From 41dfd8ff0c308e5bf8c83549c0668f6b22202d60 Mon Sep 17 00:00:00 2001 From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com> Date: Wed, 31 Jul 2024 17:16:56 +0900 Subject: [PATCH 001/144] Merge PR #4940 from @fukusuket - Update unreachable references `blog.menasec[.]net` chore: Suspicious CLR Logs Creation chore: Remote Task Creation via ATSVC Named Pipe - Zeek chore: Possible Impacket SecretDump Remote Activity - Zeek chore: Suspicious PsExec Execution - Zeek chore: AD Privileged Users or Groups Reconnaissance chore: Remote Task Creation via ATSVC Named Pipe chore: Impacket PsExec Execution chore: Possible Impacket SecretDump Remote Activity chore: Suspicious PsExec Execution chore: Remote Service Activity via SVCCTL Named Pipe chore: Suspicious DotNET CLR Usage Log Artifact chore: DotNet CLR DLL Loaded By Scripting Applications chore: Potential Credential Dumping Activity Via LSASS chore: DNS RCE CVE-2020-1350 --------- thanks: @fukusuket --- deprecated/windows/file_event_win_susp_clr_logs.yml | 2 +- .../CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml | 2 +- rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml | 2 +- .../network/zeek/zeek_smb_converted_win_impacket_secretdump.yml | 2 +- rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml | 2 +- .../windows/builtin/security/win_security_account_discovery.yml | 2 +- rules/windows/builtin/security/win_security_atsvc_task.yml | 2 +- rules/windows/builtin/security/win_security_impacket_psexec.yml | 2 +- .../builtin/security/win_security_impacket_secretdump.yml | 2 +- rules/windows/builtin/security/win_security_susp_psexec.yml | 2 +- .../builtin/security/win_security_svcctl_remote_service.yml | 2 +- .../windows/file/file_event/file_event_win_net_cli_artefact.yml | 2 +- .../image_load/image_load_susp_script_dotnet_clr_dll_load.yml | 2 +- rules/windows/process_access/proc_access_win_lsass_memdump.yml | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) 
diff --git a/deprecated/windows/file_event_win_susp_clr_logs.yml b/deprecated/windows/file_event_win_susp_clr_logs.yml index 84d2f62d75d..fe59fd9c08b 100644 --- a/deprecated/windows/file_event_win_susp_clr_logs.yml +++ b/deprecated/windows/file_event_win_susp_clr_logs.yml @@ -3,7 +3,7 @@ id: e4b63079-6198-405c-abd7-3fe8b0ce3263 status: deprecated description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. references: - - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html + - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ - https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml author: omkar72, oscd.community, Wojciech Lesicki diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml index 81c5e8cdc9a..9f9435d3504 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml @@ -4,7 +4,7 @@ status: test description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process references: - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ - - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html + - https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html author: Florian Roth (Nextron Systems) date: 2020/07/15 modified: 2022/07/12 
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml index 67139a7f6b0..54b3ac4afc9 100644 --- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml +++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml @@ -6,7 +6,7 @@ related: status: test description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe references: - - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html + - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html author: 'Samir Bousseaden, @neu5rn' date: 2020/04/03 modified: 2022/12/27 diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index 2d9b24e4efb..4b2fa257341 100644 --- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml @@ -3,7 +3,7 @@ id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e status: test description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml' references: - - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html + - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html author: 'Samir Bousseaden, @neu5ron' date: 2020/03/19 modified: 2021/11/27 diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index 6cc11eafb57..c1940bef359 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml 
@@ -6,7 +6,7 @@ related: status: test description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one references: - - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html + - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html author: Samir Bousseaden, @neu5ron, Tim Shelton date: 2020/04/02 modified: 2022/12/27 diff --git a/rules/windows/builtin/security/win_security_account_discovery.yml b/rules/windows/builtin/security/win_security_account_discovery.yml index 7aae6093fd6..da3c979636e 100644 --- a/rules/windows/builtin/security/win_security_account_discovery.yml +++ b/rules/windows/builtin/security/win_security_account_discovery.yml @@ -3,7 +3,7 @@ id: 35ba1d85-724d-42a3-889f-2e2362bcaf23 status: test description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs references: - - https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html + - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html author: Samir Bousseaden date: 2019/04/03 modified: 2022/07/13 diff --git a/rules/windows/builtin/security/win_security_atsvc_task.yml b/rules/windows/builtin/security/win_security_atsvc_task.yml index e79fd80e7ec..22c0c8c0f41 100644 --- a/rules/windows/builtin/security/win_security_atsvc_task.yml +++ b/rules/windows/builtin/security/win_security_atsvc_task.yml 
@@ -3,7 +3,7 @@ id: f6de6525-4509-495a-8a82-1f8b0ed73a00 status: test description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe references: - - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html + - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html author: Samir Bousseaden date: 2019/04/03 modified: 2022/08/11 diff --git a/rules/windows/builtin/security/win_security_impacket_psexec.yml b/rules/windows/builtin/security/win_security_impacket_psexec.yml index da608e634b8..2916fea761a 100644 --- a/rules/windows/builtin/security/win_security_impacket_psexec.yml +++ b/rules/windows/builtin/security/win_security_impacket_psexec.yml @@ -3,7 +3,7 @@ id: 32d56ea1-417f-44ff-822b-882873f5f43b status: test description: Detects execution of Impacket's psexec.py. references: - - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html + - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html author: Bhabesh Raj date: 2020/12/14 modified: 2022/09/22 diff --git a/rules/windows/builtin/security/win_security_impacket_secretdump.yml b/rules/windows/builtin/security/win_security_impacket_secretdump.yml index 11bc35fd196..87bfc42cb64 100644 --- a/rules/windows/builtin/security/win_security_impacket_secretdump.yml +++ b/rules/windows/builtin/security/win_security_impacket_secretdump.yml @@ -3,7 +3,7 @@ id: 252902e3-5830-4cf6-bf21-c22083dfd5cf status: test description: Detect AD credential dumping using impacket secretdump HKTL references: - - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html + - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html author: Samir Bousseaden, wagga date: 2019/04/03 modified: 2022/08/11 
diff --git a/rules/windows/builtin/security/win_security_susp_psexec.yml b/rules/windows/builtin/security/win_security_susp_psexec.yml index 63f6fb62899..a2ccfd7ae2e 100644 --- a/rules/windows/builtin/security/win_security_susp_psexec.yml +++ b/rules/windows/builtin/security/win_security_susp_psexec.yml @@ -3,7 +3,7 @@ id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 status: test description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one references: - - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html + - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html author: Samir Bousseaden date: 2019/04/03 modified: 2022/08/11 diff --git a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml index 2e7c5bfe901..2b175525098 100644 --- a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml +++ b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml @@ -3,7 +3,7 @@ id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3 status: test description: Detects remote service activity via remote access to the svcctl named pipe references: - - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html + - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html author: Samir Bousseaden date: 2019/04/03 modified: 2022/08/11 diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml index fda85fadcef..2cb7ce899d6 100644 --- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml 
@@ -11,7 +11,7 @@ references: - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ - https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 - - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html + - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html author: frack113, omkar72, oscd.community, Wojciech Lesicki date: 2022/11/18 modified: 2023/02/23 diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml index 8b160f44bc0..c2614032082 100644 --- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml @@ -5,7 +5,7 @@ description: Detects .NET CLR DLLs being loaded by scripting applications such a references: - https://github.com/tyranid/DotNetToJScript - https://thewover.github.io/Introducing-Donut/ - - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html + - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 author: omkar72, oscd.community date: 2020/10/14 diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index 86463e94b7e..c8d8aa0b7d6 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml 
@@ -5,7 +5,7 @@ description: | Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature. references: - - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html + - https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md - https://research.splunk.com/endpoint/windows_possible_credential_dumping/ From 65d76a30aa24802d34954324e9d3dad5d53f62d1 Mon Sep 17 00:00:00 2001 
From: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com> Date: Wed, 31 Jul 2024 11:33:46 +0300 Subject: [PATCH 002/144] Merge PR #4934 from @X-Junior - Update and add new `file_access` rules fix: Access To Potentially Sensitive Sysvol Files By Uncommon Applications - Fix error in filter modifier new: Access To Chromium Browsers Sensitive Files By Uncommon Applications new: Access To Crypto Currency Wallets By Uncommon Applications update: Access To .Reg/.Hive Files By Uncommon Applications - Update filters and move to threat hunting folder update: Access To Browser Credential Files By Uncommon Applications - Update filters and move to threat hunting folder update: Access To Windows Credential History File By Uncommon Applications - Update filters update: Access To Windows DPAPI Master Keys By Uncommon Applications - Update filters update: Access To Windows Outlook Mail Files By Uncommon Applications - Update filters and move to threat hunting folder update: Credential Manager Access By Uncommon Applications - Update filters --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ..._win_browsers_chromium_sensitive_files.yml | 46 ++++++++++++++++ .../file_access_win_browsers_credential.yml | 29 +++++----- ...ess_win_office_outlook_mail_credential.yml | 16 +++--- .../file_access_win_susp_reg_and_hive.yml | 14 ++--- ...ess_win_susp_credential_manager_access.yml | 14 ++--- .../file_access_win_susp_credhist.yml | 16 +++--- ...ccess_win_susp_crypto_currency_wallets.yml | 53 +++++++++++++++++++ ...ccess_win_susp_dpapi_master_key_access.yml | 14 ++--- .../file_access_win_susp_gpo_files.yml | 14 ++--- .../file_access_win_teams_sensitive_files.yml | 2 +- 10 files changed, 162 insertions(+), 56 deletions(-) create mode 100644 rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml rename rules/windows/file/file_access/file_access_win_browsers_credential_access.yml => 
rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml (78%) rename {rules => rules-threat-hunting}/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml (85%) rename {rules => rules-threat-hunting}/windows/file/file_access/file_access_win_susp_reg_and_hive.yml (74%) create mode 100644 rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml new file mode 100644 index 00000000000..87580e5f0a8 --- /dev/null +++ b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml 
@@ -0,0 +1,46 @@ +title: Access To Chromium Browsers Sensitive Files By Uncommon Applications +id: c5f37810-a85f-4186-81e9-33f23abb4141 +status: experimental +description: | + Detects file access requests to chromium based browser sensitive files by uncommon processes. + Could indicate potential attempt of stealing sensitive information. +references: + - Internal Research +author: X__Junior (Nextron Systems) +date: 2024/07/29 +tags: + - attack.t1003 + - attack.credential_access + - detection.threat_hunting +logsource: + category: file_access + product: windows + definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider' +detection: + selection: + FileName|contains: + - '\User Data\Default\Cookies' + - '\User Data\Default\History' + - '\User Data\Default\Network\Cookies' + - '\User Data\Default\Web Data' + filter_main_system: + Image: System + filter_main_generic: + # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application + Image|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWOW64\' + filter_optional_defender: + Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' + Image|endswith: + - '\MpCopyAccelerator.exe' + - '\MsMpEng.exe' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Antivirus, Anti-Spyware, Anti-Malware Software + - Backup software + - Legitimate software installed on partitions other than "C:\" + - Searching software such as "everything.exe" +level: low 
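Review bot: All four `FileName|contains` values under `selection` are anchored on `\User Data\Default\`, so cookies, history and web data living in any other Chromium profile directory (Chromium names these `Profile 1`, `Profile 2`, …) are never matched; the same applies to the `\User Data\Default\Login Data` entry of `selection_chromium` in file_access_win_browsers_credential.yml further down in this patch. One profile-agnostic form is a directory selection `FileName|contains: '\User Data\'` combined with a file selection using `FileName|endswith` on `'\Cookies'`, `'\History'`, `'\Network\Cookies'` and `'\Web Data'`, joined with `condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*`. Separately, `attack.t1003` denotes OS credential dumping; theft of browser cookies and history is closer to `attack.t1539` (steal web session cookie), which is worth checking against the tagging of neighbouring rules before merging.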
diff --git a/rules/windows/file/file_access/file_access_win_browsers_credential_access.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml similarity index 78% rename from rules/windows/file/file_access/file_access_win_browsers_credential_access.yml rename to rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml index c5cc761da2f..3774dd6163c 100644 --- a/rules/windows/file/file_access/file_access_win_browsers_credential_access.yml +++ b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml @@ -1,4 +1,4 @@ -title: Access To Browser Credential Files By Uncommon Application +title: Access To Browser Credential Files By Uncommon Applications id: 91cb43db-302a-47e3-b3c8-7ede481e27bf status: experimental description: | @@ -8,12 +8,13 @@ description: | references: - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users - https://github.com/lclevy/firepwd -author: frack113 +author: frack113, X__Junior (Nextron Systems) date: 2022/04/09 -modified: 2023/12/18 +modified: 2024/07/29 tags: - attack.t1003 - attack.credential_access + - detection.threat_hunting logsource: category: file_access product: windows 
@@ -24,36 +25,36 @@ detection: selection_firefox: FileName|endswith: - '\cookies.sqlite' + - '\places.sqlite' - 'release\key3.db' # Firefox - 'release\key4.db' # Firefox - 'release\logins.json' # Firefox selection_chromium: FileName|contains: - - '\Appdata\Local\Chrome\User Data\Default\Login Data' - - '\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies' - - '\AppData\Local\Google\Chrome\User Data\Local State' + - '\User Data\Default\Login Data' + - '\User Data\Local State' filter_main_system: Image: System filter_main_generic: # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application - Image|contains: - - ':\Program Files (x86)\' - - ':\Program Files\' - - ':\Windows\system32\' - - ':\Windows\SysWOW64\' + Image|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWOW64\' filter_optional_defender: - Image|contains: ':\ProgramData\Microsoft\Windows Defender\' + Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' Image|endswith: - '\MpCopyAccelerator.exe' - '\MsMpEng.exe' filter_optional_thor: Image|endswith: - - '\thor64.exe' - '\thor.exe' + - '\thor64.exe' condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Antivirus, Anti-Spyware, Anti-Malware Software - Backup software - Legitimate software installed on partitions other than "C:\" - Searching software such as "everything.exe" -level: medium +level: low diff --git a/rules/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml similarity index 85% rename from rules/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml rename to rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml index 09cf650ab95..4372c24f694 100644 
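Review bot: The new `- '\places.sqlite'` entry in `selection_firefox` adds Firefox's history/bookmarks database to a rule titled "Access To Browser Credential Files", and like `\cookies.sqlite` it is matched with a bare `endswith`, whereas the `key3.db`, `key4.db` and `logins.json` entries are anchored on `release\`; any application file named places.sqlite therefore fires this rule. Either anchor it the same way (`- 'release\places.sqlite'`) or keep history files in the chromium sensitive-files rule added in this same PR so the credential rule stays focused on credential stores. The hunk starts inside the `detection` mapping; the rule header is in the preceding hunk.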
--- a/rules/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml +++ b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml @@ -1,4 +1,4 @@ -title: Access To Windows Outlook Mail Files By Uncommon Application +title: Access To Windows Outlook Mail Files By Uncommon Applications id: fc3e237f-2fef-406c-b90d-b3ae7e02fa8f status: experimental description: | @@ -10,9 +10,11 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows author: frack113 date: 2024/05/10 +modified: 2024/07/29 tags: - attack.t1070.008 - attack.defense_evasion + - detection.threat_hunting logsource: category: file_access product: windows @@ -26,13 +28,13 @@ detection: Image: 'System' filter_main_generic: # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application - Image|contains: - - ':\Program Files (x86)\' - - ':\Program Files\' - - ':\Windows\system32\' - - ':\Windows\SysWOW64\' + Image|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWOW64\' filter_optional_defender: - Image|contains: ':\ProgramData\Microsoft\Windows Defender\' + Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' Image|endswith: - '\MpCopyAccelerator.exe' - '\MsMpEng.exe' diff --git a/rules/windows/file/file_access/file_access_win_susp_reg_and_hive.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml similarity index 74% rename from rules/windows/file/file_access/file_access_win_susp_reg_and_hive.yml rename to rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml index dea4215eb8d..8c33a42b71c 100644 --- a/rules/windows/file/file_access/file_access_win_susp_reg_and_hive.yml 
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml @@ -1,4 +1,4 @@ -title: Access To .Reg/.Hive Files By Uncommon Application +title: Access To .Reg/.Hive Files By Uncommon Applications id: 337a31c6-46c4-46be-886a-260d7aa78cac status: experimental description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups. @@ -6,9 +6,11 @@ references: - https://github.com/tccontre/Reg-Restore-Persistence-Mole author: frack113 date: 2023/09/15 +modified: 2024/07/29 tags: - attack.t1112 - attack.defense_evasion + - detection.threat_hunting logsource: category: file_access product: windows @@ -19,11 +21,11 @@ detection: - '.hive' - '.reg' filter_main_generic: - Image|contains: - - ':\Program Files (x86)\' - - ':\Program Files\' - - ':\Windows\System32\' - - ':\Windows\SysWOW64\' + Image|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' condition: selection and not 1 of filter_main_* falsepositives: - Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required. diff --git a/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml b/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml index cad181453c0..8e4278128f3 100644 --- a/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml +++ b/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml @@ -1,4 +1,4 @@ -title: Credential Manager Access By Uncommon Application +title: Credential Manager Access By Uncommon Applications id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6 status: experimental description: | 
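Review bot: Switching `filter_main_generic` from `Image|contains: ':\Program Files\'` to `Image|startswith: 'C:\Program Files\'` hard-codes the system drive, so on hosts whose Windows installation lives on another drive letter every process under Program Files or system32 now falls outside the filter, yet this file's `falsepositives` still only mention user-context third-party software; the same change is made without a matching false-positive note in file_access_win_susp_credential_manager_access.yml, file_access_win_susp_credhist.yml, file_access_win_susp_dpapi_master_key_access.yml and file_access_win_susp_gpo_files.yml (the last three list `- Unknown`). Presumably the drive anchor is intentional, since a standard user can create a `Program Files` directory on a non-system volume but not on `C:`; if so, add the entry the browser rules in this PR already carry, `- Legitimate software installed on partitions other than "C:\"`, to each of those files so the trade-off is documented where the noise will show up.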
@@ -9,7 +9,7 @@ references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/10/11 -modified: 2023/12/18 +modified: 2024/07/29 tags: - attack.t1003 - attack.credential_access @@ -25,11 +25,11 @@ detection: - '\AppData\Local\Microsoft\Vault\' - '\ProgramData\Microsoft\Vault\' filter_system_folders: - Image|contains: - - ':\Program Files\' - - ':\Program Files (x86)\' - - ':\Windows\system32\' - - ':\Windows\SysWOW64\' + Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWOW64\' condition: selection and not 1 of filter_* falsepositives: - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason). diff --git a/rules/windows/file/file_access/file_access_win_susp_credhist.yml b/rules/windows/file/file_access/file_access_win_susp_credhist.yml index 2836f61376e..d890dd9b1db 100644 --- a/rules/windows/file/file_access/file_access_win_susp_credhist.yml +++ b/rules/windows/file/file_access/file_access_win_susp_credhist.yml @@ -1,4 +1,4 @@ -title: Access To Windows Credential History File By Uncommon Application +title: Access To Windows Credential History File By Uncommon Applications id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2 status: experimental description: | @@ -9,7 +9,7 @@ references: - https://www.passcape.com/windows_password_recovery_dpapi_credhist author: Nasreddine Bencherchali (Nextron Systems) date: 2022/10/17 -modified: 2023/12/18 +modified: 2024/07/29 tags: - attack.credential_access - attack.t1555.004 
@@ -21,13 +21,13 @@ detection: selection: FileName|endswith: '\Microsoft\Protect\CREDHIST' filter_main_system_folders: - Image|contains: - - ':\Program Files\' - - ':\Program Files (x86)\' - - ':\Windows\system32\' - - ':\Windows\SysWOW64\' + Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWOW64\' filter_main_explorer: - Image|endswith: ':\Windows\explorer.exe' + Image: 'C:\Windows\explorer.exe' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml b/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml new file mode 100644 index 00000000000..e11262253f5 --- /dev/null +++ b/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml 
@@ -0,0 +1,53 @@ +title: Access To Crypto Currency Wallets By Uncommon Applications +id: f41b0311-44f9-44f0-816d-dd45e39d4bc8 +status: experimental +description: | + Detects file access requests to crypto currency files by uncommon processes. + Could indicate potential attempt of crypto currency wallet stealing. +references: + - Internal Research +author: X__Junior (Nextron Systems) +date: 2024/07/29 +tags: + - attack.t1003 + - attack.credential_access +logsource: + category: file_access + product: windows + definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider' +detection: + selection: + - FileName|contains: + - '\AppData\Roaming\Ethereum\keystore\' + - '\AppData\Roaming\EthereumClassic\keystore\' + - '\AppData\Roaming\monero\wallets\' + - FileName|endswith: + - '\AppData\Roaming\Bitcoin\wallet.dat' + - '\AppData\Roaming\BitcoinABC\wallet.dat' + - '\AppData\Roaming\BitcoinSV\wallet.dat' + - '\AppData\Roaming\DashCore\wallet.dat' + - '\AppData\Roaming\DogeCoin\wallet.dat' + - '\AppData\Roaming\Litecoin\wallet.dat' + - '\AppData\Roaming\Ripple\wallet.dat' + - '\AppData\Roaming\Zcash\wallet.dat' + filter_main_system: + Image: System + filter_main_generic: + # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application + Image|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWOW64\' + filter_optional_defender: + Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' + Image|endswith: + - '\MpCopyAccelerator.exe' + - '\MsMpEng.exe' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Antivirus, Anti-Spyware, Anti-Malware Software + - Backup software + - Legitimate software installed on partitions other than "C:\" + - Searching software such as "everything.exe" +level: medium 
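Review bot: The rule filters Defender and anything under Program Files or system32, but the wallet applications themselves are the most likely benign accessor of these `wallet.dat` and `keystore` paths, and wallet clients that install per-user below `AppData\Local` are not covered by any `filter_*` entry, so at `level: medium` the rule may alert on every wallet start; the `falsepositives` list does not mention this case. Consider adding `- Crypto currency wallet applications installed in the user profile` to `falsepositives`, or a `filter_optional_wallets` on the known client images once they have been baselined. The description says "crypto currency files"; `Detects file access requests to crypto currency wallet files by uncommon processes.` is more precise.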
diff --git a/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml index 8678bfdfb0e..b9973ce0a1f 100644 --- a/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml +++ b/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml @@ -1,4 +1,4 @@ -title: Access To Windows DPAPI Master Keys By Uncommon Application +title: Access To Windows DPAPI Master Keys By Uncommon Applications id: 46612ae6-86be-4802-bc07-39b59feb1309 status: experimental description: | @@ -9,7 +9,7 @@ references: - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords author: Nasreddine Bencherchali (Nextron Systems) date: 2022/10/17 -modified: 2023/12/18 +modified: 2024/07/29 tags: - attack.credential_access - attack.t1555.004 @@ -23,11 +23,11 @@ detection: - '\Microsoft\Protect\S-1-5-18\' # For System32 - '\Microsoft\Protect\S-1-5-21-' # For Users filter_system_folders: - Image|contains: - - ':\Program Files\' - - ':\Program Files (x86)\' - - ':\Windows\system32\' - - ':\Windows\SysWOW64\' + Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWOW64\' condition: selection and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml b/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml index 37a2d6dcc60..e555a558dff 100644 --- a/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml +++ b/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml @@ -1,4 +1,4 @@ -title: Access To Potentially Sensitive Sysvol Files By Uncommon Application +title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications id: d51694fe-484a-46ac-92d6-969e76d60d10 related: - id: 8344c19f-a023-45ff-ad63-a01c5396aea0 
@@ -9,6 +9,7 @@ references: - https://github.com/vletoux/pingcastle author: frack113 date: 2023/12/21 +modified: 2024/07/29 tags: - attack.credential_access - attack.t1552.006 @@ -34,11 +35,12 @@ detection: - 'services.xml' filter_main_generic: Image|startswith: - - ':\Program Files (x86)\' - - ':\Program Files\' - - ':\Windows\explorer.exe' - - ':\Windows\system32\' - - ':\Windows\SysWOW64\' + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWOW64\' + filter_main_explorer: + Image: 'C:\Windows\explorer.exe' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml b/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml index ea68a8c5a27..21dcd47b2d2 100644 --- a/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml +++ b/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml @@ -1,4 +1,4 @@ -title: Microsoft Teams Sensitive File Access By Uncommon Application +title: Microsoft Teams Sensitive File Access By Uncommon Applications id: 65744385-8541-44a6-8630-ffc824d7d4cc status: experimental description: | From 42f90bb5d05b7785ac0bba44f60c652a6ec53bc5 Mon Sep 17 00:00:00 2001 From: Daniel Cortez <32076062+DefenderDaniel@users.noreply.github.com> Date: Wed, 31 Jul 2024 04:57:48 -0700 Subject: [PATCH 003/144] Merge PR #4929 from @DefenderDaniel - Add `Clipboard Data Collection Via Pbpaste` new: Clipboard Data Collection Via Pbpaste --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_macos_pbpaste_execution.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml 
diff --git a/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml b/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
new file mode 100644
index 00000000000..875b285279c
--- /dev/null
+++ b/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
@@ -0,0 +1,30 @@
+title: Clipboard Data Collection Via Pbpaste
+id: d8af0da1-2959-40f9-a3e4-37a6aa1228b7
+status: experimental
+description: |
+ Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
+ The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
+ It can also be used in shell scripts that may require clipboard content as input.
+ Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
+ Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
+references:
+ - https://www.loobins.io/binaries/pbpaste/
+ - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
+ - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
+author: Daniel Cortez
+date: 2024/07/30
+tags:
+ - attack.collection
+ - attack.credential_access
+ - attack.t1115
+ - detection.threat_hunting
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/pbpaste'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
From 6800135a02dae521790cd6d4634f70c0d64ba6a0 Mon Sep 17 00:00:00 2001
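Review bot: The tags list carries `attack.credential_access`, but the only technique given is `attack.t1115`, which ATT&CK files under Collection, so the tactic tag has no matching technique; either drop it or add the credential-related technique the description alludes to. `falsepositives` names only administration activity even though the description itself says the utility is commonly used in user scripts and pipelines, so an entry such as `- Legitimate user scripts and interactive shell usage` would set expectations better for a hunting rule. Because `selection` matches every `/pbpaste` execution with no parent or command-line context, the hunt relies entirely on the analyst follow-up the description mentions; a short comment on the selection saying so would help, e.g. `# Intentionally broad: pivot on ParentImage/CommandLine during triage`.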
From: Luca <150611686+LucaInfoSec@users.noreply.github.com>
Date: Wed, 31 Jul 2024 09:10:20 -0400
Subject: [PATCH 004/144] Merge PR #4885 from @LucaInfoSec - Add `Potential CSharp Streamer RAT Loading .NET Executable Image`
new: Potential CSharp Streamer RAT Loading .NET Executable Image
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...ad_malware_csharp_streamer_dotnet_load.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
diff --git a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
new file mode 100644
index 00000000000..fd3ed84cede
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
@@ -0,0 +1,23 @@
+title: Potential CSharp Streamer RAT Loading .NET Executable Image
+id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
+status: experimental
+description: |
+ Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
+references:
+ - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
+ - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
+author: Luca Di Bartolomeo
+date: 2024/06/22
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 6b7814466880d7687d64f5dd0426fe531b42b635 Mon Sep 17 00:00:00 2001
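Review bot: The `re` modifier is case-sensitive, unlike the other Sigma string modifiers, so the `\\AppData\\Local\\Temp\\` prefix in `ImageLoaded|re` only matches when the log source records the path in exactly that casing, and the pattern is not anchored at the end, so `\.tmp` can also match as a substring of a longer name. If the uppercase `[0-9A-Z]{4}` class is intentional, scope the case-insensitivity to the directory part and anchor the end, e.g. `ImageLoaded|re: '(?i:\\AppData\\Local\\Temp\\)dat[0-9A-Z]{4}\.tmp$'` (inline-scoped flags depend on the target backend's regex engine, so verify against the backends in use); otherwise the `re|i` modifier is the portable choice. A brief comment naming which reference documents the `dat<4 chars>.tmp` naming would also help maintainers, since the regex encodes that detail without explanation.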
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 1 Aug 2024 10:26:14 +0200 Subject: [PATCH 005/144] Merge PR #4942 from @nasbench - promote older rules status from experimental to test chore: promote older rules status from experimental to test Co-authored-by: nasbench --- .../file/file_event/file_event_win_dump_file_creation.yml | 2 +- .../file/file_event/file_event_win_scheduled_task_creation.yml | 2 +- .../proc_creation_win_diskshadow_child_process.yml | 2 +- .../registry_event/registry_event_scheduled_task_creation.yml | 2 +- rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml | 2 +- .../azure_identity_protection_malicious_ip_address.yml | 2 +- ...zure_identity_protection_malicious_ip_address_suspicious.yml | 2 +- .../azure_identity_protection_prt_access.yml | 2 +- .../azure_identity_protection_threat_intel.yml | 2 +- .../privileged_identity_management/azure_pim_account_stale.yml | 2 +- .../azure_pim_invalid_license.yml | 2 +- .../azure_pim_role_assigned_outside_of_pim.yml | 2 +- .../azure_pim_role_frequent_activation.yml | 2 +- .../azure_pim_role_no_mfa_required.yml | 2 +- .../privileged_identity_management/azure_pim_role_not_used.yml | 2 +- .../azure_pim_too_many_global_admins.yml | 2 +- rules/cloud/m365/audit/microsoft365_disabling_mfa.yml | 2 +- .../audit/microsoft365_new_federated_domain_added_audit.yml | 2 +- rules/cloud/okta/okta_identity_provider_created.yml | 2 +- rules/cloud/okta/okta_suspicious_activity_enduser_report.yml | 2 +- .../cloud/okta/okta_user_session_start_via_anonymised_proxy.yml | 2 +- .../win_appmodel_runtime_sysinternals_tools_appx_execution.yml | 2 +- rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml | 2 +- .../win_security_registry_permissions_weakness_check.yml | 2 +- .../dns_query_win_dns_server_discovery_via_ldap_query.yml | 2 +- ...ns_query_win_remote_access_software_domains_non_browsers.yml | 2 +- .../windows/dns_query/dns_query_win_tor_onion_domain_query.yml | 2 +- 
rules/windows/dns_query/dns_query_win_ufile_io_query.yml | 2 +- .../file/file_event/file_event_win_dump_file_susp_creation.yml | 2 +- .../file_event_win_office_onenote_files_in_susp_locations.yml | 2 +- .../image_load/image_load_dll_amsi_suspicious_process.yml | 2 +- .../image_load/image_load_rundll32_remote_share_load.yml | 2 +- .../image_load/image_load_susp_dll_load_system_process.yml | 2 +- rules/windows/image_load/image_load_susp_python_image_load.yml | 2 +- rules/windows/network_connection/net_connection_win_python.yml | 2 +- ...e_created_sysinternals_psexec_default_pipe_susp_location.yml | 2 +- .../process_creation/proc_creation_win_7zip_exfil_dmp_files.yml | 2 +- .../proc_creation_win_addinutil_suspicious_cmdline.yml | 2 +- .../proc_creation_win_addinutil_uncommon_child_process.yml | 2 +- .../proc_creation_win_addinutil_uncommon_cmdline.yml | 2 +- .../proc_creation_win_addinutil_uncommon_dir_exec.yml | 2 +- .../proc_creation_win_browsers_chromium_mockbin_abuse.yml | 2 +- .../proc_creation_win_cmd_copy_dmp_from_share.yml | 2 +- .../proc_creation_win_cmd_del_greedy_deletion.yml | 2 +- .../proc_creation_win_diskshadow_child_process_susp.yml | 2 +- .../proc_creation_win_diskshadow_script_mode_susp_location.yml | 2 +- .../process_creation/proc_creation_win_driverquery_recon.yml | 2 +- .../process_creation/proc_creation_win_driverquery_usage.yml | 2 +- .../process_creation/proc_creation_win_renamed_autoit.yml | 2 +- .../proc_creation_win_rundll32_webdav_client_susp_execution.yml | 2 +- .../proc_creation_win_vscode_tunnel_renamed_execution.yml | 2 +- .../proc_creation_win_winrar_exfil_dmp_files.yml | 2 +- .../proc_creation_win_wmic_recon_unquoted_service_search.yml | 2 +- .../proc_creation_win_wmic_terminate_application.yml | 2 +- .../registry_set_office_trusted_location_uncommon.yml | 2 +- .../registry_set/registry_set_persistence_search_order.yml | 2 +- .../registry/registry_set/registry_set_uac_bypass_eventvwr.yml | 2 +- 
rules/windows/sysmon/sysmon_file_block_executable.yml | 2 +- rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml | 2 +- 59 files changed, 59 insertions(+), 59 deletions(-) diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml index fe101ae2895..79e5c0ffa2f 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml @@ -1,6 +1,6 @@ title: DMP/HDMP File Creation id: 3a525307-d100-48ae-b3b9-0964699d7f97 -status: experimental +status: test description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml index 5b6c2358a20..14cb6421963 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml @@ -1,6 +1,6 @@ title: Scheduled Task Created - FileCreation id: a762e74f-4dce-477c-b023-4ed81df600f9 -status: experimental +status: test description: Detects the creation of a scheduled task via file creation. references: - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/ 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml index d32cee14a51..1ab85af2c8a 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml @@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ diff --git a/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml index 116f3ab882f..9a73274ebc2 100644 --- a/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml +++ b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml @@ -1,6 +1,6 @@ title: Scheduled Task Created - Registry id: 93ff0ceb-e0ef-4586-8cd8-a6c277d738e3 -status: experimental +status: test description: Detects the creation of a scheduled task via Registry keys. references: - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/ diff --git a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml index b299af75d82..b9963f627b8 100644 --- a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml +++ b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml 
@@ -1,6 +1,6 @@ title: AWS Identity Center Identity Provider Change id: d3adb3ef-b7e7-4003-9092-1924c797db35 -status: experimental +status: test description: | Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation. diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml index 0671ebad073..7221d8ad3a0 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml @@ -1,6 +1,6 @@ title: Malicious IP Address Sign-In Failure Rate id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd -status: experimental +status: test description: Indicates sign-in from a malicious IP address based on high failure rates. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml index 3d88c48bcfb..064c2f24473 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml @@ -1,6 +1,6 @@ title: Malicious IP Address Sign-In Suspicious id: 36440e1c-5c22-467a-889b-593e66498472 -status: experimental +status: test description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address 
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml index e01a8b58a85..76e38687e4a 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml @@ -1,6 +1,6 @@ title: Primary Refresh Token Access Attempt id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1 -status: experimental +status: test description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml index 21098ec741d..1180430554d 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml @@ -1,6 +1,6 @@ title: Azure AD Threat Intelligence id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba -status: experimental +status: test description: Indicates user activity that is unusual for the user or consistent with known attack patterns. references: - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml index ff0e178413c..57ff7fd7d28 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml 
@@ -1,6 +1,6 @@ title: Stale Accounts In A Privileged Role id: e402c26a-267a-45bd-9615-bd9ceda6da85 -status: experimental +status: test description: Identifies when an account hasn't signed in during the past n number of days. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml index 3ce88cdde01..46e06757aaa 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml @@ -1,6 +1,6 @@ title: Invalid PIM License id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8 -status: experimental +status: test description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml index b847363479a..1563eda0694 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml 
@@ -1,6 +1,6 @@ title: Roles Assigned Outside PIM id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb -status: experimental +status: test description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml index ffe091cd223..3064e61c8a9 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml @@ -1,6 +1,6 @@ title: Roles Activated Too Frequently id: 645fd80d-6c07-435b-9e06-7bc1b5656cba -status: experimental +status: test description: Identifies when the same privilege role has multiple activations by the same user. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml index 897ce1edec5..7bb31ea202e 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml 
@@ -1,6 +1,6 @@ title: Roles Activation Doesn't Require MFA id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0 -status: experimental +status: test description: Identifies when a privilege role can be activated without performing mfa. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml index fec0c1bbf39..e0cfcc5b344 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml @@ -1,6 +1,6 @@ title: Roles Are Not Being Used id: 8c6ec464-4ae4-43ac-936a-291da66ed13d -status: experimental +status: test description: Identifies when a user has been assigned a privilege role and are not using that role. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml index 0ffaf1db912..06e46b94262 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml 
@@ -1,6 +1,6 @@ title: Too Many Global Admins id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3 -status: experimental +status: test description: Identifies an event where there are there are too many accounts assigned the Global Administrator role. references: - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators diff --git a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml index f1516794b19..f2c9c39d29e 100644 --- a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml +++ b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml @@ -1,6 +1,6 @@ title: Disabling Multi Factor Authentication id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876 -status: experimental +status: test description: Detects disabling of Multi Factor Authentication. references: - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ diff --git a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml index 44c6a49161c..15a46cb76df 100644 --- a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml +++ b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml @@ -3,7 +3,7 @@ id: 58f88172-a73d-442b-94c9-95eaed3cbb36 related: - id: 42127bdd-9133-474f-a6f1-97b6c08a4339 type: similar -status: experimental +status: test description: Detects the addition of a new Federated Domain. references: - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/ diff --git a/rules/cloud/okta/okta_identity_provider_created.yml b/rules/cloud/okta/okta_identity_provider_created.yml index c21a195a5f9..03bb1d9257e 100644 --- a/rules/cloud/okta/okta_identity_provider_created.yml +++ b/rules/cloud/okta/okta_identity_provider_created.yml 
@@ -1,6 +1,6 @@ title: Okta Identity Provider Created id: 969c7590-8c19-4797-8c1b-23155de6e7ac -status: experimental +status: test description: Detects when a new identity provider is created for Okta. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml index 6db72dea19c..75e09e6a91b 100644 --- a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml +++ b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml @@ -1,6 +1,6 @@ title: Okta Suspicious Activity Reported by End-user id: 07e97cc6-aed1-43ae-9081-b3470d2367f1 -status: experimental +status: test description: Detects when an Okta end-user reports activity by their account as being potentially suspicious. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml index 8cf095fc7b5..37cb9e1045f 100644 --- a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml +++ b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml @@ -1,6 +1,6 @@ title: Okta User Session Start Via An Anonymising Proxy Service id: bde30855-5c53-4c18-ae90-1ff79ebc9578 -status: experimental +status: test description: Detects when an Okta user session starts where the user is behind an anonymising proxy service. references: - https://developer.okta.com/docs/reference/api/system-log/ diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml index 3b45dc52304..e7145460a01 100644 --- a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml 
+++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml @@ -1,6 +1,6 @@ title: Sysinternals Tools AppX Versions Execution id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc -status: experimental +status: test description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths references: - Internal Research diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml index fc80250ee3b..e5622c0cdf6 100644 --- a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml +++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml @@ -3,7 +3,7 @@ id: 090ffaad-c01a-4879-850c-6d57da98452d related: - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b type: similar -status: experimental +status: test description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ diff --git a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml index c1bbd97709a..4e74565af40 100644 --- a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml +++ b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml @@ -1,6 +1,6 @@ title: Service Registry Key Read Access Request id: 11d00fff-5dc3-428c-8184-801f292faec0 -status: experimental +status: test description: | Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. 
diff --git a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml index 260c77a4aa4..160adb3f6f8 100644 --- a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml +++ b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml @@ -1,6 +1,6 @@ title: DNS Server Discovery Via LDAP Query id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e -status: experimental +status: test description: Detects DNS server discovery via LDAP query requests from uncommon applications references: - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml index ac8617682d7..42656d7f212 100644 --- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml +++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml @@ -7,7 +7,7 @@ related: type: obsoletes - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4 type: obsoletes -status: experimental +status: test description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. diff --git a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml index 430e8c1da24..046b352420f 100644 --- a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml 
+++ b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml @@ -3,7 +3,7 @@ id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 related: - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 type: similar -status: experimental +status: test description: Detects DNS queries to an ".onion" address related to Tor routing networks references: - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ diff --git a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml index 1ef60ac954e..3890fad5025 100644 --- a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml +++ b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml @@ -3,7 +3,7 @@ id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b related: - id: 090ffaad-c01a-4879-850c-6d57da98452d type: similar -status: experimental +status: test description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ diff --git a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml index 64756bc1864..c689dba2dfd 100644 --- a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml @@ -3,7 +3,7 @@ id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c related: - id: 3a525307-d100-48ae-b3b9-0964699d7f97 type: similar -status: experimental +status: test description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps 
diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml index 90502e03333..dce7b494af3 100644 --- a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml +++ b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml @@ -1,6 +1,6 @@ title: OneNote Attachment File Dropped In Suspicious Location id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0 -status: experimental +status: test description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments references: - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ diff --git a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml index 419cded28cc..b8bb326b611 100644 --- a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml +++ b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml @@ -1,6 +1,6 @@ title: Amsi.DLL Loaded Via LOLBIN Process id: 6ec86d9e-912e-4726-91a2-209359b999b9 -status: experimental +status: test description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack references: - Internal Research diff --git a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml index ff412b655be..e93b5aac5db 100644 --- a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml +++ b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml 
@@ -1,6 +1,6 @@
 title: Remote DLL Load Via Rundll32.EXE
 id: f40017b3-cb2e-4335-ab5d-3babf679c1de
-status: experimental
+status: test
 description: Detects a remote DLL load event via "rundll32.exe".
 references:
     - https://github.com/gabe-k/themebleed
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index 9c5ed041352..a1206b18ddb 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -1,6 +1,6 @@
 title: DLL Load By System Process From Suspicious Locations
 id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
-status: experimental
+status: test
 description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
 references:
     - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index df60f3ac044..0523dd935a0 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -1,6 +1,6 @@
 title: Python Image Load By Non-Python Process
 id: cbb56d62-4060-40f7-9466-d8aaf3123f83
-status: experimental
+status: test
 description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
 references:
     - https://www.py2exe.org/
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml
index bd6f1267860..5312bbe489c 100644
--- a/rules/windows/network_connection/net_connection_win_python.yml
+++ b/rules/windows/network_connection/net_connection_win_python.yml
@@ -1,6 +1,6 @@
 title: Python Initiated Connection
 id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
-status: experimental
+status: test
 description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
diff --git a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
index 7835d408a9d..f0c2647aa12 100644
--- a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
+++ b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
@@ -3,7 +3,7 @@ id: 41504465-5e3a-4a5b-a5b4-2a0baadd4463
 related:
     - id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
       type: derived
-status: experimental
+status: test
 description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack
 references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
diff --git a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
index 70612f8b656..24a958d6409 100644
--- a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
@@ -3,7 +3,7 @@ id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
 related:
     - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
       type: derived
-status: experimental
+status: test
 description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
 references:
     - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
index 9fa881746a7..e1ff2063ddb 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
@@ -1,6 +1,6 @@
 title: Suspicious AddinUtil.EXE CommandLine Execution
 id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
-status: experimental
+status: test
 description: |
     Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
index 9c767d7dd53..dbbe9071827 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
@@ -1,6 +1,6 @@
 title: Uncommon Child Process Of AddinUtil.EXE
 id: b5746143-59d6-4603-8d06-acbd60e166ee
-status: experimental
+status: test
 description: |
     Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
index 81addd83bca..3f07b90bfe3 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
@@ -1,6 +1,6 @@
 title: Uncommon AddinUtil.EXE CommandLine Execution
 id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a
-status: experimental
+status: test
 description: |
     Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
index 8ff2f9ba0a7..23bf8f40882 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
@@ -1,6 +1,6 @@
 title: AddinUtil.EXE Execution From Uncommon Directory
 id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
-status: experimental
+status: test
 description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
 references:
     - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
index 418ae9f60bb..d1331368d0c 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
@@ -1,6 +1,6 @@
 title: Chromium Browser Headless Execution To Mockbin Like Site
 id: 1c526788-0abe-4713-862f-b520da5e5316
-status: experimental
+status: test
 description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
 references:
     - https://www.zscaler.com/blogs/security-research/steal-it-campaign
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
index 9a3a7405ca6..1ca643dc6f6 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
@@ -1,6 +1,6 @@
 title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
 id: 044ba588-dff4-4918-9808-3f95e8160606
-status: experimental
+status: test
 description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
 references:
     - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
index ce00f3e6ef3..fdde9d91f8a 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
@@ -1,6 +1,6 @@
 title: Greedy File Deletion Using Del
 id: 204b17ae-4007-471b-917b-b917b315c5db
-status: experimental
+status: test
 description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
 references:
     - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
index bdc0bb328d2..4aa24565c43 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
@@ -9,7 +9,7 @@ related:
       type: similar
     - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
       type: similar
-status: experimental
+status: test
 description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
 references:
     - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
index a1ce40db443..99993fcd70f 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
@@ -9,7 +9,7 @@ related:
       type: similar
     - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
       type: similar
-status: experimental
+status: test
 description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
 references:
     - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
index cfbc94e7f27..324f94a53eb 100644
--- a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
@@ -3,7 +3,7 @@ id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
 related:
     - id: a20def93-0709-4eae-9bd2-31206e21e6b2
       type: similar
-status: experimental
+status: test
 description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
 references:
     - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
index ace3c60f07d..b64926ce257 100644
--- a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
@@ -3,7 +3,7 @@ id: a20def93-0709-4eae-9bd2-31206e21e6b2
 related:
     - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
       type: similar
-status: experimental
+status: test
 description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
 references:
     - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml index 1e509d4011a..2d9869469d7 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml @@ -1,6 +1,6 @@ title: Renamed AutoIt Execution id: f4264e47-f522-4c38-a420-04525d5b880f -status: experimental +status: test description: | Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml index fc312f152eb..610c2e6f2e0 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml @@ -1,6 +1,6 @@ title: Suspicious WebDav Client Execution Via Rundll32.EXE id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555 -status: experimental +status: test description: | Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 references: diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml index b13d497c839..42e75cd56e5 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml 
@@ -1,6 +1,6 @@
 title: Renamed Visual Studio Code Tunnel Execution
 id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
-status: experimental
+status: test
 description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
 references:
     - https://ipfyx.fr/post/visual-studio-code-tunnel/
diff --git a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml
index 13783e8cd28..fa562799e67 100644
--- a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml
@@ -3,7 +3,7 @@ id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
 related:
     - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
       type: similar
-status: experimental
+status: test
 description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
 references:
     - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
index 5126343f1eb..b3d54f81abf 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
       type: similar
-status: experimental
+status: test
 description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
 references:
     - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml
index 26ee602fa51..8dd0fe238a8 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml
@@ -3,7 +3,7 @@ id: 49d9671b-0a0a-4c09-8280-d215bfd30662
 related:
     - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
       type: derived
-status: experimental
+status: test
 description: Detects calls to the "terminate" function via wmic in order to kill an application
 references:
     - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
index 917eaffdd61..c0f7b532125 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
@@ -3,7 +3,7 @@ id: f742bde7-9528-42e5-bd82-84f51a8387d2
 related:
     - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
       type: derived
-status: experimental
+status: test
 description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
 references:
     - Internal Research
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
index f33bacadc52..9f0efd19884 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
@@ -1,6 +1,6 @@
 title: Potential Persistence Via COM Search Order Hijacking
 id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
-status: experimental
+status: test
 description: Detects potential COM object hijacking leveraging the COM Search Order
 references:
     - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
index 9d96673befa..e57b719f791 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
@@ -1,6 +1,6 @@
 title: UAC Bypass via Event Viewer
 id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
-status: experimental
+status: test
 description: Detects UAC bypass method using Windows event viewer
 references:
     - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
diff --git a/rules/windows/sysmon/sysmon_file_block_executable.yml b/rules/windows/sysmon/sysmon_file_block_executable.yml
index 2dd947a46e4..0768df81a14 100644
--- a/rules/windows/sysmon/sysmon_file_block_executable.yml
+++ b/rules/windows/sysmon/sysmon_file_block_executable.yml
@@ -1,6 +1,6 @@
 title: Sysmon Blocked Executable
 id: 23b71bc5-953e-4971-be4c-c896cda73fc2
-status: experimental
+status: test
 description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
 references:
     - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
index 335ef9b8fb2..23dfd17be25 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
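Review bot: The file header for registry_set_uac_bypass_eventvwr.yml shows mode `100755`, so this rule file carries the executable bit while every other rule touched in this commit is `100644`. A Sigma rule is data consumed by a converter, not a program, and a stray executable bit on a YAML file is the kind of thing repository linters and packaging tooling trip over; it looks like an accident from how the file was first added rather than intent. Since this commit already touches the file, it would be a natural place to clear it with `git update-index --chmod=-x rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml` so the header reads `100644`. The status bump itself raises no concern.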
@@ -1,6 +1,6 @@
 title: Suspicious Scripting in a WMI Consumer
 id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
-status: experimental
+status: test
 description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
 references:
     - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/

From b8e67f13d5bf39d690da91cae2066312efd3bd00 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 1 Aug 2024 10:26:40 +0200
Subject: [PATCH 006/144] Merge PR #4943 from @nasbench - Archive new rule references and update cache file

chore: archive new rule references and update cache file

Co-authored-by: nasbench
---
 .github/latest_archiver_output.md | 940 +++++++++++++++---------------
 tests/rule-references.txt | 17 +
 2 files changed, 490 insertions(+), 467 deletions(-)

diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md
index 26e74821bff..2f423c63cae 100644
--- a/.github/latest_archiver_output.md
+++ b/.github/latest_archiver_output.md
@@ -1,516 +1,522 @@ # Reference Archiver Results -Last Execution: 2024-07-15 02:23:02 +Last Execution: 2024-08-01 02:00:18 ### Archiver Script Results #### Newly Archived References -N/A +- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html #### Already Archived References -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent -- https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/ -- https://portmap.io/ -- https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html -- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/ -- https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/ -- https://github.com/wavestone-cdt/EDRSandblast -- https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec -- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy -- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4 -- https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662 -- 
https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf -- https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2 -- https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab -- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140 -- https://github.com/LOLBAS-Project/LOLBAS/pull/151 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 -- https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled -- https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob -- https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite -- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11) -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts -- https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker -- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2 -- 
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy -- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ -- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax -- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 -- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse +- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html +- https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416 +- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a +- https://docs.github.com/en/migrations +- https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps +- https://security.padok.fr/en/blog/kubernetes-webhook-attackers +- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ +- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701 +- 
https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py +- https://asec.ahnlab.com/en/58878/ +- https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules #### Error While Archiving References - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://security.padok.fr/en/blog/kubernetes-webhook-attackers -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini -- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html -- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 
-- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ -- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 -- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) -- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html +- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://tria.ge/240123-rapteaahhr/behavioral1 -- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://www.loobins.io/binaries/launchctl/ -- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://twitter.com/DTCERT/status/1712785426895839339 -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia -- 
https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization -- https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ +- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- 
https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address +- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983 +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- 
https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer +- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://www.loobins.io/binaries/xattr/ -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://www.tenable.com/security/research/tra-2023-11 +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- 
https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38 +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ +- https://twitter.com/DTCERT/status/1712785421845790799 +- https://twitter.com/DTCERT/status/1712785426895839339 +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- 
https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 +- https://adsecurity.org/?p=1785 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties +- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture +- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction +- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml - 
https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 -- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html +- https://github.com/grayhatkiller/SharpExShell +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps +- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 - https://github.com/rapid7/metasploit-framework/issues/11337 -- 
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 -- https://tria.ge/240226-fhbe7sdc39/behavioral1 -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://www.loobins.io/binaries/tmutil/ +- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml +- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- 
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp +- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://github.com/embedi/CVE-2017-11882 +- https://redcanary.com/blog/msix-installers/ +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace +- 
https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks +- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 +- 
https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://help.duo.com/s/article/6327?language=en_US +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://paper.seebug.org/1495/ -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior -- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html -- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://twitter.com/DTCERT/status/1712785421845790799 -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- 
https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://adsecurity.org/?p=1785 -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 -- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- 
https://objective-see.org/blog/blog_0x6D.html -- https://github.com/0xthirteen/SharpMove/ -- https://evasions.checkpoint.com/techniques/macos.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416 -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://github.com/antonioCoco/RoguePotato -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- 
https://github.com/gentilkiwi/mimikatz -- https://www.loobins.io/binaries/nscurl/ -- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators -- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly -- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights -- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create -- 
https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 +- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 +- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 +- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 +- https://ss64.com/osx/sw_vers.html +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://linux.die.net/man/1/arecord -- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks -- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 +- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins +- https://objective-see.org/blog/blog_0x1E.html +- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change +- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware +- https://github.com/0xthirteen/SharpMove/ - https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb - https://www.loobins.io/binaries/sysctl/# -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://localtonet.com/documents/supported-tunnels -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://anydesk.com/en/changelog/windows +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://learn.microsoft.com/en-us/windows/client-management/manage-recall +- 
https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details +- https://ngrok.com/blog-post/new-ngrok-domains +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- 
https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://labs.withsecure.com/publications/kapeka +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser +- https://paper.seebug.org/1495/ +- https://cloud.google.com/access-context-manager/docs/audit-logging +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://support.google.com/a/answer/9261439 +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- 
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://news.ycombinator.com/item?id=29504755 +- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ - https://twitter.com/MsftSecIntel/status/1737895710169628824 -- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql +- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://localtonet.com/documents/supported-tunnels - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts -- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 -- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps -- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ -- https://asec.ahnlab.com/en/58878/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration +- https://tria.ge/231023-lpw85she57/behavioral2 +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://megatools.megous.com/ +- https://github.com/GhostPack/SharpDPAPI - 
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/ -- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps -- https://github.com/grayhatkiller/SharpExShell -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://ss64.com/osx/sw_vers.html -- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ -- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior -- 
https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://anydesk.com/en/changelog/windows +- 
https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- https://objective-see.org/blog/blog_0x6D.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html +- https://www.loobins.io/binaries/pbpaste/ +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete +- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://www.sans.org/cyber-security-summit/archives +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import -- 
https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d -- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 -- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://tria.ge/240521-ynezpagf56/behavioral1 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983 -- https://www.tarasco.org/security/pwdump_7/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ -- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 -- https://github.com/embedi/CVE-2017-11882 -- https://redcanary.com/blog/msix-installers/ -- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 -- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) -- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- 
https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- https://github.com/amjcyber/EDRNoiseMaker +- https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly +- https://boinc.berkeley.edu/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown +- https://www.tarasco.org/security/pwdump_7/ +- https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities +- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections +- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file +- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity +- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql +- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://evasions.checkpoint.com/techniques/macos.html - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://news.ycombinator.com/item?id=29504755 -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules -- https://blog.sekoia.io/darkgate-internals/ -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference -- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 -- https://www.softperfect.com/products/networkscanner/ -- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ -- https://megatools.megous.com/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 +- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ +- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 - https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://www.cyberciti.biz/faq/linux-remove-user-command/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) +- https://www.loobins.io/binaries/nscurl/ +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ - https://pentestlab.blog/tag/svchost/ -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://securelist.com/network-tunneling-with-qemu/111803/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 +- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://cloud.google.com/access-context-manager/docs/audit-logging -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- 
https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- https://www.sans.org/cyber-security-summit/archives -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://labs.withsecure.com/publications/kapeka -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 -- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates -- https://www.cve.org/CVERecord?id=CVE-2024-1709 -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass -- https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps -- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted -- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl -- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ +- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ +- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- 
https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins - https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://objective-see.org/blog/blog_0x1E.html -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v -- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac -- https://tria.ge/231023-lpw85she57/behavioral2 -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- https://ngrok.com/blog-post/new-ngrok-domains -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701 -- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage -- https://github.com/amjcyber/EDRNoiseMaker -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- https://help.duo.com/s/article/6327?language=en_US -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps -- https://support.google.com/a/answer/9261439 +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://www.loobins.io/binaries/launchctl/ +- 
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 +- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user - https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 -- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ +- https://www.softperfect.com/products/networkscanner/ +- https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html +- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ +- https://www.loobins.io/binaries/xattr/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice - 
https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 -- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://www.loobins.io/binaries/tmutil/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://twitter.com/standa_t/status/1808868985678803222 +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- 
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://github.com/antonioCoco/RoguePotato +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn +- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts +- https://blog.sekoia.io/darkgate-internals/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +- 
https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ +- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://unit42.paloaltonetworks.com/chromeloader-malware/ +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html +- https://linux.die.net/man/1/arecord +- https://github.com/gentilkiwi/mimikatz +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 diff --git a/tests/rule-references.txt b/tests/rule-references.txt index 07b8e5fcb5a..533e26bbbbe 100644 --- a/tests/rule-references.txt +++ b/tests/rule-references.txt 
@@ -3717,3 +3717,20 @@ https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c74451 https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse +https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html +https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete +https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416 +https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a +https://docs.github.com/en/migrations +https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps +https://security.padok.fr/en/blog/kubernetes-webhook-attackers +https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ +https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference +https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 +https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) +https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701 +https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py +https://asec.ahnlab.com/en/58878/ +https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps +https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules 
+https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
From 3359340f219b55f4b133bf527f0a2c4697783c0e Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Thu, 1 Aug 2024 15:03:12 +0545
Subject: [PATCH 007/144] Merge PR #4763 from @swachchhanda000 - New rules related to Raspberry Robin TTPs new: Potential Raspberry Robin Aclui Dll SideLoading new: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
---------
Co-authored-by: Swachchhanda Shrawan Poudel
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...aspberry_robin_side_load_aclui_oleview.yml | 38 +++++++++++++++
 ...robin_internet_settings_zonemap_tamper.yml | 48 +++++++++++++++++++
 2 files changed, 86 insertions(+)
 create mode 100644 rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
 create mode 100644 rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
new file mode 100644
index 00000000000..5bf32408bc7
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
@@ -0,0 +1,38 @@
+title: Potential Raspberry Robin Aclui Dll SideLoading
+id: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a
+status: experimental
+description: |
+    Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
+references:
+    - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
+    - https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
+    - https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
+    - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+    - https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/31
+tags:
+    - detection.emerging_threats
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\OleView.exe'
+        ImageLoaded|endswith: '\aclui.dll'
+    filter_main_legit_oleview_paths:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Windows Kits\'
+            - 'C:\Program Files\Microsoft SDKs\'
+    filter_optional_known_oleview_paths:
+        Image|contains: '\Windows Resource Kit\'
+    filter_main_is_signed:
+        Signed: 'true'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
new file mode 100644
index 00000000000..15515594952
--- /dev/null
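Review bot: `filter_main_is_signed` drops every event in which the loaded aclui.dll carries a signature, but `Signed` alone says nothing about whether that signature verified; Sysmon image_load events also expose `SignatureStatus` and `Signature`, so if the pipeline sets `Signed` on mere presence of a signature, a DLL with an invalid or foreign signature would be excluded too. Consider tightening the filter to `Signed: 'true'` plus `SignatureStatus: 'Valid'` (or `Signature: 'Microsoft Windows'`), or documenting in the description why presence of a signature is considered sufficient. The description line also needs editing: `by OleView.This behavior` is missing a space, `chekpoint` should read `Check Point`, and `Feburary` should read `February`.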
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml 
@@ -0,0 +1,48 @@
+title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
+id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
+status: experimental
+description: |
+    Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
+    Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
+references:
+    - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
+    - https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
+    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
+    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
+    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites
+    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
+    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
+author: Swachchhanda Shrawan Poudel
+date: 2024/07/31
+tags:
+    - detection.emerging_threats
+    - attack.t1112
+    - attack.defense_evasion
+logsource:
+    category: registry_set
+    product: windows
+    definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its sub keys must be monitored'
+detection:
+    selection_registry_image:
+        - Image|contains:
+              - '\AppData\Local\Temp\'
+              - '\Downloads\'
+              - '\Users\Public\'
+              - '\Windows\Temp\'
+        - Image|endswith: '\control.exe'
+    selection_registry_object:
+        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\'
+    selection_value_enable:
+        TargetObject|endswith:
+            - '\IntranetName'
+            - '\ProxyByPass'
+            - '\UNCAsIntranet'
+        Details|contains: 'DWORD (0x00000001)'
+    selection_value_disable:
+        TargetObject|endswith: '\AutoDetect'
+        Details|contains: 'DWORD (0x00000000)'
+    condition: all of selection_registry_* and 1 of selection_value_*
+falsepositives:
+    - Unknown
+# Note: can be upgraded to medium after an initial baseline
+level: low
From c5e352c270c47597ef28776d8c8d235d49d80c45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zach=20Mathis=20=28=E7=94=B0=E4=B8=AD=E3=82=B6=E3=83=83?= =?UTF-8?q?=E3=82=AF=29?= <71482215+YamatoSecurity@users.noreply.github.com>
Date: Thu, 1 Aug 2024 21:12:35 +0900
Subject: [PATCH 008/144] Merge PR #4944 from @YamatoSecurity - Add missing `expand` modifier fix: Userdomain Variable Enumeration - Add missing `expand` modifier
---
 .../proc_creation_win_userdomain_variable_enumeration.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
index 26bbc586f2c..54f3f4c898f 100644
--- a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
+++ b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
@@ -7,6 +7,7 @@ references:
     - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2023/02/09
+modified: 2024/08/01
 tags:
     - attack.discovery
     - attack.t1016
@@ -15,9 +16,8 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all:
-            - 'echo '
-            - '%userdomain%'
+        CommandLine|contains: 'echo '
+        CommandLine|contains|expand: '%userdomain%'
     condition: selection
 falsepositives:
     - Certain scripts or applications may leverage this.
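Review bot: The description speaks of "proxy configuration" and "proxy settings", but the values the rule actually keys on — `IntranetName`, `ProxyByPass`, `UNCAsIntranet` and `AutoDetect` under `Internet Settings\ZoneMap` — are Internet Explorer security-zone mapping settings, as the admx.help references in the same hunk show; a reader tuning the rule will look in the wrong place. I would reword the first description line to something like `Detects modification of the Internet Settings ZoneMap values (intranet zone mapping and proxy-bypass/auto-detect flags), potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.` and trim the trailing clause `if there are any proxy settings that are blocking connections` from the second line, which reads as an afterthought. The `falsepositives` entry could also name the administrative case the rule will inevitably hit, since `- Image|endswith: '\control.exe'` is matched regardless of path.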
From 782f0f524e6f797ea114fe0d87b22cb4abaa6b7c Mon Sep 17 00:00:00 2001
From: GtUGtHGtNDtEUaE <110989433+GtUGtHGtNDtEUaE@users.noreply.github.com>
Date: Thu, 1 Aug 2024 22:46:23 +0200
Subject: [PATCH 009/144] Merge PR #4945 from @GtUGtHGtNDtEUaE - Fix typo in field name for rules leveraging EID 5145 fix: Remote Task Creation via ATSVC Named Pipe - Fixed field name from `Accesses` to `AccessList` fix: Persistence and Execution at Scale via GPO Scheduled Task - Fixed field name from `Accesses` to `AccessList` fix: Remote Service Activity via SVCCTL Named Pipe - Fixed field name from `Accesses` to `AccessList`
---
 rules/windows/builtin/security/win_security_atsvc_task.yml | 4 ++--
 .../builtin/security/win_security_gpo_scheduledtasks.yml | 4 ++--
 .../builtin/security/win_security_svcctl_remote_service.yml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_atsvc_task.yml b/rules/windows/builtin/security/win_security_atsvc_task.yml
index 22c0c8c0f41..42b2bf7d604 100644
--- a/rules/windows/builtin/security/win_security_atsvc_task.yml
+++ b/rules/windows/builtin/security/win_security_atsvc_task.yml
@@ -6,7 +6,7 @@ references:
     - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
 author: Samir Bousseaden
 date: 2019/04/03
-modified: 2022/08/11
+modified: 2024/08/01
 tags:
     - attack.lateral_movement
     - attack.persistence
@@ -22,7 +22,7 @@ detection:
         EventID: 5145
         ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
         RelativeTargetName: atsvc
-        Accesses|contains: 'WriteData'
+        AccessList|contains: 'WriteData'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
index ff69baf0ecb..612b78bced6 100644
--- a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
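Review bot: The renamed `AccessList|contains: 'WriteData'` in the atsvc hunk (and the identical line in the svcctl hunk on the next physical line) matches only the resolved access name, while the gpo_scheduledtasks hunk in the same commit matches both `'WriteData'` and the raw access-right token `'%%4417'`. In the Security event 5145 XML the `AccessList` field carries the `%%NNNN` tokens; the text "WriteData" only appears once the message has been rendered, so whether this rule fires depends on which form the log pipeline ships. For consistency with the gpo rule I would change both atsvc and svcctl to a list: `AccessList|contains:` / `    - 'WriteData'` / `    - '%%4417'`.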
+++ b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
@@ -7,7 +7,7 @@ references:
     - https://www.secureworks.com/blog/ransomware-as-a-distraction
 author: Samir Bousseaden
 date: 2019/04/03
-modified: 2021/11/27
+modified: 2024/08/01
 tags:
     - attack.persistence
     - attack.lateral_movement
@@ -21,7 +21,7 @@ detection:
         EventID: 5145
         ShareName: '\\\\\*\\SYSVOL' # looking for the string \\*\SYSVOL
         RelativeTargetName|endswith: 'ScheduledTasks.xml'
-        Accesses|contains:
+        AccessList|contains:
             - 'WriteData'
             - '%%4417'
     condition: selection
diff --git a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
index 2b175525098..7b980ffe534 100644
--- a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
+++ b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
@@ -6,7 +6,7 @@ references:
     - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
 author: Samir Bousseaden
 date: 2019/04/03
-modified: 2022/08/11
+modified: 2024/08/01
 tags:
     - attack.lateral_movement
     - attack.persistence
@@ -20,7 +20,7 @@ detection:
         EventID: 5145
         ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
         RelativeTargetName: svcctl
-        Accesses|contains: 'WriteData'
+        AccessList|contains: 'WriteData'
     condition: selection
 falsepositives:
     - Unknown
From 22f02953b5e2f129896a04239046666d460e2d0f Mon Sep 17 00:00:00 2001
From: Josh
Date: Wed, 7 Aug 2024 04:25:18 -0400
Subject: [PATCH 010/144] Merge PR #4952 from @joshnck - Fix `Potential DLL Sideloading Of DbgModel.DLL` fix: Potential DLL Sideloading Of DbgModel.DLL - Exclude Dell Support Assistant
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 rules/windows/image_load/image_load_side_load_dbgmodel.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/image_load/image_load_side_load_dbgmodel.yml b/rules/windows/image_load/image_load_side_load_dbgmodel.yml index cfcbf738657..6b772ead8d7 100644 --- a/rules/windows/image_load/image_load_side_load_dbgmodel.yml +++ b/rules/windows/image_load/image_load_side_load_dbgmodel.yml @@ -6,7 +6,7 @@ references: - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html author: Gary Lobermier date: 2024/07/11 -modified: 2024/07/22 +modified: 2024/08/06 tags: - attack.defense_evasion - attack.t1574.002 @@ -27,6 +27,8 @@ detection: ImageLoaded|startswith: - 'C:\Program Files (x86)\Windows Kits\' - 'C:\Program Files\Windows Kits\' + filter_optional_dell_instrumentation: + ImageLoaded|startswith: 'C:\Program Files\Dell\DTP\InstrumentationSubAgent\' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate applications loading their own versions of the DLL mentioned in this rule From 4989d43ae97015f8113aed2efcd49d288b8fec21 Mon Sep 17 00:00:00 2001 From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Wed, 7 Aug 2024 14:33:12 +0545 Subject: [PATCH 011/144] Merge PR #4946 from @swachchhanda000 - Add `Suspicious Process Masquerading As SvcHost.EXE` new: Suspicious Process Masquerading As SvcHost.EXE --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...c_creation_win_susp_system_exe_anomaly.yml | 3 ++ ...tion_win_svchost_masqueraded_execution.yml | 35 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml index 1d50dec0015..4c461717db6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml 
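Review bot: The new `filter_optional_dell_instrumentation` carries no comment saying which product the `DTP\InstrumentationSubAgent` directory belongs to; the commit message names "Dell Support Assistant", but a maintainer reading the rule later will not see that. Suggest an inline comment on the new key, `filter_optional_dell_instrumentation:  # Dell Support Assistant component, see PR #4952`. Since the exclusion is a path prefix only, it would also help to state (in the comment or in `falsepositives`) that the directory lives under `C:\Program Files\` and so cannot be populated without elevated rights, which is presumably why a path-only filter was judged acceptable.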
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml @@ -1,5 +1,8 @@ title: System File Execution Location Anomaly id: e4a6b256-3e47-40fc-89d2-7a477edd6915 +related: + - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule + type: derived status: experimental description: | Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location. diff --git a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml new file mode 100644 index 00000000000..1ef9b1642e0 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml @@ -0,0 +1,35 @@ +title: Suspicious Process Masquerading As SvcHost.EXE +id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd +related: + - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d + type: similar + - id: e4a6b256-3e47-40fc-89d2-7a477edd6915 + type: similar +status: experimental +description: | + Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. + Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection. +references: + - https://tria.ge/240731-jh4crsycnb/behavioral2 + - https://redcanary.com/blog/threat-detection/process-masquerading/ +author: Swachchhanda Shrawan Poudel +date: 2024/08/07 +tags: + - attack.defense_evasion + - attack.t1036.005 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\svchost.exe' + filter_main_img_location: + Image: + - 'C:\Windows\System32\svchost.exe' + - 'C:\Windows\SysWOW64\svchost.exe' + filter_main_ofn: + OriginalFileName: 'svchost.exe' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unlikely +level: high 
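Review bot: `filter_main_ofn` drops every event whose `OriginalFileName` is `svchost.exe`, but that field is read from the executable's own version resource and is not an authoritative indicator, which sits uneasily with a rule rated `level: high` and `falsepositives: Unlikely`. If the filter exists to cover legitimate copies of svchost.exe outside `System32`/`SysWOW64`, listing those locations under `filter_main_img_location` would be more specific than trusting the PE name; if it is meant to stay, the description should say why OriginalFileName is considered reliable here. At minimum a comment on the filter, `# Excludes images carrying the original PE name; this value is not independently verified`, would make the trade-off visible to whoever tunes the rule.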
From a47edba68d8f7ce6d86c36fedfcc716be4ea9513 Mon Sep 17 00:00:00 2001 From: David Bertho <41988314+dbertho@users.noreply.github.com> Date: Wed, 7 Aug 2024 13:49:59 +0200 Subject: [PATCH 012/144] Merge PR #4941 from @dbertho - Update Outlook Persistence related rules / Specula update: Potential Persistence Via Outlook Home Page - Update the logic to account for additional sub keys. update: Potential Persistence Via Outlook Today Page - Update the logic to account for the "URL" value. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...istry_set_persistence_outlook_homepage.yml | 24 ++++++++-------- ...stry_set_persistence_outlook_todaypage.yml | 28 +++++++++++-------- 2 files changed, 29 insertions(+), 23 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml index c98cf92c712..5ed2b5ae1d4 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml 
@@ -1,13 +1,19 @@ title: Potential Persistence Via Outlook Home Page id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76 +related: + - id: 487bb375-12ef-41f6-baae-c6a1572b4dd1 + type: similar status: test -description: Detects potential persistence activity via outlook home pages. +description: | + Detects potential persistence activity via outlook home page. + An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys. references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us -author: Tobias Michalski (Nextron Systems) + - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand date: 2021/06/09 -modified: 2023/08/17 +modified: 2024/08/07 tags: - attack.persistence - attack.t1112 @@ -15,18 +21,12 @@ logsource: product: windows category: registry_set detection: - selection_1: - TargetObject|contains: + selection: + TargetObject|contains|all: - '\Software\Microsoft\Office\' - '\Outlook\WebView\' TargetObject|endswith: '\URL' - selection_2: - TargetObject|contains: - - '\Calendar\' - - '\Inbox\' - condition: all of selection_* -fields: - - Details + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml index 66ebe5debc2..63489638474 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml 
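Review bot: The rewritten detection drops the `fields: - Details` block (the todaypage hunk on the next line does the same), which was the only hint to surface the data written to the value, i.e. the URL that was set; if removal is intentional as part of the v2 migration, the commit message should say so, since it is not mentioned. The new `selection` also has no image-based exclusion, whereas the sibling todaypage rule keeps `filter_main_office` for `OfficeClickToRun.exe`; whether Office updates ever write `\Outlook\WebView\...\URL` is not shown here, so the asymmetry may be deliberate, but a one-line comment explaining why no filter is needed would prevent the next reader from "fixing" it. The prefix `'\Software\Microsoft\Office\'` here versus `'Software\Microsoft\Office\'` in the todaypage rule is a minor consistency point as well.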
@@ -1,12 +1,18 @@ -title: Potential Persistence Via Outlook Today Pages +title: Potential Persistence Via Outlook Today Page id: 487bb375-12ef-41f6-baae-c6a1572b4dd1 +related: + - id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76 + type: similar status: test -description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl". +description: | + Detects potential persistence activity via outlook today page. + An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl". references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74 -author: Tobias Michalski (Nextron Systems) + - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand date: 2021/06/10 -modified: 2023/08/17 +modified: 2024/08/07 tags: - attack.persistence - attack.t1112 @@ -19,18 +25,18 @@ detection: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selection_value_stamp: - TargetObject|endswith: 'Stamp' + TargetObject|endswith: '\Stamp' Details: 'DWORD (0x00000001)' - selection_value_user_defined: - TargetObject|endswith: 'UserDefinedUrl' - filter_office: + selection_value_url: + TargetObject|endswith: + - '\URL' + - '\UserDefinedUrl' + filter_main_office: Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' Image|endswith: '\OfficeClickToRun.exe' - condition: selection_main and 1 of selection_value_* and not 1 of filter_* -fields: - - Details + condition: selection_main and 1 of selection_value_* and not 1 of filter_main_* falsepositives: - Unknown level: high From 8254c4f36d1c16d5916fdfcfea7063dbffa41e13 Mon Sep 17 00:00:00 2001 
From: Josh Date: Wed, 7 Aug 2024 10:01:47 -0400 Subject: [PATCH 013/144] Merge PR #4955 from @joshnck - Fix `agentexecutor.exe` related rules fix: AgentExecutor PowerShell Execution - Exclude `Microsoft.Management.Services.IntuneWindowsAgent.exe` fix: Suspicious AgentExecutor PowerShell Execution - Exclude `Microsoft.Management.Services.IntuneWindowsAgent.exe` --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_agentexecutor_potential_abuse.yml | 5 ++++- .../proc_creation_win_agentexecutor_susp_usage.yml | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml index be7d766e359..13ec22dff46 100644 --- a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml @@ -12,6 +12,7 @@ references: - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension - https://twitter.com/jseerden/status/1247985304667066373/photo/1 date: 2022/12/24 +modified: 2024/08/07 tags: - attack.defense_evasion - attack.t1218 @@ -34,7 +35,9 @@ detection: CommandLine|contains: - ' -powershell' # Also covers the "-powershellDetection" flag - ' -remediationScript' - condition: all of selection_* + filter_main_intune: + ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe' + condition: all of selection_* and not 1 of filter_main_* falsepositives: - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate level: medium diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml index de4ae19b5d8..3e0a1ff9bec 100644 
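Review bot: `filter_main_intune` in this hunk (and the identical filter in the susp_usage hunk on the next line) excludes on `ParentImage|endswith` alone, so any process whose image happens to be named `Microsoft.Management.Services.IntuneWindowsAgent.exe`, in any directory, suppresses the alert. Anchoring the exclusion to the agent's install directory, e.g. adding `ParentImage|startswith: '<INTUNE_MANAGEMENT_EXTENSION_INSTALL_DIR>'` (placeholder; the real directory is not on this page) alongside the existing `endswith`, keeps the filter specific to the genuine Intune Management Extension. The reordering of the two PowerShell paths in the second rule's `filter_main_pwsh` is cosmetic and needs no change.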
--- a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml @@ -12,6 +12,7 @@ references: - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension - https://twitter.com/jseerden/status/1247985304667066373/photo/1 date: 2022/12/24 +modified: 2024/08/07 tags: - attack.defense_evasion - attack.t1218 @@ -36,8 +37,10 @@ detection: - ' -remediationScript' filter_main_pwsh: CommandLine|contains: - - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\' - 'C:\Windows\System32\WindowsPowerShell\v1.0\' + - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\' + filter_main_intune: + ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe' condition: all of selection_* and not 1 of filter_main_* falsepositives: - Unknown From 8ff9cd8d20ffa6f653fa56ccd6c6b655c88506e0 Mon Sep 17 00:00:00 2001 
From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com> Date: Sat, 10 Aug 2024 08:23:58 +0900 Subject: [PATCH 014/144] Merge PR #4958 from @fukusuket - Update unreachable/broken references chore: Credential Dumping Tools Accessing LSASS Memory chore: Potential MFA Bypass Using Legacy Client Authentication chore: Possible DC Shadow Attack chore: Potential Privileged System Service Operation - SeLoadDriverPrivilege chore: Remote Thread Creation In Uncommon Target Image chore: RDP File Creation From Suspicious Application chore: Suspicious PROCEXP152.sys File Created In TMP chore: Outbound Network Connection Initiated By Microsoft Dialer chore: NTFS Alternate Data Stream chore: PowerShell Get-Process LSASS in ScriptBlock chore: Windows Firewall Profile Disabled chore: Potentially Suspicious GrantedAccess Flags On LSASS chore: HackTool - PCHunter Execution chore: Mstsc.EXE Execution With Local RDP File chore: Suspicious Mstsc.EXE Execution With Local RDP File chore: Mstsc.EXE Execution From Uncommon Parent chore: PowerShell Get-Process LSASS chore: LSASS Access From Program In Potentially Suspicious Folder chore: Uncommon GrantedAccess Flags On LSASS --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Thanks: @fukusuket --- deprecated/windows/proc_access_win_lsass_susp_access.yml | 2 +- .../proc_access_win_lsass_susp_source_process.yml | 2 +- .../proc_access_win_lsass_uncommon_access_flag.yml | 2 +- .../signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml | 2 +- .../builtin/security/win_security_possible_dc_shadow.yml | 2 +- .../builtin/security/win_security_user_driver_loaded.yml | 2 +- .../create_remote_thread_win_susp_uncommon_target_image.yml | 2 +- .../file/file_event/file_event_win_rdp_file_susp_creation.yml | 2 +- ...event_win_susp_procexplorer_driver_created_in_tmp_folder.yml | 2 +- .../net_connection_win_dialer_initiated_connection.yml | 2 +- .../powershell/powershell_script/posh_ps_ntfs_ads_access.yml | 2 +- 
.../powershell_script/posh_ps_susp_getprocess_lsass.yml | 2 +- .../posh_ps_windows_firewall_profile_disabled.yml | 2 +- .../process_access/proc_access_win_lsass_susp_access_flag.yml | 2 +- .../process_creation/proc_creation_win_hktl_pchunter.yml | 2 +- .../proc_creation_win_mstsc_run_local_rdp_file.yml | 2 +- ...proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml | 2 +- .../proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml | 2 +- .../proc_creation_win_powershell_getprocess_lsass.yml | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/deprecated/windows/proc_access_win_lsass_susp_access.yml b/deprecated/windows/proc_access_win_lsass_susp_access.yml index 3565fd75c5d..4e23d227cea 100644 --- a/deprecated/windows/proc_access_win_lsass_susp_access.yml +++ b/deprecated/windows/proc_access_win_lsass_susp_access.yml @@ -6,7 +6,7 @@ references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf + - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community date: 2017/02/16 modified: 2023/11/30 diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml index 267ba326d1b..8176e25aee1 100644 
--- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml +++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml @@ -7,7 +7,7 @@ references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf + - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf author: Florian Roth (Nextron Systems) date: 2021/11/27 modified: 2023/12/06 diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml index 2ff1de22f11..a29743a9c21 100644 --- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml +++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml 
@@ -10,7 +10,7 @@ references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf + - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf author: Florian Roth (Nextron Systems) date: 2022/03/13 modified: 2023/11/30 diff --git a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml index f5bdb20e125..a906a4fd304 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml @@ -3,7 +3,7 @@ id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc status: test description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack. references: - - https://blooteem.com/march-2022 + - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/ author: Harjot Singh, '@cyb3rjy0t' date: 2023/03/20 diff --git a/rules/windows/builtin/security/win_security_possible_dc_shadow.yml b/rules/windows/builtin/security/win_security_possible_dc_shadow.yml index 3ee0b144500..4e8e58d8440 100644 --- a/rules/windows/builtin/security/win_security_possible_dc_shadow.yml +++ b/rules/windows/builtin/security/win_security_possible_dc_shadow.yml 
@@ -8,7 +8,7 @@ description: Detects DCShadow via create new SPN references: - https://twitter.com/gentilkiwi/status/1003236624925413376 - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 - - https://blog.alsid.eu/dcshadow-explained-4510f52fc19d + - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah date: 2019/10/25 modified: 2022/10/17 diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml index b1ccd382992..4da100b23b5 100644 --- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml +++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml @@ -8,7 +8,7 @@ description: | If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff. references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ + - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml index d2a345cd351..af25b80ee5c 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml 
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml @@ -6,7 +6,7 @@ related: status: experimental description: Detects uncommon target processes for remote thread creation references: - - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection + - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection author: Florian Roth (Nextron Systems) date: 2022/03/16 modified: 2024/07/15 diff --git a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml index d44d34f4750..142f25529da 100644 --- a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml @@ -4,7 +4,7 @@ status: test description: Detects Rclone config file being created references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ + - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/04/18 tags: diff --git a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml index f802af2583a..326fdddf772 100755 --- a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml 
@@ -5,7 +5,7 @@ description: | Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ + - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 modified: 2022/11/22 diff --git a/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml index 54d9bdb22b9..a3c3c3e6384 100644 --- a/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml +++ b/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml @@ -6,7 +6,7 @@ description: | The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys" references: - - hhttps://tria.ge/240301-rk34sagf5x/behavioral2 + - https://tria.ge/240301-rk34sagf5x/behavioral2 - https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml index 6485befa856..577a2fa3d97 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml @@ -3,7 +3,7 @@ id: 8c521530-5169-495d-a199-0a3a881ad24e status: test description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. references: - - http://www.powertheshell.com/ntfsstreams/ + - https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md author: Sami Ruohonen date: 2018/07/24 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml index b36d2d4b313..af6de71d8d0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml @@ -3,7 +3,7 @@ id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb status: test description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity references: - - https://twitter.com/PythonResponder/status/1385064506049630211 + - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 author: Florian Roth (Nextron Systems) date: 2021/04/23 modified: 2022/12/25 diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml index 54adcf55c05..2c7295a0f18 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml @@ -8,7 +8,7 @@ description: Detects when a user disables the Windows Firewall via a Profile to references: - https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell - - http://powershellhelp.space/commands/set-netfirewallrule-psv5.php + - https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php - http://woshub.com/manage-windows-firewall-powershell/ - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html author: Austin Songer @austinsonger diff --git a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml index ca8f74c15e4..7ab396f1e3f 100644 --- a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml +++ b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml @@ -10,7 +10,7 @@ references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf + - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community date: 2021/11/22 modified: 2023/11/29 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml index 743a3b6ef2b..0a4956b864a 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml @@ -3,7 +3,7 @@ id: fca949cc-79ca-446e-8064-01aa7e52ece5 status: test description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff references: - - http://www.xuetr.com/ + - https://web.archive.org/web/20231210115125/http://www.xuetr.com/ - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml index f3bcbfeeb4e..baa0a0a74f9 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml @@ -4,7 +4,7 @@ status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ + - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock date: 2023/04/18 modified: 2023/04/30 
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml index 0b064545d4f..4c4dd59c728 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml @@ -4,7 +4,7 @@ status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ + - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/04/18 tags: diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml index cb1c7ff8d59..4f694938e7c 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml @@ -4,7 +4,7 @@ status: test description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ + - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/04/18 modified: 2023/04/18 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml b/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
index 41d5e49fc41..21de196ed0a 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
@@ -3,7 +3,7 @@ id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
 status: test
 description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
 references:
- - https://twitter.com/PythonResponder/status/1385064506049630211
+ - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
 author: Florian Roth (Nextron Systems)
 date: 2021/04/23
 modified: 2023/01/05
From 51d0119a58684c09a412346b659673b0cf1e6132 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 10 Aug 2024 11:26:33 +0200
Subject: [PATCH 015/144] Merge PR #4959 from @frack113 - Freeze pySigma to 0.11.9 before migration to v2 chore: freeze pySigma before migrating all rules to v2
---
 .github/workflows/sigma-test.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 316c6ef386d..a2cd5acf698 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -76,6 +76,7 @@ jobs:
 - name: Install dependencies
 run: |
 # pip install sigma-cli~=0.7.1
+ pip install pysigma==0.11.9
 pip install sigma-cli
 pip install pySigma-validators-sigmahq==0.7.0
 - name: Test Sigma Rule Syntax
From dbba992bc315070be544c7d2cf17569b857db46a Mon Sep 17 00:00:00 2001
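Review bot: The added `pip install pysigma==0.11.9` runs before an unpinned `pip install sigma-cli`, and pip resolves each invocation on its own, so if the sigma-cli release it picks declares a pySigma requirement that excludes 0.11.9 the second install will replace pysigma and silently undo the freeze. Installing both in one resolver call, `pip install pysigma==0.11.9 sigma-cli`, makes pip fail loudly on a conflict instead, and pinning sigma-cli the way `pySigma-validators-sigmahq==0.7.0` already is would keep the CI baseline reproducible between runs. A comment above the pin, `# pinned until the rules are migrated to Sigma v2; do not bump`, would record why the version is frozen, since the commit message is currently the only place that states it.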
From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com>
Date: Sat, 10 Aug 2024 19:52:28 +0900
Subject: [PATCH 016/144] Merge PR #4960 from @fukusuket - Update unreachable/broken references chore: Unix Shell Configuration Modification - Update unreachable/broken references chore: JNDIExploit Pattern - Update unreachable/broken references chore: Load Of RstrtMgr.DLL By A Suspicious Process - Update unreachable/broken references chore: Load Of RstrtMgr.DLL By An Uncommon Process - Update unreachable/broken references chore: Potential appverifUI.DLL Sideloading - Update unreachable/broken references chore: Potential Dead Drop Resolvers - Update unreachable/broken references chore: HackTool - SecurityXploded Execution - Update unreachable/broken references chore: Suspicious Processes Spawned by Java.EXE - Update unreachable/broken references chore: Shell Process Spawned by Java.EXE - Update unreachable/broken references chore: New Firewall Rule Added Via Netsh.EXE - Update unreachable/broken references chore: PUA - AdvancedRun Execution - Update unreachable/broken references chore: PUA - AdvancedRun Suspicious Execution - Update unreachable/broken references chore: PUA - NSudo Execution - Update unreachable/broken references chore: Windows Processes Suspicious Parent Directory - Update unreachable/broken references chore: Suspect Svchost Activity - Update unreachable/broken references chore: Whoami.EXE Execution From Privileged Process - Update unreachable/broken references chore: Turla PNG Dropper Service - Update unreachable/broken references chore: Exploiting SetupComplete.cmd CVE-2019-1378 - Update unreachable/broken references chore: Log4j RCE CVE-2021-44228 Generic - Update unreachable/broken references chore: Log4j RCE CVE-2021-44228 in Fields - Update unreachable/broken references chore: .Class Extension URI Ending Request - Update unreachable/broken references chore: DLL Call by Ordinal Via Rundll32.EXE - Update unreachable/broken references
---
 .../2017/TA/Turla/win_system_apt_turla_service_png.yml | 2 +-
 .../CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml | 2 +-
 .../2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml | 2 +-
 .../Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml | 2 +-
 .../web/proxy_generic/proxy_susp_class_extension_request.yml | 2 +-
 .../process_creation/proc_creation_win_rundll32_by_ordinal.yml | 2 +-
 .../auditd/lnx_auditd_unix_shell_configuration_modification.yml | 2 +-
 rules/web/webserver_generic/web_jndi_exploit.yml | 2 +-
 .../image_load/image_load_dll_rstrtmgr_suspicious_load.yml | 2 +-
 .../image_load/image_load_dll_rstrtmgr_uncommon_load.yml | 2 +-
 rules/windows/image_load/image_load_side_load_appverifui.yml | 2 +-
 .../net_connection_win_domain_dead_drop_resolvers.yml | 2 +-
 .../process_creation/proc_creation_win_hktl_secutyxploded.yml | 2 +-
 .../proc_creation_win_java_susp_child_process.yml | 2 +-
 .../proc_creation_win_java_susp_child_process_2.yml | 2 +-
 .../process_creation/proc_creation_win_netsh_fw_add_rule.yml | 2 +-
 .../process_creation/proc_creation_win_pua_advancedrun.yml | 2 +-
 .../proc_creation_win_pua_advancedrun_priv_user.yml | 2 +-
 rules/windows/process_creation/proc_creation_win_pua_nsudo.yml | 2 +-
 .../proc_creation_win_susp_proc_wrong_parent.yml | 2 +-
 .../proc_creation_win_svchost_execution_with_no_cli_flags.yml | 2 +-
 ...roc_creation_win_whoami_execution_from_high_priv_process.yml | 2 +-
 22 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
index 1562c787175..bc83f7e4525 100644
--- a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
+++ b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
@@ -3,7 +3,7 @@ id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
 status: test
 description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
 references:
- - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+ - https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
 author: Florian Roth (Nextron Systems)
 date: 2018/11/23
 modified: 2021/11/30
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
index 542561dc515..6ecabce62f8 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
@@ -3,7 +3,7 @@ id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
 status: test
 description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
 references:
- - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
+ - https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2019/11/15
 modified: 2021/11/27
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
index 85c971186ec..28a988627e8 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
@@ -3,7 +3,7 @@ id: 5ea8faa8-db8b-45be-89b0-151b84c82702
 status: test
 description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
 references:
- - https://www.lunasec.io/docs/blog/log4j-zero-day/
+ - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 - https://news.ycombinator.com/item?id=29504755
 - https://github.com/tangxiaofeng7/apache-log4j-poc
 - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
index 4a2ef9565d7..8707f74931c 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
@@ -3,7 +3,7 @@ id: 9be472ed-893c-4ec0-94da-312d2765f654
 status: test
 description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
 references:
- - https://www.lunasec.io/docs/blog/log4j-zero-day/
+ - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 - https://news.ycombinator.com/item?id=29504755
 - https://github.com/tangxiaofeng7/apache-log4j-poc
 - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
diff --git a/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml b/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
index c94fe2c053b..9b912cc0280 100644
--- a/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
+++ b/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
@@ -5,7 +5,7 @@ description: |
 Detects requests to URI ending with the ".class" extension in proxy logs. This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
 references:
- - https://www.lunasec.io/docs/blog/log4j-zero-day/
+ - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades)
 date: 2021/12/21
 modified: 2024/02/26
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
index ed303b33ce3..bf4274cce00 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
@@ -3,7 +3,7 @@ id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
 status: stable
 description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll.
 references:
- - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
+ - https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
 - https://github.com/Neo23x0/DLLRunner
 - https://twitter.com/cyb3rops/status/1186631731543236608
 - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
diff --git a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
index 5c76b3f5bdf..125006950c0 100644
--- a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
+++ b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
@@ -7,7 +7,7 @@ status: test
 description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
 references:
 - https://objective-see.org/blog/blog_0x68.html
- - https://www.glitch-cat.com/p/green-lambert-and-attack
+ - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
 - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
 author: Peter Matkovski, IAI
 date: 2023/03/06
diff --git a/rules/web/webserver_generic/web_jndi_exploit.yml b/rules/web/webserver_generic/web_jndi_exploit.yml
index 83c9ac28dd4..538c64f0b22 100644
--- a/rules/web/webserver_generic/web_jndi_exploit.yml
+++ b/rules/web/webserver_generic/web_jndi_exploit.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects exploitation attempt using the JNDI-Exploit-Kit
 references:
 - https://github.com/pimps/JNDI-Exploit-Kit
- - https://githubmemory.com/repo/FunctFan/JNDIExploit
+ - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
 author: Florian Roth (Nextron Systems)
 date: 2021/12/12
 modified: 2022/12/25
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
index 3508612218f..ad640f5bc42 100644
--- a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
+++ b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
@@ -11,7 +11,7 @@ description: |
 references:
 - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
 - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
- - https://www.swascan.com/cactus-ransomware-malware-analysis/
+ - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
 - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
 date: 2023/11/28
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
index 67cecc0da57..62b11f22489 100644
--- a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
+++ b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
@@ -11,7 +11,7 @@ description: |
 references:
 - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
 - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
- - https://www.swascan.com/cactus-ransomware-malware-analysis/
+ - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
 - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
 date: 2023/11/28
diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml
index 0e06be8b9db..43932ba19da 100644
--- a/rules/windows/image_load/image_load_side_load_appverifui.yml
+++ b/rules/windows/image_load/image_load_side_load_appverifui.yml
@@ -3,7 +3,7 @@ id: ee6cea48-c5b6-4304-a332-10fc6446f484
 status: test
 description: Detects potential DLL sideloading of "appverifUI.dll"
 references:
- - https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
+ - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
 author: X__Junior (Nextron Systems)
 date: 2023/06/20
 tags:
diff --git a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
index b4e27a38dbd..17d1e842eec 100644
--- a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
@@ -8,7 +8,7 @@ description: |
 Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
 references:
- - https://content.fireeye.com/apt-41/rpt-apt41
+ - https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
 - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
 - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
 - https://github.com/kleiton0x00/RedditC2
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml b/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml
index 11962f445b4..a4dff503acb 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml
@@ -4,7 +4,7 @@ status: stable
 description: Detects the execution of SecurityXploded Tools
 references:
 - https://securityxploded.com/
- - https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
+ - https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
 author: Florian Roth (Nextron Systems)
 date: 2018/12/19
 modified: 2023/02/04
diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
index 76637ef15c9..9f367f33688 100644
--- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
 references:
- - https://www.lunasec.io/docs/blog/log4j-zero-day/
+ - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades), Florian Roth
 date: 2021/12/17
 modified: 2024/01/18
diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
index 70e02fb6726..48cf1412e5b 100644
--- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
@@ -6,7 +6,7 @@ related:
 status: test
 description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
 references:
- - https://www.lunasec.io/docs/blog/log4j-zero-day/
+ - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
 date: 2021/12/17
 modified: 2024/01/18
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
index 7e36ad11364..0a903d4187e 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
@@ -3,7 +3,7 @@ id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
 status: test
 description: Detects the addition of a new rule to the Windows firewall via netsh
 references:
- - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
+ - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 author: Markus Neis, Sander Wiebing
 date: 2019/01/29
 modified: 2023/02/10
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
index af649249af9..fc72e197338 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
@@ -8,7 +8,7 @@ description: Detects the execution of AdvancedRun utility
 references:
 - https://twitter.com/splinter_code/status/1483815103279603714
 - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
- - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
+ - https://www.elastic.co/security-labs/operation-bleeding-bear
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/20
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
index f285dcdb8a9..331d4a3e8dc 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
@@ -8,7 +8,7 @@ description: Detects the execution of AdvancedRun utility in the context of the
 references:
 - https://twitter.com/splinter_code/status/1483815103279603714
 - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
- - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
+ - https://www.elastic.co/security-labs/operation-bleeding-bear
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/20
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
index 8521ff1f8b6..9da2bd8591b 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
@@ -3,7 +3,7 @@ id: 771d1eb5-9587-4568-95fb-9ec44153a012
 status: test
 description: Detects the use of NSudo tool for command execution
 references:
- - https://nsudo.m2team.org/en-us/
+ - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/01/24
diff --git a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
index c6d598d71e5..f89f6fd2441 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
@@ -3,7 +3,7 @@ id: 96036718-71cc-4027-a538-d1587e0006a7
 status: test
 description: Detect suspicious parent processes of well-known Windows processes
 references:
- - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
+ - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
 - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 author: vburov
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
index 14a13591f6e..8c3c5f9be7d 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
@@ -3,7 +3,7 @@ id: 16c37b52-b141-42a5-a3ea-bbe098444397
 status: test
 description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
 references:
- - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
+ - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 author: David Burkett, @signalblur
 date: 2019/12/28
 modified: 2022/06/27
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
index ca3d55e499d..45e25fe47b4 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- - https://nsudo.m2team.org/en-us/
+ - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
 author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
 date: 2022/01/28
 modified: 2023/12/04
From ace902b68f86591e5b9a350cdf34d6ad110623ed Mon Sep 17 00:00:00 2001
From: peterydzynski <25185548+peterydzynski@users.noreply.github.com>
Date: Sat, 10 Aug 2024 07:26:42 -0400
Subject: [PATCH 017/144] Merge PR #4957 from @peterydzynski - Update regex for `Powershell Token Obfuscation` rules update: Powershell Token Obfuscation - Process Creation - Optimized used regex update: Powershell Token Obfuscation - Powershell - Optimized used regex chore: Fixed SigmaHQ conventions broken links
---
 .github/PULL_REQUEST_TEMPLATE.md | 2 +-
 .github/workflows/greetings.yml | 2 +-
 CONTRIBUTING.md | 2 +-
 .../powershell_script/posh_ps_token_obfuscation.yml | 4 ++--
 .../proc_creation_win_powershell_token_obfuscation.yml | 4 ++--
 5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index f9e95e5f2df..c6e644da99c 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -44,4 +44,4 @@ Link the fixed issues here, in case your commit fixes issues with rules or code
 ### SigmaHQ Rule Creation Conventions
-- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)
+- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/)
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
index b6f1154d2f5..6b0778d5f68 100644
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@@ -29,6 +29,6 @@ jobs:
 It looks like this is your first pull request on the Sigma rules repository!
- Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
+ Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
 Thanks again, and welcome to the Sigma community! :smiley:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 5a03fa60b5d..e5f6d3ada8d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -48,6 +48,6 @@ git push origin your-feature-branch
 ## 📚 Adding or Updating Detection Rules
-To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions document](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.
+To update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions documents](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.
 Thank you for contributing to Sigma! 🧙‍♂️
diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index 580ee4f7ef5..507343c2993 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
-modified: 2023/03/24
+modified: 2024/08/10
 tags:
 - attack.defense_evasion
 - attack.t1027.009
@@ -27,7 +27,7 @@ detection:
 - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
 # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
 - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
- - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
+ - ScriptBlockText|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
 filter_chocolatey:
 ScriptBlockText|contains:
 - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
index a1aceed79cb..f7be94afa4d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
-modified: 2022/12/30
+modified: 2024/08/09
 tags:
 - attack.defense_evasion
 - attack.t1027.009
@@ -26,7 +26,7 @@ detection:
 - CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]'
 # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
 - CommandLine|re: '"(\{\d\})+"\s*-f'
- - CommandLine|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
+ - CommandLine|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
 condition: selection
 falsepositives:
 - Unknown
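Review bot: The lookahead `(?=.*`)` in the new `ScriptBlockText|re` pattern is unbounded, so a plain `${env:path}` matches as soon as a backtick appears anywhere later on the same line, whereas the replaced pattern required the backtick inside the token; binding the lookahead to the token, `'(?i)\$\{(?=[^}]*`)`?e`?n`?v`?:`?p`?a`?t`?h`?\}'`, keeps the intended semantics. The `+?` quantifier on the zero-width lookahead adds nothing and is best dropped for readability. Inline `(?i)` and lookahead are PCRE/Python features that not every Sigma backend's regex engine accepts, so this rule presumably converts to fewer targets than the old alternation-only pattern did; worth checking against the backends this repository supports. The same change appears in the `CommandLine|re` hunk of proc_creation_win_powershell_token_obfuscation.yml below and the same fix applies there.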
From bfc5586e439ab11954292ec8a0be5b52b1657a2f Mon Sep 17 00:00:00 2001
From: "Omar A."
Date: Sat, 10 Aug 2024 20:18:35 +0300
Subject: [PATCH 018/144] Merge PR #4949 from @omaramin17 - Add new rules related to Hdiutil usage new: Disk Image Mounting Via Hdiutil - MacOS new: Disk Image Creation Via Hdiutil - MacOS
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_macos_hdiutil_create.yml | 23 ++++++++++++++++
 .../proc_creation_macos_hdiutil_mount.yml | 27 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml
 create mode 100644 rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
diff --git a/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml b/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml
new file mode 100644
index 00000000000..7e6ec47bf93
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml
@@ -0,0 +1,23 @@
+title: Disk Image Creation Via Hdiutil - MacOS
+id: 1cf98dc2-fcb0-47c9-8aea-654c9284d1ae
+status: experimental
+description: Detects the execution of the hdiutil utility in order to create a disk image.
+references:
+ - https://www.loobins.io/binaries/hdiutil/
+ - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
+ - https://ss64.com/mac/hdiutil.html
+author: Omar Khaled (@beacon_exe)
+date: 2024/08/10
+tags:
+ - attack.exfiltration
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: /hdiutil
+ CommandLine|contains: 'create'
+ condition: selection
+falsepositives:
+ - Legitimate usage of hdiutil by administrators and users.
+level: medium
diff --git a/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml b/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
new file mode 100644
index 00000000000..ee3ae233f60
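Review bot: `CommandLine|contains: 'create'` matches the substring anywhere in the command line rather than the hdiutil verb, so an invocation like `hdiutil attach ~/Downloads/created.dmg` (constructed example) fires this rule although no image is created. The sibling mount rule in this commit anchors its verbs with a trailing space (`'attach '`, `'mount '`); the same shape here, `CommandLine|contains: 'create '`, or a verb-anchored `CommandLine|re: 'hdiutil\s+create\b'`, ties the match to the verb token. The tag list carries the tactic `attack.exfiltration` without a technique; if the intended mapping is image-as-archive, `attack.t1560.001` as used by the mount rule would document that, and if a different technique is meant the tactic tag alone leaves the reader guessing.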
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
@@ -0,0 +1,27 @@
+title: Disk Image Mounting Via Hdiutil - MacOS
+id: bf241472-f014-4f01-a869-96f99330ca8c
+status: experimental
+description: Detects the execution of the hdiutil utility in order to mount disk images.
+references:
+ - https://www.loobins.io/binaries/hdiutil/
+ - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
+ - https://ss64.com/mac/hdiutil.html
+author: Omar Khaled (@beacon_exe)
+date: 2024/08/10
+tags:
+ - attack.initial_access
+ - attack.t1566.001
+ - attack.t1560.001
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: /hdiutil
+ CommandLine|contains:
+ - 'attach '
+ - 'mount '
+ condition: selection
+falsepositives:
+ - Legitimate usage of hdiutil by administrators and users.
+level: medium
From 118017641789f90054efadf52ae245ef26cc8ad2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 11 Aug 2024 01:39:36 +0200
Subject: [PATCH 019/144] Merge PR #4963 from @nasbench - Fix `Startup Item File Created - MacOS` fix: Startup Item File Created - MacOS - Fix broken logic and update metadata information
---
 .../file_event_macos_startup_items.yml | 24 ---------------
 ..._event_macos_susp_startup_item_created.yml | 30 +++++++++++++++++++
 2 files changed, 30 insertions(+), 24 deletions(-)
 delete mode 100644 rules/macos/file_event/file_event_macos_startup_items.yml
 create mode 100644 rules/macos/file_event/file_event_macos_susp_startup_item_created.yml
diff --git a/rules/macos/file_event/file_event_macos_startup_items.yml b/rules/macos/file_event/file_event_macos_startup_items.yml
deleted file mode 100644
index 137d6200aaf..00000000000
--- a/rules/macos/file_event/file_event_macos_startup_items.yml
+++ /dev/null
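Review bot: The tag list pairs `attack.initial_access` with `attack.t1566.001` but also lists `attack.t1560.001` without its tactic; T1560.001 (Archive via Utility) sits under Collection, so either `- attack.collection` should accompany it or, if mounting a delivered image is the only behaviour meant, the tag should be dropped so the rule's ATT&CK mapping stays internally consistent. The selection itself reads cleanly; `'attach '` and `'mount '` with the trailing space keep the match on the verb token rather than on any path that happens to contain the word.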
@@ -1,24 +0,0 @@ -title: Startup Items -id: dfe8b941-4e54-4242-b674-6b613d521962 -status: test -description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence. -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md -author: Alejandro Ortuno, oscd.community -date: 2020/10/14 -modified: 2022/07/11 -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1037.005 -logsource: - category: file_event - product: macos -detection: - selection: - - TargetFilename|contains: '/Library/StartupItems/' - - TargetFilename|endswith: '.plist' - condition: selection -falsepositives: - - Legitimate administration activities -level: low diff --git a/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml b/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml new file mode 100644 index 00000000000..263f13b5a48 --- /dev/null +++ b/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml 
@@ -0,0 +1,30 @@ +title: Startup Item File Created - MacOS +id: dfe8b941-4e54-4242-b674-6b613d521962 +status: test +description: | + Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence. + Adversaries may use startup items automatically executed at boot initialization to establish persistence. + Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md + - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +author: Alejandro Ortuno, oscd.community +date: 2020/10/14 +modified: 2024/08/11 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1037.005 +logsource: + category: file_event + product: macos +detection: + selection: + TargetFilename|startswith: + - '/Library/StartupItems/' + - '/System/Library/StartupItems' + TargetFilename|endswith: '.plist' + condition: selection +falsepositives: + - Legitimate administration activities +level: low From c8a376179b1732043250d69eabc369eb7db204a2 Mon Sep 17 00:00:00 2001 
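Review bot: The second `startswith` value in `file_event_macos_susp_startup_item_created.yml` lacks the trailing slash (`'/System/Library/StartupItems'`), unlike the first entry, so it is both inconsistent and slightly over-broad (it would also match any sibling path that begins with that prefix). Change it to `- '/System/Library/StartupItems/'`. The two `TargetFilename` modifiers under `selection` are now ANDed, which is the fix the commit intends; note that this deliberately scopes the rule to the `.plist` (`StartupParameters.plist`) and not to the executable script dropped alongside it, so a one-line comment above `TargetFilename|endswith: '.plist'` saying the script file is out of scope would stop the next reader from "fixing" it back.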
From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com> Date: Sun, 11 Aug 2024 18:54:46 +0900 Subject: [PATCH 020/144] Merge PR #4964 from @fukusuket - Fix rules to not use `Lookahead` regex fix: Powershell Token Obfuscation - Powershell - Changed to not use Lookahead regex fix: Powershell Token Obfuscation - Process Creation - Changed to not use Lookahead regex --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../powershell_script/posh_ps_token_obfuscation.yml | 8 +++++--- .../proc_creation_win_powershell_token_obfuscation.yml | 10 ++++++---- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml index 507343c2993..fe4cc6b8385 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml @@ -9,7 +9,7 @@ references: - https://github.com/danielbohannon/Invoke-Obfuscation author: frack113 date: 2022/12/27 -modified: 2024/08/10 +modified: 2024/08/11 tags: - attack.defense_evasion - attack.t1027.009 
@@ -23,11 +23,13 @@ detection: # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString - # ${e`Nv:pATh} - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]' # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting - - ScriptBlockText|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}' + # ${e`Nv:pATh} + - ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}' + filter_envpath: + ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964 filter_chocolatey: ScriptBlockText|contains: - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml index f7be94afa4d..6c88f8b51a0 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml @@ -9,7 +9,7 @@ references: - https://github.com/danielbohannon/Invoke-Obfuscation author: frack113 date: 2022/12/27 -modified: 2024/08/09 +modified: 2024/08/11 tags: - attack.defense_evasion - attack.t1027.009 
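Review bot: The new `ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'` makes every backtick optional, so it also matches the plain `${env:path}` and the rule now depends on the added `filter_envpath` to suppress that case; but the `condition` line is outside this hunk, the filter is named `filter_envpath` whereas the process_creation rule in the same commit uses `filter_main_envpath` with `not 1 of filter_main_*`, and the inline `TODO: Fix this` suggests the wiring may not be in place. Please confirm the condition references this filter, and align the name with the sibling rule (`filter_main_envpath`). A whole-event `contains` filter is also bypassable by adding a harmless literal `${env:path}` next to the obfuscated `${e`nv:pa`th}`; a regex that enumerates the position of the first backtick (nine alternatives, no lookahead) requires at least one backtick and removes the need for the filter altogether, as proposed on the process_creation hunk.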
@@ -22,12 +22,14 @@ detection: # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString - # ${e`Nv:pATh} - CommandLine|re: '\w+`(\w+|-|.)`[\w+|\s]' # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme - CommandLine|re: '"(\{\d\})+"\s*-f' - - CommandLine|re: '(?i)\$\{(?=.*`)+?`?e`?n`?v`?:`?p`?a`?t`?h`?\}' - condition: selection + # ${e`Nv:pATh} + - CommandLine|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}' + filter_main_envpath: + CommandLine|contains: '${env:path}' + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high From 598d29f811c1859ba18e05b8c419cc94410c9a55 Mon Sep 17 00:00:00 2001 
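Review bot: `filter_main_envpath` excludes the whole process-creation event whenever the literal `${env:path}` appears anywhere in `CommandLine`, so an attacker can neutralise the new regex by appending a benign `${env:path}` after the obfuscated `${e`nv:pa`th}` on the same command line — the filter was only added because the rewritten regex (all backticks optional) also matches the unobfuscated form. Lookahead can be avoided while still requiring at least one backtick by enumerating the position of the first backtick: `` '(?i)\$\{(?:`e`?n`?v`?:`?p`?a`?t`?h`?|e`n`?v`?:`?p`?a`?t`?h`?|en`v`?:`?p`?a`?t`?h`?|env`:`?p`?a`?t`?h`?|env:`p`?a`?t`?h`?|env:p`a`?t`?h`?|env:pa`t`?h`?|env:pat`h`?|env:path`)\}' ``. With that pattern the `filter_main_envpath` block can be dropped and the condition returned to `condition: selection`, which also removes the decoy bypass. If the filter is kept for another reason, add a comment above it stating that it deliberately trades that evasion for FP reduction.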
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Aug 2024 12:02:50 +0200 Subject: [PATCH 021/144] Merge PR #4950 from @nasbench - Comply With v2 Spec Changes chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version. --- .github/workflows/sigma-test.yml | 3 +- other/godmode_sigma_rule.yml | 4 +- ...web_cve_2010_5278_exploitation_attempt.yml | 10 ++--- .../web_cve_2014_6287_hfs_rce.yml | 10 ++--- .../Axiom/proc_creation_win_apt_zxshell.yml | 8 ++-- ...eation_win_apt_turla_commands_critical.yml | 8 ++-- ...oc_creation_win_apt_turla_comrat_may20.yml | 6 +-- ...roc_creation_win_exploit_cve_2015_1641.yml | 10 ++--- ...roc_creation_win_exploit_cve_2017_0261.yml | 10 ++--- ...oc_creation_win_exploit_cve_2017_11882.yml | 10 ++--- ...roc_creation_win_exploit_cve_2017_8759.yml | 10 ++--- .../proc_creation_win_malware_adwind.yml | 6 +-- ...n_security_mal_cosmik_duke_persistence.yml | 6 +-- .../proc_creation_win_malware_fireball.yml | 8 ++-- ..._access_win_malware_verclsid_shellcode.yml | 10 ++--- .../proc_creation_win_malware_notpetya.yml | 10 ++--- ...n_win_malware_plugx_susp_exe_locations.yml | 8 ++-- .../StoneDrill/win_system_apt_stonedrill.yml | 6 +-- .../proc_creation_win_malware_wannacry.yml | 10 ++--- ...oc_creation_win_apt_apt10_cloud_hopper.yml | 6 +-- .../proc_creation_win_apt_ta17_293a_ps.yml | 8 ++-- .../net_firewall_apt_equationgroup_c2.yml | 8 ++-- ...on_win_apt_lazarus_binary_masquerading.yml | 8 ++-- .../pipe_created_apt_turla_named_pipes.yml | 6 +-- .../win_system_apt_carbonpaper_turla.yml | 6 +-- .../win_system_apt_turla_service_png.yml | 6 +-- ...18_13379_fortinet_preauth_read_exploit.yml | 10 ++--- .../web_cve_2018_2894_weblogic_exploit.yml | 10 ++--- .../proc_creation_win_malware_elise.yml | 6 +-- ..._creation_win_apt_apt27_emissary_panda.yml | 8 ++-- 
.../TA/APT28/proc_creation_win_apt_sofacy.yml | 8 ++-- ...cozy_bear_phishing_campaign_indicators.yml | 8 ++-- ...apt_apt29_phishing_campaign_indicators.yml | 10 ++--- ...registry_event_apt_oceanlotus_registry.yml | 8 ++-- ...c_creation_win_apt_muddywater_activity.yml | 6 +-- .../proc_creation_win_apt_oilrig_mar18.yml | 10 ++--- .../registry_event_apt_oilrig_mar18.yml | 10 ++--- .../OilRig/win_security_apt_oilrig_mar18.yml | 10 ++--- .../TA/OilRig/win_system_apt_oilrig_mar18.yml | 10 ++--- .../proc_creation_win_apt_slingshot.yml | 6 +-- .../Slingshot/win_security_apt_slingshot.yml | 6 +-- .../proc_creation_win_apt_tropictrooper.yml | 6 +-- ...roc_creation_win_exploit_other_bearlpe.yml | 8 ++-- ...web_cve_2019_11510_pulsesecure_exploit.yml | 10 ++--- ...roc_creation_win_exploit_cve_2019_1378.yml | 10 ++--- ...roc_creation_win_exploit_cve_2019_1388.yml | 10 ++--- .../web_cve_2019_19781_citrix_exploit.yml | 10 ++--- .../web_cve_2019_3398_confluence.yml | 10 ++--- .../proc_creation_win_malware_babyshark.yml | 8 ++-- .../proxy_malware_chafer_url_pattern.yml | 6 +-- .../proc_creation_win_malware_dridex.yml | 10 ++--- .../proc_creation_win_malware_dtrack.yml | 6 +-- .../proc_creation_win_malware_emotet.yml | 8 ++-- .../proc_creation_win_malware_formbook.yml | 8 ++-- ...tion_win_malware_lockergoga_ransomware.yml | 6 +-- .../QBot/proc_creation_win_malware_qbot.yml | 6 +-- .../Ryuk/proc_creation_win_malware_ryuk.yml | 8 ++-- ...creation_win_malware_snatch_ransomware.yml | 6 +-- .../Ursnif/proxy_malware_ursnif_c2_url.yml | 8 ++-- .../proxy_malware_ursnif_download_url.yml | 6 +-- .../Ursnif/registry_add_malware_ursnif.yml | 6 +-- ...c_creation_win_apt_aptc12_bluemushroom.yml | 8 ++-- ...creation_win_apt_apt31_judgement_panda.yml | 10 ++--- .../APT40/proxy_apt_apt40_dropbox_tool_ua.yml | 6 +-- ...c_creation_win_apt_bear_activity_gtr19.yml | 8 ++-- .../proc_creation_win_apt_empiremonkey.yml | 8 ++-- ...ation_win_apt_equationgroup_dll_u_load.yml | 8 ++-- 
.../proc_creation_win_apt_mustangpanda.yml | 8 ++-- .../proc_creation_win_apt_wocao.yml | 8 ++-- .../win_security_apt_wocao.yml | 8 ++-- .../web_cve_2020_0688_exchange_exploit.yml | 10 ++--- .../web_cve_2020_0688_msexchange.yml | 10 ++--- .../CVE-2020-0688/win_vul_cve_2020_0688.yml | 10 ++--- .../web_cve_2020_10148_solarwinds_exploit.yml | 10 ++--- ...oc_creation_win_exploit_cve_2020_10189.yml | 10 ++--- ...roc_creation_win_exploit_cve_2020_1048.yml | 8 ++-- ...exploit_cve_2020_1048_new_printer_port.yml | 8 ++-- ...roc_creation_win_exploit_cve_2020_1350.yml | 10 ++--- .../web_cve_2020_14882_weblogic_exploit.yml | 10 ++--- ...cve_2020_28188_terramaster_rce_exploit.yml | 10 ++--- .../web_cve_2020_3452_cisco_asa_ftd.yml | 10 ++--- .../web_cve_2020_5902_f5_bigip.yml | 10 ++--- .../web_cve_2020_8193_8195_citrix_exploit.yml | 12 +++--- ..._creation_win_malware_blue_mockingbird.yml | 6 +-- ...roxy_malware_comrat_network_indicators.yml | 8 ++-- ..._win_malware_emotet_rundll32_execution.yml | 8 ++-- ...gistry_event_malware_flowcloud_markers.yml | 4 +- ...creation_win_malware_ke3chang_tidepool.yml | 8 ++-- ...c_creation_win_malware_maze_ransomware.yml | 6 +-- ...c_creation_win_malware_trickbot_wermgr.yml | 6 +-- .../proc_creation_win_apt_evilnum_jul20.yml | 8 ++-- .../proc_creation_win_apt_gallium_iocs.yml | 10 ++--- .../GALLIUM/win_dns_analytic_apt_gallium.yml | 10 ++--- .../proc_creation_win_apt_greenbug_may20.yml | 10 ++--- ...reation_win_apt_lazarus_group_activity.yml | 8 ++-- .../registry_event_apt_leviathan.yml | 6 +-- .../proc_creation_win_apt_unc2452_cmds.yml | 6 +-- .../proc_creation_win_apt_unc2452_ps.yml | 6 +-- ...ation_win_apt_unc2452_vbscript_pattern.yml | 6 +-- .../web_solarwinds_supernova_webshell.yml | 6 +-- .../proc_creation_win_apt_taidoor.yml | 6 +-- ...c_creation_win_apt_winnti_mal_hk_jan20.yml | 8 ++-- .../proc_creation_win_apt_winnti_pipemon.yml | 8 ++-- .../av_printernightmare_cve_2021_34527.yml | 6 +-- ...e_event_win_cve_2021_1675_printspooler.yml | 
12 +++--- ...win_exploit_cve_2021_1675_printspooler.yml | 8 ++-- ...cve_2021_1675_printspooler_operational.yml | 8 ++-- ...it_cve_2021_1675_printspooler_security.yml | 10 ++--- ...web_cve_2021_2109_weblogic_rce_exploit.yml | 10 ++--- ..._2021_21972_vsphere_unauth_rce_exploit.yml | 10 ++--- ...2021_21978_vmware_view_planner_exploit.yml | 10 ++--- .../web_cve_2021_22005_vmware_file_upload.yml | 10 ++--- .../web_cve_2021_22123_fortinet_exploit.yml | 10 ++--- ...ve_2021_22893_pulse_secure_rce_exploit.yml | 10 ++--- ...it_cve_2021_26084_atlassian_confluence.yml | 10 ++--- ..._cve_2021_26084_confluence_rce_exploit.yml | 10 ++--- .../web_cve_2021_26814_wzuh_rce.yml | 12 +++--- ..._win_exploit_cve_2021_26857_msexchange.yml | 8 ++-- ...le_event_win_cve_2021_26858_msexchange.yml | 8 ++-- .../web_cve_2021_26858_iis_rce.yml | 10 ++--- ...web_cve_2021_27905_apache_solr_exploit.yml | 10 ++--- .../web_cve_2021_28480_exchange_exploit.yml | 10 ++--- ...b_cve_2021_33766_msexchange_proxytoken.yml | 10 ++--- ...ation_win_exploit_cve_2021_35211_servu.yml | 8 ++-- .../file_event_win_exploit_cve_2021_40444.yml | 8 ++-- ...oc_creation_win_exploit_cve_2021_40444.yml | 8 ++-- ..._2021_40444_office_directory_traversal.yml | 10 ++--- .../web_cve_2021_40539_adselfservice.yml | 10 ++--- ...539_manageengine_adselfservice_exploit.yml | 10 ++--- .../file_event_win_cve_2021_41379_msi_lpe.yml | 8 ++-- ...oc_creation_win_exploit_cve_2021_41379.yml | 10 ++--- .../CVE-2021-41379/win_vul_cve_2021_41379.yml | 8 ++-- ...b_cve_2021_41773_apache_path_traversal.yml | 10 ++--- ...eb_cve_2021_42237_sitecore_report_ashx.yml | 10 ++--- .../win_system_exploit_cve_2021_42278.yml | 10 ++--- ...samaccountname_spoofing_cve_2021_42287.yml | 10 ++--- .../web_cve_2021_43798_grafana.yml | 10 ++--- ...t_win_cve_2021_44077_poc_default_files.yml | 6 +-- .../web_cve_2021_44228_log4j.yml | 8 ++-- .../web_cve_2021_44228_log4j_fields.yml | 10 ++--- .../web_exchange_proxyshell.yml | 8 ++-- 
.../web_exchange_proxyshell_successful.yml | 8 ++-- ...n_win_exploit_other_razorinstaller_lpe.yml | 8 ++-- ...tion_win_exploit_other_systemnightmare.yml | 8 ++-- .../web_sonicwall_jarrewrite_exploit.yml | 8 ++-- ...cve_2021_31979_cve_2021_33771_exploits.yml | 12 +++--- ...cve_2021_31979_cve_2021_33771_exploits.yml | 12 +++--- ...090_2021_20091_arcadyan_router_exploit.yml | 12 +++--- .../Exploits/win_exchange_cve_2021_42321.yml | 8 ++-- ...ation_win_malware_blackbyte_ransomware.yml | 8 ++-- .../Conti/proc_creation_win_malware_conti.yml | 6 +-- .../proc_creation_win_malware_conti_7zip.yml | 6 +-- ..._win_malware_conti_ransomware_commands.yml | 6 +-- ...malware_conti_ransomware_database_dump.yml | 6 +-- ...eation_win_malware_darkside_ransomware.yml | 4 +- ...ent_win_malware_devil_bait_script_drop.yml | 6 +-- ...win_malware_devil_bait_output_redirect.yml | 6 +-- ...xy_malware_devil_bait_c2_communication.yml | 8 ++-- .../image_load_malware_foggyweb_nobelium.yml | 8 ++-- ...alware_goofy_guineapig_file_indicators.yml | 6 +-- ...win_malware_goofy_guineapig_broken_cmd.yml | 4 +- ...g_googleupdate_uncommon_child_instance.yml | 6 +-- ...lware_goofy_gunieapig_c2_communication.yml | 6 +-- ...re_goofy_guineapig_service_persistence.yml | 4 +- .../file_event_win_moriya_rootkit.yml | 8 ++-- ...le_event_win_malware_pingback_backdoor.yml | 6 +-- .../image_load_malware_pingback_backdoor.yml | 6 +-- ...creation_win_malware_pingback_backdoor.yml | 6 +-- ...t_win_malware_small_sieve_evasion_typo.yml | 6 +-- ...eation_win_malware_small_sieve_cli_arg.yml | 4 +- ...are_small_sieve_telegram_communication.yml | 6 +-- ...y_set_malware_small_sieve_evasion_typo.yml | 6 +-- .../HAFNIUM/proc_creation_win_apt_hafnium.yml | 6 +-- .../web_exchange_exploitation_hafnium.yml | 8 ++-- .../proc_creation_win_apt_revil_kaseya.yml | 6 +-- .../image_load_usp_svchost_clfsw32.yml | 10 ++--- .../proc_creation_win_apt_sourgrum.yml | 8 ++-- .../web_unc2546_dewmode_php_webshell.yml | 6 +-- 
...win_exploit_cve_2023_21554_queuejumper.yml | 8 ++-- .../web_cve_2022_21587_oracle_ebs.yml | 8 ++-- .../file_event_win_cve_2022_24527_lpe.yml | 8 ++-- ...2022_26809_rpcss_child_process_anomaly.yml | 10 ++--- .../web_cve_2022_27925_exploit.yml | 10 ++--- ...eation_win_exploit_cve_2022_29072_7zip.yml | 8 ++-- ...et_exploit_cve_2022_30190_msdt_follina.yml | 6 +-- .../web_cve_2022_31656_auth_bypass.yml | 10 ++--- .../web_cve_2022_31659_vmware_rce.yml | 10 ++--- ...22_33891_spark_shell_command_injection.yml | 10 ++--- ..._atlassian_bitbucket_command_injection.yml | 10 ++--- ...22_36804_exchange_owassrf_exploitation.yml | 4 +- ...6804_exchange_owassrf_poc_exploitation.yml | 4 +- ...22_36804_exchange_owassrf_exploitation.yml | 8 ++-- ...6804_exchange_owassrf_poc_exploitation.yml | 8 ++-- ..._win_exploit_cve_2022_41120_sysmon_eop.yml | 10 ++--- ...cve_2022_42475_exploitation_indicators.yml | 8 ++-- ...eb_cve_2022_44877_exploitation_attempt.yml | 8 ++-- ..._2022_46169_cacti_exploitation_attempt.yml | 10 ++--- ...re_bluesky_ransomware_files_indicators.yml | 4 +- ...te_remote_thread_win_malware_bumblebee.yml | 6 +-- ...on_win_malware_hermetic_wiper_activity.yml | 8 ++-- ...raspberry_robin_single_dot_ending_file.yml | 6 +-- .../2022/Malware/win_mssql_sp_maggie.yml | 6 +-- ..._creation_win_apt_actinium_persistence.yml | 6 +-- .../MERCURY/proc_creation_win_apt_mercury.yml | 6 +-- ...h_command_injection_tplink_archer_ax21.yml | 8 ++-- ...co_syslog_cve_2023_20198_ios_xe_web_ui.yml | 8 ++-- ..._2023_22518_confluence_java_child_proc.yml | 8 ++-- ...023_22518_confluence_tomcat_child_proc.yml | 8 ++-- ..._cve_2023_22518_confluence_auth_bypass.yml | 8 ++-- ..._cve_2023_22518_confluence_auth_bypass.yml | 8 ++-- ...2023_2283_libssh_authentication_bypass.yml | 8 ++-- ...ve_2023_23397_outlook_reminder_trigger.yml | 8 ++-- ...e_2023_23397_outlook_remote_file_query.yml | 12 +++--- ...oit_cve_2023_23397_outlook_remote_file.yml | 8 ++-- ..._cve_2023_23752_joomla_exploit_attempt.yml | 8 ++-- 
...cve_2023_25157_geoserver_sql_injection.yml | 8 ++-- ..._ruckus_wireless_admin_exploit_attempt.yml | 8 ++-- ...ile_event_win_cve_2023_27363_foxit_rce.yml | 6 +-- ..._cve_2023_27997_pre_authentication_rce.yml | 8 ++-- ...exploit_cve_2023_34362_moveit_transfer.yml | 10 ++--- ...e_2023_34362_known_payload_request.yml.yml | 8 ++-- ...exploit_cve_2023_36874_report_creation.yml | 6 +-- ...exploit_cve_2023_36874_wermgr_creation.yml | 8 ++-- ...win_exploit_cve_2023_36874_fake_wermgr.yml | 6 +-- ..._office_windows_html_rce_file_patterns.yml | 8 ++-- ...cve_2023_36884_office_windows_html_rce.yml | 8 ++-- ...html_rce_extenstion_ip_pattern_traffic.yml | 8 ++-- ..._36884_office_windows_html_rce_traffic.yml | 8 ++-- ...ce_windows_html_rce_url_marker_traffic.yml | 8 ++-- ..._windows_html_rce_share_access_pattern.yml | 8 ++-- ..._cve_2023_38331_winrar_susp_double_ext.yml | 6 +-- ...ploit_cve_2023_38831_winrar_child_proc.yml | 8 ++-- ...t_cve_2023_40477_winrar_rev_file_abuse.yml | 6 +-- ...on_exploit_cve_2023_40477_winrar_crash.yml | 6 +-- ...43261_milesight_information_disclosure.yml | 10 ++--- ...43261_milesight_information_disclosure.yml | 10 ++--- ...b_cve_2023_46214_rce_splunk_enterprise.yml | 8 ++-- ...e_2023_46214_rce_splunk_enterprise_poc.yml | 8 ++-- ...ve_2023_46747_f5_remote_code_execution.yml | 8 ++-- ...ve_2023_46747_f5_remote_code_execution.yml | 8 ++-- ...nsitive_information_disclosure_exploit.yml | 8 ++-- ...information_disclosure_exploit_attempt.yml | 8 ++-- ...nsitive_information_disclosure_exploit.yml | 8 ++-- ...information_disclosure_exploit_attempt.yml | 8 ++-- ...loit_other_win_server_undocumented_rce.yml | 6 +-- .../Exploits/win_msmq_corrupted_packet.yml | 4 +- ...vent_win_malware_coldsteel_renamed_cmd.yml | 6 +-- ...malware_coldsteel_service_dll_creation.yml | 6 +-- ...ware_coldsteel_persistence_service_dll.yml | 6 +-- ...in_malware_coldsteel_anonymous_process.yml | 6 +-- ...creation_win_malware_coldsteel_cleanup.yml | 6 +-- 
..._malware_coldsteel_service_persistence.yml | 6 +-- ...ry_set_malware_coldsteel_created_users.yml | 6 +-- ..._malware_coldsteel_persistence_service.yml | 6 +-- ...lware_darkgate_autoit3_binary_creation.yml | 6 +-- ..._autoit3_from_susp_parent_and_location.yml | 4 +- ...win_malware_darkgate_net_user_creation.yml | 6 +-- ..._creation_win_malware_griffon_patterns.yml | 4 +- ...ware_icedid_rundll32_dllregisterserver.yml | 6 +-- ..._win_malware_pikabot_rundll32_activity.yml | 8 ++-- ...re_pikabot_combined_commands_execution.yml | 4 +- ...creation_win_malware_pikabot_discovery.yml | 6 +-- ...win_malware_pikabot_rundll32_hollowing.yml | 8 ++-- ...re_pikabot_rundll32_uncommon_extension.yml | 6 +-- ...n_malware_qakbot_regsvr32_calc_pattern.yml | 8 ++-- ..._win_malware_qakbot_rundll32_execution.yml | 6 +-- ...on_win_malware_qakbot_rundll32_exports.yml | 8 ++-- ...are_qakbot_rundll32_fake_dll_execution.yml | 6 +-- ...win_malware_qakbot_uninstaller_cleanup.yml | 6 +-- ...alware_rhadamanthys_stealer_dll_launch.yml | 8 ++-- ..._malware_rorschach_ransomware_activity.yml | 8 ++-- ...in_malware_snake_encrypted_payload_ioc.yml | 4 +- ...event_win_malware_snake_installers_ioc.yml | 4 +- ...nt_win_malware_snake_werfault_creation.yml | 6 +-- ...n_win_malware_snake_installer_cli_args.yml | 4 +- ...ation_win_malware_snake_installer_exec.yml | 4 +- ...on_win_malware_snake_service_execution.yml | 4 +- ...y_event_malware_snake_covert_store_key.yml | 4 +- ...gistry_set_malware_snake_encrypted_key.yml | 6 +-- ...stem_malware_snake_persistence_service.yml | 4 +- ...win_malware_socgholish_second_stage_c2.yml | 6 +-- .../dns_query_win_malware_3cx_compromise.yml | 8 ++-- ...e_load_malware_3cx_compromise_susp_dll.yml | 6 +-- ...ware_3cx_compromise_beaconing_activity.yml | 8 ++-- ...n_win_malware_3cx_compromise_execution.yml | 8 ++-- ...n_malware_3cx_compromise_susp_children.yml | 6 +-- ...win_malware_3cx_compromise_susp_update.yml | 6 +-- ...ware_3cx_compromise_c2_beacon_activity.yml | 8 ++-- 
...lware_3cx_compromise_susp_ico_requests.yml | 6 +-- ...ad_apt_cozy_bear_graphical_proton_dlls.yml | 4 +- ...ity_apt_cozy_bear_scheduled_tasks_name.yml | 2 +- ..._cozy_bear_graphical_proton_task_names.yml | 2 +- ...query_win_apt_diamond_steel_indicators.yml | 6 +-- ...event_win_apt_diamond_sleet_indicators.yml | 4 +- ...image_load_apt_diamond_sleet_side_load.yml | 6 +-- ...ation_win_apt_diamond_sleet_indicators.yml | 4 +- ...event_apt_diamond_sleet_scheduled_task.yml | 6 +-- ...urity_apt_diamond_sleet_scheduled_task.yml | 6 +-- ...t_equation_group_triangulation_c2_coms.yml | 6 +-- ...t_equation_group_triangulation_c2_coms.yml | 6 +-- ...7_powershell_scripts_naming_convention.yml | 4 +- .../TA/FIN7/posh_ps_apt_fin7_powerhold.yml | 4 +- .../posh_ps_apt_fin7_powertrash_execution.yml | 4 +- ...n_apt_fin7_powertrash_lateral_movement.yml | 4 +- ..._event_win_apt_lace_tempest_indicators.yml | 4 +- ...posh_ps_apt_lace_tempest_eraser_script.yml | 4 +- ...h_ps_apt_lace_tempest_malware_launcher.yml | 4 +- ...pt_lace_tempest_cobalt_strike_download.yml | 4 +- ..._win_apt_lace_tempest_loader_execution.yml | 4 +- ...ge_load_apt_lazarus_side_load_activity.yml | 8 ++-- ...storm_aspera_faspex_susp_child_process.yml | 6 +-- ...int_sandstorm_log4j_wstomcat_execution.yml | 6 +-- ...storm_manage_engine_susp_child_process.yml | 6 +-- ...ation_win_apt_mustang_panda_indicators.yml | 4 +- .../okta_apt_suspicious_user_creation.yml | 6 +-- ...le_event_win_apt_onyx_sleet_indicators.yml | 4 +- ...int_management_exploitation_indicators.yml | 4 +- ...t_print_management_exploitation_pc_app.yml | 6 +-- ...ion_win_apt_peach_sandstorm_indicators.yml | 4 +- ...h_sandstorm_falsefont_backdoor_c2_coms.yml | 6 +-- ...ent_lnx_apt_unc4841_exfil_mail_pattern.yml | 6 +-- ..._event_lnx_apt_unc4841_file_indicators.yml | 6 +-- ...ion_lnx_apt_unc4841_openssl_connection.yml | 6 +-- ..._wget_download_compressed_file_tmep_sh.yml | 6 +-- ...4841_wget_download_tar_files_direct_ip.yml | 6 +-- 
...ation_lnx_atp_unc4841_seaspy_execution.yml | 4 +- .../web_exploit_cve_2024_1212_.yml | 6 +-- ...in_exploit_cve_2024_1708_screenconnect.yml | 4 +- ...ty_exploit_cve_2024_1708_screenconnect.yml | 6 +-- ...er_database_modification_screenconnect.yml | 4 +- ...eb_exploit_cve_2024_1709_screenconnect.yml | 6 +-- ...er_database_modification_screenconnect.yml | 6 +-- ...ploit_cve_2024_3094_sshd_child_process.yml | 6 +-- ...2024_3400_command_inject_file_creation.yml | 6 +-- ...xploit_cve_2024_3400_command_injection.yml | 12 +++--- ..._2024_37085_esxi_admins_group_creation.yml | 6 +-- ...ploit_cve_2024_37085_esxi_admins_group.yml | 6 +-- ...ad_malware_csharp_streamer_dotnet_load.yml | 4 +- ...win_malware_darkgate_autoit3_save_temp.yml | 2 +- ...malware_kamikakabot_lnk_lure_execution.yml | 4 +- ...lware_kamikakabot_schtasks_persistence.yml | 4 +- ...lware_kamikakabot_winlogon_persistence.yml | 4 +- ...aspberry_robin_side_load_aclui_oleview.yml | 8 ++-- ...ry_robin_rundll32_shell32_cpl_exection.yml | 6 +-- ...robin_internet_settings_zonemap_tamper.yml | 6 +-- ...win_malware_kapeka_backdoor_indicators.yml | 4 +- ...image_load_malware_kapeka_backdoor_wll.yml | 4 +- ...in_malware_kapeka_backdoor_persistence.yml | 2 +- ...are_kapeka_backdoor_rundll32_execution.yml | 4 +- ...re_kapeka_backdoor_autorun_persistence.yml | 2 +- ..._malware_kapeka_backdoor_configuration.yml | 4 +- ...apeka_backdoor_scheduled_task_creation.yml | 4 +- ...s_query_win_apt_dprk_malicious_domains.yml | 6 +-- ...n_win_apt_fin7_exploitation_indicators.yml | 2 +- ...event_win_apt_forest_blizzard_activity.yml | 6 +-- ...win_apt_forest_blizzard_constrained_js.yml | 4 +- ...ation_win_apt_forest_blizzard_activity.yml | 6 +-- ...orest_blizzard_custom_protocol_handler.yml | 2 +- ...t_blizzard_custom_protocol_handler_dll.yml | 2 +- ...in_apt_unknown_exploitation_indicators.yml | 4 +- ...count_created_deleted_nonapproved_user.yml | 6 +-- .../azure_ad_account_signin_outside_hours.yml | 4 +- 
.../azure_privileged_account_no_saw_paw.yml | 8 ++-- ...ileged_account_sigin_expected_controls.yml | 6 +-- ...rivileged_account_signin_outside_hours.yml | 4 +- .../security/win_security_admin_logon.yml | 10 ++--- .../win_security_exploit_cve_2020_1472.yml | 8 ++-- .../win_security_potential_pass_the_hash.yml | 6 +-- ...ity_remote_registry_management_via_reg.yml | 8 ++-- .../win_security_susp_interactive_logons.yml | 6 +-- ...on_win_susp_rdp_from_domain_controller.yml | 4 +- ...on_win_userdomain_variable_enumeration.yml | 4 +- ...soft365_susp_email_forwarding_activity.yml | 4 +- .../okta_password_health_report_query.yml | 6 +-- ...nt_lnx_python_path_configuration_files.yml | 4 +- ..._macos_python_path_configuration_files.yml | 4 +- .../proc_creation_macos_pbpaste_execution.yml | 6 +-- .../proxy_susp_class_extension_request.yml | 8 ++-- .../win_firewall_as_change_rule.yml | 8 ++-- .../win_security_scheduled_task_deletion.yml | 8 ++-- .../create_remote_thread_win_loadlibrary.yml | 8 ++-- ...e_remote_thread_win_powershell_generic.yml | 6 +-- ..._win_browsers_chromium_sensitive_files.yml | 6 +-- .../file_access_win_browsers_credential.yml | 8 ++-- ...ess_win_office_outlook_mail_credential.yml | 8 ++-- ...s_win_susp_gpo_access_uncommon_process.yml | 6 +-- .../file_access_win_susp_reg_and_hive.yml | 8 ++-- .../file_access_win_susp_unattend_xml.yml | 6 +-- .../file_delete_win_zone_identifier_ads.yml | 6 +-- .../file_event_win_dump_file_creation.yml | 6 +-- ...nt_win_python_path_configuration_files.yml | 4 +- ...file_event_win_scheduled_task_creation.yml | 6 +-- .../file_event_win_susp_binary_dropper.yml | 8 ++-- ...ile_event_win_vscode_tunnel_indicators.yml | 6 +-- ...file_event_win_webdav_tmpfile_creation.yml | 6 +-- .../file_rename_win_non_dll_to_dll_ext.yml | 8 ++-- .../image_load_dll_amsi_uncommon_process.yml | 8 ++-- ...age_load_dll_dbghelp_dbgcore_susp_load.yml | 8 ++-- .../image_load_dll_system_drawing_load.yml | 6 +-- .../image_load_office_excel_xll_load.yml | 4 +- 
.../image_load_office_word_wll_load.yml | 4 +- ...ad_wmi_module_load_by_uncommon_process.yml | 6 +-- .../net_connection_win_dfsvc_non_local_ip.yml | 6 +-- ...et_connection_win_dfsvc_uncommon_ports.yml | 4 +- ...et_connection_win_dllhost_non_local_ip.yml | 8 ++-- .../net_connection_win_hh_http_connection.yml | 6 +-- .../net_connection_win_msiexec_http.yml | 8 ++-- ...tion_win_powershell_network_connection.yml | 6 +-- ...ction_win_susp_initaited_public_folder.yml | 6 +-- ...eated_sysinternals_psexec_default_pipe.yml | 6 +-- .../posh_pc_alternate_powershell_hosts.yml | 6 +-- .../posh_pm_susp_netfirewallrule_recon.yml | 4 +- .../posh_ps_compress_archive_usage.yml | 6 +-- .../posh_ps_mailbox_access.yml | 6 +-- .../posh_ps_new_netfirewallrule_allow.yml | 6 +-- .../posh_ps_new_smbmapping_quic.yml | 6 +-- .../posh_ps_registry_reconnaissance.yml | 4 +- .../posh_ps_remove_item_path.yml | 8 ++-- .../posh_ps_win_api_functions_access.yml | 4 +- .../posh_ps_win_api_library_access.yml | 4 +- ...roc_access_win_lsass_powershell_access.yml | 10 ++--- ...c_access_win_lsass_susp_source_process.yml | 6 +-- ..._access_win_lsass_uncommon_access_flag.yml | 10 ++--- ...win_susp_potential_shellcode_injection.yml | 10 ++--- ..._creation_win_7zip_password_extraction.yml | 6 +-- .../proc_creation_win_attrib_system.yml | 8 ++-- .../proc_creation_win_boinc_execution.yml | 4 +- .../proc_creation_win_cmd_redirect.yml | 6 +-- ...reation_win_conhost_headless_execution.yml | 4 +- .../proc_creation_win_csc_compilation.yml | 6 +-- .../proc_creation_win_curl_download.yml | 8 ++-- .../proc_creation_win_curl_execution.yml | 8 ++-- .../proc_creation_win_curl_fileupload.yml | 6 +-- .../proc_creation_win_curl_useragent.yml | 8 ++-- ...roc_creation_win_dfsvc_child_processes.yml | 6 +-- ..._creation_win_diskshadow_child_process.yml | 6 +-- ...oc_creation_win_diskshadow_script_mode.yml | 8 ++-- ...on_win_explorer_child_of_shell_process.yml | 8 ++-- ...oc_creation_win_findstr_password_recon.yml | 6 +-- 
.../proc_creation_win_iexpress_execution.yml | 6 +-- ...proc_creation_win_mode_codepage_change.yml | 6 +-- .../proc_creation_win_net_execution.yml | 8 ++-- .../proc_creation_win_net_quic.yml | 6 +-- ...roc_creation_win_office_svchost_parent.yml | 8 ++-- ...n_powershell_abnormal_commandline_size.yml | 6 +-- ...eation_win_powershell_crypto_namespace.yml | 6 +-- ..._creation_win_powershell_import_module.yml | 6 +-- ...n_powershell_new_netfirewallrule_allow.yml | 2 +- ...on_win_powershell_susp_child_processes.yml | 6 +-- ...on_win_regsvr32_dllregisterserver_exec.yml | 6 +-- ..._access_tools_screenconnect_child_proc.yml | 6 +-- .../proc_creation_win_rundll32_by_ordinal.yml | 8 ++-- ...reation_win_rundll32_dllregisterserver.yml | 6 +-- .../proc_creation_win_sc_query.yml | 6 +-- ...win_schtasks_creation_from_susp_parent.yml | 6 +-- ...c_creation_win_susp_compression_params.yml | 6 +-- ...reation_win_susp_elevated_system_shell.yml | 8 ++-- ...proc_creation_win_susp_event_log_query.yml | 8 ++-- ..._susp_execution_from_guid_folder_names.yml | 8 ++-- ...tion_win_susp_execution_path_webserver.yml | 6 +-- ...usp_exfil_and_tunneling_tool_execution.yml | 8 ++-- ...win_susp_file_permission_modifications.yml | 8 ++-- .../proc_creation_win_taskkill_execution.yml | 6 +-- ..._creation_win_tasklist_basic_execution.yml | 6 +-- ...oc_creation_win_wmic_recon_system_info.yml | 4 +- ...eation_win_wscript_cscript_script_exec.yml | 8 ++-- ...registry_event_scheduled_task_creation.yml | 6 +-- .../registry_set_office_trusted_location.yml | 8 ++-- ...gistry_set_powershell_crypto_namespace.yml | 6 +-- ...vice_image_path_user_controlled_folder.yml | 10 ++--- ...istry_set_shell_context_menu_tampering.yml | 4 +- .../django/appframework_django_exceptions.yml | 6 +-- ...va_jndi_injection_exploitation_attempt.yml | 4 +- .../application/jvm/java_local_file_read.yml | 4 +- ...va_ognl_injection_exploitation_attempt.yml | 8 ++-- .../jvm/java_rce_exploitation_attempt.yml | 4 +- 
.../jvm/java_xxe_exploitation_attempt.yml | 4 +- ...etes_audit_change_admission_controller.yml | 4 +- .../kubernetes_audit_cronjob_modification.yml | 4 +- .../kubernetes_audit_deployment_deleted.yml | 2 +- .../audit/kubernetes_audit_events_deleted.yml | 2 +- .../kubernetes_audit_exec_into_container.yml | 2 +- .../audit/kubernetes_audit_hostpath_mount.yml | 2 +- ...bernetes_audit_pod_in_system_namespace.yml | 2 +- ...bernetes_audit_privileged_pod_creation.yml | 2 +- ...bernetes_audit_rbac_permisions_listing.yml | 2 +- ...ernetes_audit_rolebinding_modification.yml | 4 +- .../kubernetes_audit_secrets_enumeration.yml | 2 +- ...etes_audit_secrets_modified_or_deleted.yml | 4 +- ...bernetes_audit_serviceaccount_creation.yml | 2 +- .../kubernetes_audit_sidecar_injection.yml | 2 +- ...t_unauthorized_unauthenticated_actions.yml | 4 +- .../nodejs_rce_exploitation_attempt.yml | 4 +- .../opencanary_ftp_login_attempt.yml | 4 +- .../opencanary_git_clone_request.yml | 2 +- .../opencanary/opencanary_http_get.yml | 4 +- .../opencanary_http_post_login_attempt.yml | 4 +- .../opencanary_httpproxy_login_attempt.yml | 6 +-- .../opencanary_mssql_login_sqlauth.yml | 4 +- .../opencanary_mssql_login_winauth.yml | 4 +- .../opencanary_mysql_login_attempt.yml | 4 +- .../opencanary/opencanary_ntp_monlist.yml | 2 +- .../opencanary/opencanary_redis_command.yml | 4 +- .../opencanary/opencanary_sip_request.yml | 2 +- .../opencanary/opencanary_smb_file_open.yml | 4 +- .../opencanary/opencanary_snmp_cmd.yml | 4 +- .../opencanary_ssh_login_attempt.yml | 6 +-- .../opencanary_ssh_new_connection.yml | 6 +-- .../opencanary_telnet_login_attempt.yml | 6 +-- .../opencanary/opencanary_tftp_request.yml | 2 +- .../opencanary_vnc_connection_attempt.yml | 4 +- .../python/app_python_sql_exceptions.yml | 6 +-- .../rpc_firewall_atsvc_lateral_movement.yml | 6 +-- .../rpc_firewall/rpc_firewall_atsvc_recon.yml | 4 +- .../rpc_firewall_dcsync_attack.yml | 4 +- .../rpc_firewall/rpc_firewall_efs_abuse.yml | 6 +-- 
.../rpc_firewall_eventlog_recon.yml | 4 +- ...itaskschedulerservice_lateral_movement.yml | 6 +-- ...c_firewall_itaskschedulerservice_recon.yml | 4 +- ...rpc_firewall_printing_lateral_movement.yml | 6 +-- .../rpc_firewall_remote_dcom_or_wmi.yml | 6 +-- ...ewall_remote_registry_lateral_movement.yml | 6 +-- .../rpc_firewall_remote_registry_recon.yml | 4 +- ...c_firewall_remote_server_service_abuse.yml | 6 +-- ...rewall_remote_service_lateral_movement.yml | 6 +-- .../rpc_firewall_sasec_lateral_movement.yml | 6 +-- .../rpc_firewall/rpc_firewall_sasec_recon.yml | 4 +- .../rpc_firewall_sharphound_recon_account.yml | 4 +- ...rpc_firewall_sharphound_recon_sessions.yml | 4 +- .../appframework_ruby_on_rails_exceptions.yml | 6 +-- .../spring/spring_application_exceptions.yml | 6 +-- .../spring/spring_spel_injection.yml | 4 +- .../sql/app_sqlinjection_errors.yml | 6 +-- .../velocity/velocity_ssti_injection.yml | 4 +- rules/category/antivirus/av_exploiting.yml | 6 +-- rules/category/antivirus/av_hacktool.yml | 4 +- .../category/antivirus/av_password_dumper.yml | 6 +-- rules/category/antivirus/av_ransomware.yml | 4 +- .../category/antivirus/av_relevant_files.yml | 6 +-- rules/category/antivirus/av_webshell.yml | 4 +- .../category/database/db_anomalous_query.yml | 6 +-- .../aws_attached_malicious_lambda_layer.yml | 6 +-- .../aws_cloudtrail_disable_logging.yml | 6 +-- .../aws_cloudtrail_imds_malicious_usage.yml | 6 +-- .../aws_cloudtrail_new_acl_entries.yml | 4 +- .../aws_cloudtrail_new_route_added.yml | 4 +- ...l_security_group_change_ingress_egress.yml | 4 +- ...ail_security_group_change_loadbalancer.yml | 4 +- ...s_cloudtrail_security_group_change_rds.yml | 4 +- .../aws_cloudtrail_ssm_malicious_usage.yml | 4 +- .../aws_config_disable_recording.yml | 6 +-- .../cloudtrail/aws_console_getsignintoken.yml | 4 +- .../aws/cloudtrail/aws_delete_identity.yml | 6 +-- .../aws_disable_bucket_versioning.yml | 2 +- .../cloudtrail/aws_ec2_disable_encryption.yml | 4 +- 
.../aws_ec2_startup_script_change.yml | 4 +- .../cloudtrail/aws_ec2_vm_export_failure.yml | 4 +- ...cs_task_definition_cred_endpoint_query.yml | 4 +- .../aws_efs_fileshare_modified_or_deleted.yml | 4 +- ...fs_fileshare_mount_modified_or_deleted.yml | 4 +- .../aws_eks_cluster_created_or_deleted.yml | 4 +- ...aws_elasticache_security_group_created.yml | 4 +- ...che_security_group_modified_or_deleted.yml | 4 +- .../cloud/aws/cloudtrail/aws_enum_buckets.yml | 4 +- .../cloudtrail/aws_guardduty_disruption.yml | 6 +-- .../aws_iam_backdoor_users_keys.yml | 4 +- ...ws_iam_s3browser_loginprofile_creation.yml | 2 +- ...er_templated_s3_bucket_policy_creation.yml | 4 +- ...m_s3browser_user_or_accesskey_creation.yml | 2 +- ...ssed_role_to_glue_development_endpoint.yml | 6 +-- .../aws_rds_change_master_password.yml | 4 +- .../cloudtrail/aws_rds_public_db_restore.yml | 4 +- .../aws/cloudtrail/aws_root_account_usage.yml | 6 +-- ...te_53_domain_transferred_lock_disabled.yml | 6 +-- ..._domain_transferred_to_another_account.yml | 6 +-- .../aws_s3_data_management_tampering.yml | 4 +- .../aws_securityhub_finding_evasion.yml | 4 +- .../aws_snapshot_backup_exfiltration.yml | 4 +- .../aws/cloudtrail/aws_sso_idp_change.yml | 2 +- .../cloudtrail/aws_sts_assumerole_misuse.yml | 8 ++-- .../aws_sts_getsessiontoken_misuse.yml | 8 ++-- .../aws/cloudtrail/aws_susp_saml_activity.yml | 10 ++--- .../cloudtrail/aws_update_login_profile.yml | 4 +- .../azure_aadhybridhealth_adfs_new_server.yml | 6 +-- ...re_aadhybridhealth_adfs_service_delete.yml | 6 +-- .../azure_ad_user_added_to_admin_role.yml | 6 +-- .../azure_app_credential_modification.yml | 4 +- .../azure_application_deleted.yml | 6 +-- ...pplication_gateway_modified_or_deleted.yml | 4 +- ...ion_security_group_modified_or_deleted.yml | 4 +- ..._container_registry_created_or_deleted.yml | 4 +- ...creating_number_of_resources_detection.yml | 4 +- ..._device_no_longer_managed_or_compliant.yml | 4 +- ...e_or_configuration_modified_or_deleted.yml | 4 
+- .../azure_dns_zone_modified_or_deleted.yml | 4 +- .../azure_firewall_modified_or_deleted.yml | 6 +-- ...ll_rule_collection_modified_or_deleted.yml | 6 +-- .../azure_granting_permission_detection.yml | 4 +- ...azure_keyvault_key_modified_or_deleted.yml | 6 +-- .../azure_keyvault_modified_or_deleted.yml | 6 +-- ...e_keyvault_secrets_modified_or_deleted.yml | 6 +-- .../azure_kubernetes_admission_controller.yml | 6 +-- ..._kubernetes_cluster_created_or_deleted.yml | 4 +- .../azure_kubernetes_cronjob.yml | 6 +-- .../azure_kubernetes_events_deleted.yml | 6 +-- ...azure_kubernetes_network_policy_change.yml | 6 +-- .../azure_kubernetes_pods_deleted.yml | 4 +- .../azure_kubernetes_role_access.yml | 4 +- ...rnetes_rolebinding_modified_or_deleted.yml | 6 +-- ...ernetes_secret_or_config_object_access.yml | 4 +- ...es_service_account_modified_or_deleted.yml | 4 +- .../activity_logs/azure_mfa_disabled.yml | 2 +- ...rk_firewall_policy_modified_or_deleted.yml | 6 +-- ...work_firewall_rule_modified_or_deleted.yml | 4 +- ...re_network_p2s_vpn_modified_or_deleted.yml | 4 +- ...e_network_security_modified_or_deleted.yml | 4 +- ...ork_virtual_device_modified_or_deleted.yml | 4 +- .../azure_new_cloudshell_created.yml | 4 +- ..._from_application_or_service_principal.yml | 6 +-- .../activity_logs/azure_rare_operations.yml | 4 +- .../azure_service_principal_created.yml | 6 +-- .../azure_service_principal_removed.yml | 6 +-- ...permissions_elevation_via_activitylogs.yml | 6 +-- .../azure_suppression_rule_created.yml | 4 +- ...re_virtual_network_modified_or_deleted.yml | 4 +- ...ure_vpn_connection_modified_or_deleted.yml | 4 +- ...d_secops_ca_policy_removedby_bad_actor.yml | 4 +- ...d_secops_ca_policy_updatedby_bad_actor.yml | 6 +-- ...secops_new_ca_policy_addedby_bad_actor.yml | 4 +- .../azure_ad_account_created_deleted.yml | 6 +-- .../azure_ad_bitlocker_key_retrieval.yml | 4 +- ...certificate_based_authencation_enabled.yml | 4 +- ..._ad_device_registration_policy_changes.yml | 6 +-- 
...ted_to_tenant_by_non_approved_inviters.yml | 4 +- .../audit_logs/azure_ad_new_root_ca_added.yml | 4 +- ...e_ad_users_added_to_device_admin_roles.yml | 6 +-- .../azure_app_appid_uri_changes.yml | 6 +-- .../audit_logs/azure_app_credential_added.yml | 2 +- ...re_app_delegated_permissions_all_users.yml | 4 +- .../audit_logs/azure_app_end_user_consent.yml | 4 +- .../azure_app_end_user_consent_blocked.yml | 4 +- .../audit_logs/azure_app_owner_added.yml | 4 +- .../audit_logs/azure_app_permissions_msft.yml | 4 +- .../azure_app_privileged_permissions.yml | 8 ++-- .../azure/audit_logs/azure_app_role_added.yml | 4 +- .../azure_app_uri_modifications.yml | 6 +-- ...zure_auditlogs_laps_credential_dumping.yml | 2 +- .../azure_change_to_authentication_method.yml | 8 ++-- .../audit_logs/azure_federation_modified.yml | 6 +-- ...re_group_user_addition_ca_modification.yml | 4 +- ...ure_group_user_removal_ca_modification.yml | 4 +- .../audit_logs/azure_guest_invite_failure.yml | 4 +- .../audit_logs/azure_guest_to_member.yml | 6 +-- .../azure_pim_activation_approve_deny.yml | 4 +- .../audit_logs/azure_pim_alerts_disabled.yml | 4 +- .../audit_logs/azure_pim_change_settings.yml | 4 +- .../azure_priviledged_role_assignment_add.yml | 6 +-- ...riviledged_role_assignment_bulk_change.yml | 2 +- .../azure_privileged_account_creation.yml | 6 +-- ...on_permissions_elevation_via_auditlogs.yml | 6 +-- .../azure/audit_logs/azure_tap_added.yml | 2 +- .../audit_logs/azure_user_password_change.yml | 4 +- ...re_identity_protection_anomalous_token.yml | 4 +- ...ure_identity_protection_anomalous_user.yml | 2 +- ...ntity_protection_anonymous_ip_activity.yml | 8 ++-- ...entity_protection_anonymous_ip_address.yml | 4 +- ...re_identity_protection_atypical_travel.yml | 8 ++-- ..._identity_protection_impossible_travel.yml | 8 ++-- ...ntity_protection_inbox_forwarding_rule.yml | 4 +- ...identity_protection_inbox_manipulation.yml | 4 +- ...identity_protection_leaked_credentials.yml | 2 +- 
...entity_protection_malicious_ip_address.yml | 4 +- ...ection_malicious_ip_address_suspicious.yml | 4 +- ..._identity_protection_malware_linked_ip.yml | 4 +- ..._identity_protection_new_coutry_region.yml | 8 ++-- ...ure_identity_protection_password_spray.yml | 4 +- .../azure_identity_protection_prt_access.yml | 4 +- ...identity_protection_suspicious_browser.yml | 8 ++-- ...azure_identity_protection_threat_intel.yml | 8 ++-- ...entity_protection_token_issuer_anomaly.yml | 4 +- ..._identity_protection_unfamilar_sign_in.yml | 8 ++-- .../azure_pim_account_stale.yml | 4 +- .../azure_pim_invalid_license.yml | 4 +- ...azure_pim_role_assigned_outside_of_pim.yml | 4 +- .../azure_pim_role_frequent_activation.yml | 4 +- .../azure_pim_role_no_mfa_required.yml | 4 +- .../azure_pim_role_not_used.yml | 4 +- .../azure_pim_too_many_global_admins.yml | 4 +- .../signin_logs/azure_account_lockout.yml | 6 +-- .../azure_ad_auth_failure_increase.yml | 4 +- .../azure_ad_auth_sucess_increase.yml | 6 +-- ...mportant_apps_using_single_factor_auth.yml | 4 +- ...om_countries_you_do_not_operate_out_of.yml | 6 +-- .../azure_ad_azurehound_discovery.yml | 2 +- ...evice_registration_or_join_without_mfa.yml | 4 +- ...om_countries_you_do_not_operate_out_of.yml | 6 +-- ...re_ad_only_single_factor_auth_required.yml | 6 +-- ..._singlefactorauth_from_unknown_devices.yml | 4 +- ..._ad_sign_ins_from_noncompliant_devices.yml | 4 +- ...azure_ad_sign_ins_from_unknown_devices.yml | 6 +-- ...ure_ad_suspicious_signin_bypassing_mfa.yml | 6 +-- .../azure_app_device_code_authentication.yml | 8 ++-- .../azure_app_ropc_authentication.yml | 8 ++-- .../azure_blocked_account_attempt.yml | 4 +- .../azure_conditional_access_failure.yml | 6 +-- .../azure_legacy_authentication_protocols.yml | 6 +-- .../azure_login_to_disabled_account.yml | 6 +-- .../azure/signin_logs/azure_mfa_denies.yml | 6 +-- .../signin_logs/azure_mfa_interrupted.yml | 8 ++-- ...re_unusual_authentication_interruption.yml | 6 +-- 
...er_login_blocked_by_conditional_access.yml | 8 ++-- ...thenticating_to_other_azure_ad_tenants.yml | 4 +- ...ucket_audit_full_data_export_triggered.yml | 2 +- ...dit_global_permissions_change_detected.yml | 4 +- ...it_global_secret_scanning_rule_deleted.yml | 4 +- ...it_global_ssh_settings_change_detected.yml | 6 +-- ...udit_log_configuration_update_detected.yml | 4 +- ...roject_secret_scanning_allowlist_added.yml | 4 +- ...et_scanning_exempt_repository_detected.yml | 4 +- ...ket_audit_secret_scanning_rule_deleted.yml | 4 +- ...ket_audit_unauthorized_access_detected.yml | 4 +- ...nauthorized_full_data_export_triggered.yml | 4 +- ...t_user_details_export_attempt_detected.yml | 2 +- ...cket_audit_user_login_failure_detected.yml | 6 +-- ...it_user_login_failure_via_ssh_detected.yml | 2 +- ...er_permissions_export_attempt_detected.yml | 2 +- .../cisco_duo_mfa_bypass_via_bypass_code.yml | 8 ++-- .../gcp/audit/gcp_access_policy_deleted.yml | 4 +- ...breakglass_container_workload_deployed.yml | 4 +- .../gcp/audit/gcp_bucket_enumeration.yml | 4 +- .../audit/gcp_bucket_modified_or_deleted.yml | 4 +- ...lp_re_identifies_sensitive_information.yml | 4 +- .../gcp_dns_zone_modified_or_deleted.yml | 4 +- .../gcp_firewall_rule_modified_or_deleted.yml | 6 +-- ...cp_full_network_traffic_packet_capture.yml | 4 +- .../gcp_kubernetes_admission_controller.yml | 6 +-- .../gcp/audit/gcp_kubernetes_cronjob.yml | 6 +-- .../gcp/audit/gcp_kubernetes_rolebinding.yml | 6 +-- ...kubernetes_secrets_modified_or_deleted.yml | 6 +-- ...cp_service_account_disabled_or_deleted.yml | 4 +- .../audit/gcp_service_account_modified.yml | 4 +- .../gcp_sql_database_modified_or_deleted.yml | 4 +- .../gcp_vpn_tunnel_modified_or_deleted.yml | 4 +- ...ace_application_access_levels_modified.yml | 4 +- .../gcp_gworkspace_application_removed.yml | 4 +- ...p_gworkspace_granted_domain_api_access.yml | 4 +- .../gcp_gworkspace_mfa_disabled.yml | 4 +- ...cp_gworkspace_role_modified_or_deleted.yml | 4 +- 
.../gcp_gworkspace_role_privilege_deleted.yml | 4 +- ...orkspace_user_granted_admin_privileges.yml | 4 +- .../github/github_delete_action_invoked.yml | 2 +- ...github_disable_high_risk_configuration.yml | 8 ++-- ...d_outdated_dependency_or_vulnerability.yml | 4 +- ..._fork_private_repos_enabled_or_cleared.yml | 2 +- rules/cloud/github/github_new_org_member.yml | 2 +- .../github/github_new_secret_created.yml | 8 ++-- .../github_outside_collaborator_detected.yml | 2 +- ...github_push_protection_bypass_detected.yml | 4 +- .../github_push_protection_disabled.yml | 4 +- .../github/github_repo_or_org_transferred.yml | 2 +- ...ithub_secret_scanning_feature_disabled.yml | 6 +-- ...ub_self_hosted_runner_changes_detected.yml | 8 ++-- .../github_ssh_certificate_config_changed.yml | 4 +- .../m365/audit/microsoft365_disabling_mfa.yml | 2 +- ...ft365_new_federated_domain_added_audit.yml | 2 +- ...65_new_federated_domain_added_exchange.yml | 2 +- .../microsoft365_from_susp_ip_addresses.yml | 6 +-- ...crosoft365_activity_by_terminated_user.yml | 4 +- ...5_activity_from_anonymous_ip_addresses.yml | 6 +-- ...ft365_activity_from_infrequent_country.yml | 6 +-- ..._data_exfiltration_to_unsanctioned_app.yml | 4 +- ...icrosoft365_impossible_travel_activity.yml | 6 +-- ...crosoft365_logon_from_risky_ip_address.yml | 6 +-- ...osoft365_potential_ransomware_activity.yml | 4 +- .../microsoft365_pst_export_alert.yml | 4 +- ...alert_using_new_compliancesearchaction.yml | 2 +- .../microsoft365_susp_inbox_forwarding.yml | 4 +- ...usp_oauth_app_file_download_activities.yml | 4 +- ...oft365_unusual_volume_of_file_deletion.yml | 4 +- ...365_user_restricted_from_sending_email.yml | 6 +-- .../okta_admin_activity_from_proxy_query.yml | 4 +- ...a_admin_role_assigned_to_user_or_group.yml | 4 +- .../okta_admin_role_assignment_created.yml | 2 +- rules/cloud/okta/okta_api_token_created.yml | 4 +- rules/cloud/okta/okta_api_token_revoked.yml | 4 +- .../okta_application_modified_or_deleted.yml | 4 +- 
...ion_sign_on_policy_modified_or_deleted.yml | 4 +- .../okta/okta_fastpass_phishing_detection.yml | 4 +- .../okta/okta_identity_provider_created.yml | 2 +- .../okta/okta_mfa_reset_or_deactivated.yml | 8 ++-- ...ta_network_zone_deactivated_or_deleted.yml | 4 +- .../okta_new_behaviours_admin_console.yml | 6 +-- .../okta_password_in_alternateid_field.yml | 6 +-- .../okta/okta_policy_modified_or_deleted.yml | 4 +- .../okta_policy_rule_modified_or_deleted.yml | 4 +- .../okta/okta_security_threat_detected.yml | 6 +-- ...kta_suspicious_activity_enduser_report.yml | 4 +- .../okta/okta_unauthorized_access_to_app.yml | 4 +- .../okta/okta_user_account_locked_out.yml | 4 +- rules/cloud/okta/okta_user_created.yml | 4 +- ...ser_session_start_via_anonymised_proxy.yml | 4 +- .../onelogin_assumed_another_user.yml | 4 +- .../onelogin/onelogin_user_account_locked.yml | 4 +- .../compliance/default_credentials_usage.yml | 4 +- rules/compliance/host_without_firewall.yml | 4 +- .../netflow_cleartext_protocols.yml | 6 +-- .../linux/auditd/lnx_auditd_audio_capture.yml | 4 +- .../lnx_auditd_auditing_config_change.yml | 6 +-- .../auditd/lnx_auditd_binary_padding.yml | 6 +-- .../lnx_auditd_bpfdoor_file_accessed.yml | 2 +- .../lnx_auditd_bpfdoor_port_redirect.yml | 4 +- .../lnx_auditd_capabilities_discovery.yml | 6 +-- .../lnx_auditd_change_file_time_attr.yml | 6 +-- .../lnx_auditd_chattr_immutable_removal.yml | 6 +-- .../lnx_auditd_clipboard_collection.yml | 4 +- .../lnx_auditd_clipboard_image_collection.yml | 4 +- rules/linux/auditd/lnx_auditd_coinminer.yml | 6 +-- .../auditd/lnx_auditd_create_account.yml | 4 +- .../auditd/lnx_auditd_data_compressed.yml | 4 +- .../auditd/lnx_auditd_data_exfil_wget.yml | 4 +- .../auditd/lnx_auditd_dd_delete_file.yml | 2 +- .../lnx_auditd_disable_system_firewall.yml | 4 +- .../lnx_auditd_file_or_folder_permissions.yml | 6 +-- .../auditd/lnx_auditd_find_cred_in_files.yml | 6 +-- .../lnx_auditd_hidden_binary_execution.yml | 4 +- 
.../lnx_auditd_hidden_files_directories.yml | 6 +-- ..._auditd_hidden_zip_files_steganography.yml | 6 +-- .../lnx_auditd_keylogging_with_pam_d.yml | 6 +-- .../auditd/lnx_auditd_ld_so_preload_mod.yml | 6 +-- .../auditd/lnx_auditd_load_module_insmod.yml | 6 +-- .../lnx_auditd_logging_config_change.yml | 6 +-- .../auditd/lnx_auditd_masquerading_crond.yml | 6 +-- .../lnx_auditd_modify_system_firewall.yml | 4 +- .../lnx_auditd_network_service_scanning.yml | 4 +- .../auditd/lnx_auditd_network_sniffing.yml | 6 +-- ..._scx_runasprovider_executeshellcommand.yml | 8 ++-- .../lnx_auditd_password_policy_discovery.yml | 4 +- .../auditd/lnx_auditd_pers_systemd_reload.yml | 4 +- .../lnx_auditd_screencapture_import.yml | 4 +- .../auditd/lnx_auditd_screencaputre_xwd.yml | 4 +- .../lnx_auditd_split_file_into_pieces.yml | 4 +- ...nx_auditd_steghide_embed_steganography.yml | 6 +-- ..._auditd_steghide_extract_steganography.yml | 6 +-- .../auditd/lnx_auditd_susp_c2_commands.yml | 6 +-- rules/linux/auditd/lnx_auditd_susp_cmds.yml | 4 +- .../auditd/lnx_auditd_susp_exe_folders.yml | 6 +-- .../lnx_auditd_susp_histfile_operations.yml | 6 +-- .../lnx_auditd_system_info_discovery.yml | 4 +- .../lnx_auditd_system_info_discovery2.yml | 4 +- .../lnx_auditd_system_shutdown_reboot.yml | 4 +- .../lnx_auditd_systemd_service_creation.yml | 4 +- ..._unix_shell_configuration_modification.yml | 6 +-- ...d_unzip_hidden_zip_files_steganography.yml | 6 +-- .../auditd/lnx_auditd_user_discovery.yml | 4 +- rules/linux/auditd/lnx_auditd_web_rce.yml | 4 +- ...auth_pwnkit_local_privilege_escalation.yml | 6 +-- .../clamav/lnx_clamav_relevant_message.yml | 4 +- .../lnx_cron_crontab_file_modification.yml | 2 +- .../lnx_guacamole_susp_guacamole.yml | 6 +-- .../builtin/lnx_apt_equationgroup_lnx.yml | 4 +- rules/linux/builtin/lnx_buffer_overflows.yml | 4 +- rules/linux/builtin/lnx_clear_syslog.yml | 4 +- rules/linux/builtin/lnx_file_copy.yml | 6 +-- .../builtin/lnx_ldso_preload_injection.yml | 6 +-- 
...nimbuspwn_privilege_escalation_exploit.yml | 6 +-- .../lnx_potential_susp_ebpf_activity.yml | 4 +- .../builtin/lnx_privileged_user_creation.yml | 2 +- .../builtin/lnx_shell_clear_cmd_history.yml | 6 +-- .../linux/builtin/lnx_shell_susp_commands.yml | 4 +- .../builtin/lnx_shell_susp_log_entries.yml | 4 +- .../builtin/lnx_shell_susp_rev_shells.yml | 4 +- rules/linux/builtin/lnx_shellshock.yml | 4 +- .../builtin/lnx_space_after_filename_.yml | 4 +- rules/linux/builtin/lnx_susp_dev_tcp.yml | 4 +- rules/linux/builtin/lnx_susp_jexboss.yml | 4 +- .../linux/builtin/lnx_symlink_etc_passwd.yml | 4 +- .../sshd/lnx_sshd_ssh_cve_2018_15473.yml | 4 +- .../linux/builtin/sshd/lnx_sshd_susp_ssh.yml | 6 +-- .../sudo/lnx_sudo_cve_2019_14287_user.yml | 8 ++-- ...syslog_security_tools_disabling_syslog.yml | 6 +-- .../builtin/syslog/lnx_syslog_susp_named.yml | 6 +-- .../vsftpd/lnx_vsftpd_susp_error_messages.yml | 6 +-- .../file_event_lnx_doas_conf_creation.yml | 6 +-- .../file_event_lnx_persistence_cron_files.yml | 4 +- ...le_event_lnx_persistence_sudoers_files.yml | 4 +- ...p_shell_script_under_profile_directory.yml | 2 +- ...ent_lnx_triple_cross_rootkit_lock_file.yml | 6 +-- ...t_lnx_triple_cross_rootkit_persistence.yml | 6 +-- ...vent_lnx_wget_download_file_in_tmp_dir.yml | 4 +- ..._connection_lnx_back_connect_shell_dev.yml | 4 +- ...onnection_lnx_crypto_mining_indicators.yml | 2 +- ...onnection_lnx_domain_localtonet_tunnel.yml | 4 +- .../net_connection_lnx_ngrok_tunnel.yml | 4 +- ...nection_lnx_susp_malware_callback_port.yml | 4 +- .../proc_creation_lnx_at_command.yml | 4 +- .../proc_creation_lnx_base64_decode.yml | 6 +-- .../proc_creation_lnx_base64_execution.yml | 6 +-- .../proc_creation_lnx_base64_shebang_cli.yml | 4 +- ...oc_creation_lnx_bash_interactive_shell.yml | 2 +- ...creation_lnx_bpf_kprob_tracing_enabled.yml | 4 +- ...ation_lnx_bpftrace_unsafe_option_usage.yml | 2 +- .../proc_creation_lnx_capa_discovery.yml | 4 +- .../proc_creation_lnx_cat_sudoers.yml | 4 +- 
..._creation_lnx_chattr_immutable_removal.yml | 4 +- .../proc_creation_lnx_clear_logs.yml | 6 +-- .../proc_creation_lnx_clear_syslog.yml | 6 +-- ...proc_creation_lnx_clipboard_collection.yml | 4 +- ...c_creation_lnx_cp_passwd_or_shadow_tmp.yml | 4 +- .../proc_creation_lnx_crontab_enumeration.yml | 2 +- .../proc_creation_lnx_crontab_removal.yml | 4 +- .../proc_creation_lnx_crypto_mining.yml | 4 +- .../proc_creation_lnx_curl_usage.yml | 4 +- ...nx_cve_2022_26134_atlassian_confluence.yml | 6 +-- ...22_33891_spark_shell_command_injection.yml | 6 +-- .../proc_creation_lnx_dd_file_overwrite.yml | 4 +- ...proc_creation_lnx_dd_process_injection.yml | 4 +- .../proc_creation_lnx_disable_ufw.yml | 4 +- .../proc_creation_lnx_doas_execution.yml | 4 +- ..._creation_lnx_esxcli_network_discovery.yml | 2 +- ...ion_lnx_esxcli_permission_change_admin.yml | 2 +- ..._creation_lnx_esxcli_storage_discovery.yml | 2 +- ...eation_lnx_esxcli_syslog_config_change.yml | 4 +- ...c_creation_lnx_esxcli_system_discovery.yml | 2 +- ...ation_lnx_esxcli_user_account_creation.yml | 2 +- .../proc_creation_lnx_esxcli_vm_discovery.yml | 2 +- .../proc_creation_lnx_esxcli_vm_kill.yml | 2 +- ...roc_creation_lnx_esxcli_vsan_discovery.yml | 2 +- ...ation_lnx_file_and_directory_discovery.yml | 4 +- .../proc_creation_lnx_file_deletion.yml | 6 +-- ...oc_creation_lnx_grep_os_arch_discovery.yml | 2 +- .../proc_creation_lnx_groupdel.yml | 2 +- .../proc_creation_lnx_gtfobin_apt.yml | 2 +- .../proc_creation_lnx_gtfobin_vim.yml | 2 +- ..._creation_lnx_install_root_certificate.yml | 6 +-- ...eation_lnx_install_suspicioua_packages.yml | 4 +- .../proc_creation_lnx_iptables_flush_ufw.yml | 4 +- .../proc_creation_lnx_kill_process.yml | 4 +- .../proc_creation_lnx_local_account.yml | 4 +- .../proc_creation_lnx_local_groups.yml | 4 +- ..._malware_gobrat_grep_payload_discovery.yml | 2 +- ...reation_lnx_mkfifo_named_pipe_creation.yml | 2 +- ...fifo_named_pipe_creation_susp_location.yml | 2 +- 
.../proc_creation_lnx_mount_hidepid.yml | 4 +- ...proc_creation_lnx_netcat_reverse_shell.yml | 2 +- .../proc_creation_lnx_nohup.yml | 2 +- ...proc_creation_lnx_nohup_susp_execution.yml | 2 +- ...omigod_scx_runasprovider_executescript.yml | 8 ++-- ..._scx_runasprovider_executeshellcommand.yml | 8 ++-- .../proc_creation_lnx_perl_reverse_shell.yml | 2 +- .../proc_creation_lnx_php_reverse_shell.yml | 2 +- ...creation_lnx_pnscan_binary_cli_pattern.yml | 2 +- .../proc_creation_lnx_process_discovery.yml | 4 +- .../proc_creation_lnx_proxy_connection.yml | 6 +-- .../proc_creation_lnx_python_pty_spawn.yml | 4 +- ...proc_creation_lnx_python_reverse_shell.yml | 2 +- ...s_tools_teamviewer_incoming_connection.yml | 4 +- ...c_creation_lnx_remote_system_discovery.yml | 4 +- .../proc_creation_lnx_remove_package.yml | 4 +- .../proc_creation_lnx_ruby_reverse_shell.yml | 2 +- ...oc_creation_lnx_schedule_task_job_cron.yml | 6 +-- ...eation_lnx_security_software_discovery.yml | 4 +- ..._creation_lnx_security_tools_disabling.yml | 6 +-- ...creation_lnx_services_stop_and_disable.yml | 4 +- .../proc_creation_lnx_setgid_setuid.yml | 4 +- .../proc_creation_lnx_ssm_agent_abuse.yml | 4 +- .../proc_creation_lnx_sudo_cve_2019_14287.yml | 8 ++-- ...oc_creation_lnx_susp_chmod_directories.yml | 4 +- ...lnx_susp_container_residence_discovery.yml | 2 +- ...proc_creation_lnx_susp_curl_fileupload.yml | 4 +- .../proc_creation_lnx_susp_curl_useragent.yml | 4 +- ...proc_creation_lnx_susp_dockerenv_recon.yml | 2 +- ...creation_lnx_susp_execution_tmp_folder.yml | 4 +- .../proc_creation_lnx_susp_find_execution.yml | 2 +- .../proc_creation_lnx_susp_git_clone.yml | 4 +- .../proc_creation_lnx_susp_history_delete.yml | 4 +- .../proc_creation_lnx_susp_history_recon.yml | 4 +- .../proc_creation_lnx_susp_hktl_execution.yml | 6 +-- .../proc_creation_lnx_susp_inod_listing.yml | 2 +- ...roc_creation_lnx_susp_interactive_bash.yml | 4 +- .../proc_creation_lnx_susp_java_children.yml | 2 +- 
...n_lnx_susp_network_utilities_execution.yml | 4 +- .../proc_creation_lnx_susp_pipe_shell.yml | 6 +-- ...roc_creation_lnx_susp_recon_indicators.yml | 4 +- ...reation_lnx_susp_sensitive_file_access.yml | 2 +- ...l_child_process_from_parent_tmp_folder.yml | 2 +- ...p_shell_script_exec_from_susp_location.yml | 2 +- ...roc_creation_lnx_system_info_discovery.yml | 4 +- ...x_system_network_connections_discovery.yml | 4 +- ..._creation_lnx_system_network_discovery.yml | 4 +- .../proc_creation_lnx_touch_susp.yml | 4 +- ...lnx_triple_cross_rootkit_execve_hijack.yml | 6 +-- ...ation_lnx_triple_cross_rootkit_install.yml | 4 +- .../proc_creation_lnx_userdel.yml | 2 +- .../proc_creation_lnx_usermod_susp_group.yml | 4 +- .../proc_creation_lnx_webshell_detection.yml | 4 +- ...lnx_wget_download_suspicious_directory.yml | 4 +- .../proc_creation_lnx_xterm_reverse_shell.yml | 2 +- .../file_event_macos_emond_launch_daemon.yml | 6 +-- ..._event_macos_susp_startup_item_created.yml | 6 +-- .../proc_creation_macos_applescript.yml | 4 +- .../proc_creation_macos_base64_decode.yml | 6 +-- .../proc_creation_macos_binary_padding.yml | 6 +-- ...c_creation_macos_change_file_time_attr.yml | 6 +-- .../proc_creation_macos_clear_system_logs.yml | 6 +-- ...ion_macos_clipboard_data_via_osascript.yml | 2 +- .../proc_creation_macos_create_account.yml | 4 +- ...c_creation_macos_create_hidden_account.yml | 6 +-- ...roc_creation_macos_creds_from_keychain.yml | 6 +-- .../proc_creation_macos_csrutil_disable.yml | 2 +- .../proc_creation_macos_csrutil_status.yml | 2 +- ..._creation_macos_disable_security_tools.yml | 6 +-- ...ion_macos_dscl_add_user_to_admin_group.yml | 8 ++-- ...n_macos_dseditgroup_add_to_admin_group.yml | 6 +-- ...macos_dsenableroot_enable_root_account.yml | 4 +- ...ion_macos_file_and_directory_discovery.yml | 4 +- ...proc_creation_macos_find_cred_in_files.yml | 6 +-- .../proc_creation_macos_gui_input_capture.yml | 6 +-- .../proc_creation_macos_hdiutil_create.yml | 2 +- 
.../proc_creation_macos_hdiutil_mount.yml | 4 +- ...ion_macos_installer_susp_child_process.yml | 4 +- .../proc_creation_macos_ioreg_discovery.yml | 4 +- .../proc_creation_macos_jamf_susp_child.yml | 2 +- .../proc_creation_macos_jamf_usage.yml | 2 +- ...creation_macos_jxa_in_memory_execution.yml | 2 +- ...roc_creation_macos_launchctl_execution.yml | 2 +- .../proc_creation_macos_local_account.yml | 4 +- .../proc_creation_macos_local_groups.yml | 4 +- ...reation_macos_network_service_scanning.yml | 4 +- .../proc_creation_macos_network_sniffing.yml | 6 +-- .../proc_creation_macos_nscurl_usage.yml | 6 +-- ...tion_macos_office_susp_child_processes.yml | 4 +- ...ion_macos_osacompile_runonly_execution.yml | 2 +- ...on_macos_payload_decoded_and_decrypted.yml | 4 +- ...ation_macos_persistence_via_plistbuddy.yml | 2 +- ...s_tools_teamviewer_incoming_connection.yml | 4 +- ...creation_macos_remote_system_discovery.yml | 4 +- ..._creation_macos_schedule_task_job_cron.yml | 6 +-- .../proc_creation_macos_screencapture.yml | 4 +- ...tion_macos_security_software_discovery.yml | 4 +- ...oc_creation_macos_space_after_filename.yml | 6 +-- ..._creation_macos_split_file_into_pieces.yml | 4 +- ...ation_macos_susp_browser_child_process.yml | 4 +- ...cos_susp_execution_macos_script_editor.yml | 8 ++-- ...roc_creation_macos_susp_find_execution.yml | 2 +- ...reation_macos_susp_histfile_operations.yml | 6 +-- ...os_susp_in_memory_download_and_compile.yml | 4 +- ...ion_macos_susp_macos_firmware_activity.yml | 4 +- ...tion_macos_suspicious_applet_behaviour.yml | 2 +- .../proc_creation_macos_swvers_discovery.yml | 2 +- ...os_sysadminctl_add_user_to_admin_group.yml | 8 ++-- ...macos_sysadminctl_enable_guest_account.yml | 4 +- .../proc_creation_macos_sysctl_discovery.yml | 4 +- ...s_system_network_connections_discovery.yml | 4 +- ...reation_macos_system_network_discovery.yml | 4 +- ...eation_macos_system_profiler_discovery.yml | 4 +- ..._creation_macos_system_shutdown_reboot.yml | 4 +- 
...on_macos_tail_base64_decode_from_image.yml | 4 +- ...oc_creation_macos_tmutil_delete_backup.yml | 2 +- ...c_creation_macos_tmutil_disable_backup.yml | 2 +- ..._macos_tmutil_exclude_file_from_backup.yml | 2 +- ...n_macos_wizardupdate_malware_infection.yml | 4 +- ...creation_macos_xattr_gatekeeper_bypass.yml | 6 +-- ...reation_macos_xcsset_malware_infection.yml | 4 +- .../cisco/aaa/cisco_cli_clear_logs.yml | 6 +-- .../cisco/aaa/cisco_cli_collect_data.yml | 6 +-- .../cisco/aaa/cisco_cli_crypto_actions.yml | 8 ++-- .../cisco/aaa/cisco_cli_disable_logging.yml | 6 +-- .../network/cisco/aaa/cisco_cli_discovery.yml | 4 +- rules/network/cisco/aaa/cisco_cli_dos.yml | 4 +- .../cisco/aaa/cisco_cli_file_deletion.yml | 6 +-- .../cisco/aaa/cisco_cli_input_capture.yml | 6 +-- .../cisco/aaa/cisco_cli_local_accounts.yml | 4 +- .../cisco/aaa/cisco_cli_modify_config.yml | 4 +- .../cisco/aaa/cisco_cli_moving_data.yml | 8 ++-- .../network/cisco/aaa/cisco_cli_net_sniff.yml | 6 +-- .../cisco/bgp/cisco_bgp_md5_auth_failed.yml | 12 +++--- .../cisco/ldp/cisco_ldp_md5_auth_failed.yml | 10 ++--- ...s_external_service_interaction_domains.yml | 4 +- .../network/dns/net_dns_mal_cobaltstrike.yml | 6 +-- .../dns/net_dns_pua_cryptocoin_mining_xmr.yml | 2 +- .../network/dns/net_dns_susp_b64_queries.yml | 6 +-- .../network/dns/net_dns_susp_telegram_api.yml | 6 +-- .../dns/net_dns_susp_txt_exec_strings.yml | 6 +-- .../net_dns_wannacry_killswitch_domain.yml | 6 +-- .../net_firewall_cleartext_protocols.yml | 6 +-- .../huawei/bgp/huawei_bgp_auth_failed.yml | 12 +++--- .../juniper/bgp/juniper_bgp_missing_md5.yml | 12 +++--- .../zeek_dce_rpc_mitre_bzar_execution.yml | 4 +- .../zeek_dce_rpc_mitre_bzar_persistence.yml | 4 +- ...rpc_potential_petit_potam_efs_rpc_call.yml | 4 +- ...pc_printnightmare_print_driver_install.yml | 10 ++--- .../zeek_dce_rpc_smb_spoolss_named_pipe.yml | 6 +-- ...zeek_default_cobalt_strike_certificate.yml | 6 +-- rules/network/zeek/zeek_dns_mining_pools.yml | 4 +- 
rules/network/zeek/zeek_dns_nkn.yml | 4 +- .../network/zeek/zeek_dns_susp_zbit_flag.yml | 6 +-- rules/network/zeek/zeek_dns_torproxy.yml | 4 +- ...k_http_executable_download_from_webdav.yml | 6 +-- .../zeek/zeek_http_omigod_no_auth_rce.yml | 10 ++--- .../zeek/zeek_http_webdav_put_request.yml | 4 +- .../network/zeek/zeek_rdp_public_listener.yml | 6 +-- .../zeek_smb_converted_win_atsvc_task.yml | 6 +-- ..._smb_converted_win_impacket_secretdump.yml | 6 +-- .../zeek_smb_converted_win_lm_namedpipe.yml | 6 +-- .../zeek_smb_converted_win_susp_psexec.yml | 6 +-- ...verted_win_susp_raccess_sensitive_fext.yml | 4 +- ...ransferring_files_with_credential_data.yml | 6 +-- rules/network/zeek/zeek_susp_kerberos_rc4.yml | 6 +-- .../product/apache/web_apache_segfault.yml | 4 +- .../apache/web_apache_threading_error.yml | 8 ++-- .../web/product/nginx/web_nginx_core_dump.yml | 4 +- .../proxy_download_susp_dyndns.yml | 8 ++-- .../proxy_download_susp_tlds_blacklist.yml | 6 +-- .../proxy_download_susp_tlds_whitelist.yml | 6 +-- .../proxy_downloadcradle_webdav.yml | 6 +-- .../proxy_f5_tm_utility_bash_api_request.yml | 4 +- ...roxy_hktl_baby_shark_default_agent_url.yml | 6 +-- ...tl_cobalt_strike_malleable_c2_requests.yml | 14 +++---- .../proxy_hktl_empire_ua_uri_patterns.yml | 8 ++-- ...y_pua_advanced_ip_scanner_update_check.yml | 4 +- rules/web/proxy_generic/proxy_pwndrop.yml | 6 +-- .../proxy_raw_paste_service_access.yml | 8 ++-- .../proxy_susp_flash_download_loc.yml | 8 ++-- .../proxy_susp_ipfs_cred_harvest.yml | 4 +- .../web/proxy_generic/proxy_telegram_api.yml | 8 ++-- rules/web/proxy_generic/proxy_ua_apt.yml | 6 +-- .../proxy_generic/proxy_ua_base64_encoded.yml | 4 +- .../proxy_ua_bitsadmin_susp_ip.yml | 8 ++-- .../proxy_ua_bitsadmin_susp_tld.yml | 8 ++-- .../proxy_generic/proxy_ua_cryptominer.yml | 6 +-- rules/web/proxy_generic/proxy_ua_empty.yml | 8 ++-- .../web/proxy_generic/proxy_ua_frameworks.yml | 6 +-- rules/web/proxy_generic/proxy_ua_hacktool.yml | 8 ++-- 
rules/web/proxy_generic/proxy_ua_malware.yml | 6 +-- .../web/proxy_generic/proxy_ua_powershell.yml | 8 ++-- rules/web/proxy_generic/proxy_ua_rclone.yml | 2 +- rules/web/proxy_generic/proxy_ua_susp.yml | 6 +-- .../proxy_generic/proxy_ua_susp_base64.yml | 6 +-- .../proxy_webdav_external_execution.yml | 4 +- .../web_f5_tm_utility_bash_api_request.yml | 2 +- .../web_iis_tilt_shortname_scan.yml | 6 +-- .../web_java_payload_in_access_logs.yml | 10 ++--- .../webserver_generic/web_jndi_exploit.yml | 6 +-- ...eb_path_traversal_exploitation_attempt.yml | 6 +-- .../web_source_code_enumeration.yml | 4 +- .../web_sql_injection_in_access_logs.yml | 6 +-- .../web_ssti_in_access_logs.yml | 4 +- .../webserver_generic/web_susp_useragents.yml | 6 +-- .../web_susp_windows_path_uri.yml | 4 +- .../web_webshell_regeorg.yml | 4 +- .../web_win_webshells_in_access_logs.yml | 4 +- .../web_xss_in_access_logs.yml | 6 +-- .../Other/win_av_relevant_match.yml | 6 +-- .../win_application_msmpeng_crash_error.yml | 6 +-- ...in_werfault_susp_lsass_credential_dump.yml | 4 +- .../esent/win_esent_ntdsutil_abuse.yml | 4 +- ...win_esent_ntdsutil_abuse_susp_location.yml | 4 +- .../win_audit_cve.yml | 12 +++--- .../win_susp_backup_delete.yml | 6 +-- ...in_software_restriction_policies_block.yml | 4 +- .../win_builtin_remove_application.yml | 4 +- .../win_msi_install_from_susp_locations.yml | 4 +- .../msiinstaller/win_msi_install_from_web.yml | 6 +-- .../win_software_atera_rmm_agent_install.yml | 4 +- .../win_mssql_add_sysadmin_account.yml | 4 +- .../win_mssql_disable_audit_settings.yml | 6 +-- .../mssqlserver/win_mssql_failed_logon.yml | 6 +-- ...sql_failed_logon_from_external_network.yml | 6 +-- .../win_mssql_sp_procoption_set.yml | 4 +- .../win_mssql_xp_cmdshell_audit_log.yml | 4 +- .../win_mssql_xp_cmdshell_change.yml | 4 +- ...ccess_tools_screenconnect_command_exec.yml | 2 +- ...cess_tools_screenconnect_file_transfer.yml | 2 +- .../win_application_msmpeng_crash_wer.yml | 6 +-- 
..._applocker_file_was_not_allowed_to_run.yml | 4 +- ...time_sysinternals_tools_appx_execution.yml | 6 +-- ..._appxdeployment_server_applocker_block.yml | 4 +- ...n_appxdeployment_server_mal_appx_names.yml | 6 +-- ...win_appxdeployment_server_policy_block.yml | 4 +- ..._server_susp_appx_package_installation.yml | 4 +- ...win_appxdeployment_server_susp_domains.yml | 6 +-- ...ployment_server_susp_package_locations.yml | 4 +- ...ment_server_uncommon_package_locations.yml | 4 +- ...n_appxpackaging_om_sups_appx_signature.yml | 4 +- .../win_bits_client_new_job_via_bitsadmin.yml | 6 +-- ...win_bits_client_new_job_via_powershell.yml | 6 +-- ...nt_new_transfer_saving_susp_extensions.yml | 6 +-- ..._new_transfer_via_file_sharing_domains.yml | 6 +-- ...its_client_new_transfer_via_ip_address.yml | 6 +-- ...s_client_new_transfer_via_uncommon_tld.yml | 6 +-- ..._client_new_trasnfer_susp_local_folder.yml | 6 +-- ..._capi2_acquire_certificate_private_key.yml | 4 +- ...sclient_lifecycle_system_cert_exported.yml | 4 +- .../win_codeintegrity_attempted_dll_load.yml | 4 +- ...tegrity_blocked_protected_process_file.yml | 4 +- ...in_codeintegrity_enforced_policy_block.yml | 6 +-- ...n_codeintegrity_revoked_driver_blocked.yml | 4 +- ...in_codeintegrity_revoked_driver_loaded.yml | 4 +- ...in_codeintegrity_revoked_image_blocked.yml | 4 +- ...win_codeintegrity_revoked_image_loaded.yml | 4 +- ...n_codeintegrity_unsigned_driver_loaded.yml | 4 +- ...in_codeintegrity_unsigned_image_loaded.yml | 4 +- .../win_codeintegrity_whql_failure.yml | 6 +-- ...diagnosis_scripted_load_remote_diagcab.yml | 2 +- .../win_dns_client__mal_cobaltstrike.yml | 4 +- .../win_dns_client_anonymfiles_com.yml | 2 +- .../dns_client/win_dns_client_mega_nz.yml | 2 +- .../dns_client/win_dns_client_tor_onion.yml | 4 +- .../dns_client/win_dns_client_ufile_io.yml | 4 +- ...in_dns_server_failed_dns_zone_transfer.yml | 2 +- ...ns_server_susp_server_level_plugin_dll.yml | 6 +-- .../win_usb_device_plugged.yml | 6 +-- 
.../firewall_as/win_firewall_as_add_rule.yml | 6 +-- .../win_firewall_as_add_rule_susp_folder.yml | 6 +-- .../win_firewall_as_add_rule_wmiprvse.yml | 4 +- .../win_firewall_as_delete_all_rules.yml | 6 +-- .../win_firewall_as_delete_rule.yml | 6 +-- .../win_firewall_as_failed_load_gpo.yml | 6 +-- .../win_firewall_as_reset_config.yml | 6 +-- .../win_firewall_as_setting_change.yml | 6 +-- rules/windows/builtin/ldap/win_ldap_recon.yml | 4 +- .../win_lsa_server_normal_user_admin.yml | 8 ++-- .../win_exchange_proxylogon_oabvirtualdir.yml | 6 +-- ...ange_proxyshell_certificate_generation.yml | 4 +- ...win_exchange_proxyshell_mailbox_export.yml | 4 +- ...hange_proxyshell_remove_mailbox_export.yml | 6 +-- ...ge_set_oabvirtualdirectory_externalurl.yml | 4 +- .../win_exchange_transportagent.yml | 4 +- .../win_exchange_transportagent_failed.yml | 4 +- .../builtin/ntlm/win_susp_ntlm_auth.yml | 6 +-- .../ntlm/win_susp_ntlm_brute_force.yml | 4 +- .../builtin/ntlm/win_susp_ntlm_rdp.yml | 6 +-- ...shd_openssh_server_listening_on_socket.yml | 4 +- .../win_security_access_token_abuse.yml | 8 ++-- .../win_security_admin_rdp_login.yml | 6 +-- ...y_diagtrack_eop_default_login_username.yml | 4 +- ...er_added_security_enabled_global_group.yml | 4 +- ..._removed_security_enabled_global_group.yml | 4 +- .../win_security_overpass_the_hash.yml | 6 +-- .../win_security_pass_the_hash_2.yml | 6 +-- .../win_security_rdp_bluekeep_poc_scanner.yml | 6 +-- .../win_security_rdp_localhost_login.yml | 6 +-- ...scrcons_remote_wmi_scripteventconsumer.yml | 8 ++-- ..._security_enabled_global_group_deleted.yml | 4 +- ...y_successful_external_remote_rdp_login.yml | 8 ++-- ...y_successful_external_remote_smb_login.yml | 8 ++-- .../win_security_susp_failed_logon_source.yml | 6 +-- ...win_security_susp_logon_newcredentials.yml | 6 +-- ..._susp_privesc_kerberos_relay_over_ldap.yml | 8 ++-- .../win_security_susp_rottenpotato.yml | 8 ++-- .../win_security_susp_wmi_login.yml | 4 +- 
...in_security_wfp_endpoint_agent_blocked.yml | 4 +- ...rity_aadhealth_mon_agent_regkey_access.yml | 4 +- ...rity_aadhealth_svc_agent_regkey_access.yml | 4 +- ...ecurity_account_backdoor_dcsync_rights.yml | 4 +- .../win_security_account_discovery.yml | 4 +- ...win_security_ad_object_writedac_access.yml | 6 +-- ...ity_ad_replication_non_machine_account.yml | 6 +-- .../win_security_ad_user_enumeration.yml | 4 +- ...e_template_configuration_vulnerability.yml | 8 ++-- ...mplate_configuration_vulnerability_eku.yml | 8 ++-- .../win_security_add_remove_computer.yml | 4 +- .../win_security_admin_share_access.yml | 6 +-- ...ty_alert_active_directory_user_control.yml | 4 +- .../win_security_alert_ad_user_backdoors.yml | 4 +- ..._security_alert_enable_weak_encryption.yml | 6 +-- .../security/win_security_alert_ruler.yml | 4 +- .../security/win_security_atsvc_task.yml | 6 +-- .../win_security_audit_log_cleared.yml | 10 ++--- .../win_security_camera_microphone_access.yml | 4 +- ...security_cobaltstrike_service_installs.yml | 8 ++-- ...n_security_codeintegrity_check_failure.yml | 6 +-- ...ecurity_dce_rpc_smb_spoolss_named_pipe.yml | 6 +-- .../win_security_dcom_iertutil_dll_hijack.yml | 6 +-- .../builtin/security/win_security_dcsync.yml | 6 +-- ...n_security_device_installation_blocked.yml | 4 +- .../win_security_disable_event_auditing.yml | 6 +-- ...curity_disable_event_auditing_critical.yml | 6 +-- .../win_security_dot_net_etw_tamper.yml | 6 +-- ...rity_dpapi_domain_backupkey_extraction.yml | 6 +-- ..._dpapi_domain_masterkey_backup_attempt.yml | 6 +-- .../security/win_security_external_device.yml | 8 ++-- .../win_security_gpo_scheduledtasks.yml | 6 +-- .../win_security_hidden_user_creation.yml | 4 +- .../win_security_hktl_edr_silencer.yml | 6 +-- .../security/win_security_hktl_nofilter.yml | 4 +- ...y_hybridconnectionmgr_svc_installation.yml | 4 +- .../security/win_security_impacket_psexec.yml | 6 +-- .../win_security_impacket_secretdump.yml | 6 +-- 
...oke_obfuscation_clip_services_security.yml | 6 +-- ...ation_obfuscated_iex_services_security.yml | 6 +-- ...ke_obfuscation_stdin_services_security.yml | 6 +-- ...voke_obfuscation_var_services_security.yml | 6 +-- ...scation_via_compress_services_security.yml | 6 +-- ...fuscation_via_rundll_services_security.yml | 6 +-- ...bfuscation_via_stdin_services_security.yml | 6 +-- ...scation_via_use_clip_services_security.yml | 6 +-- ...cation_via_use_mshta_services_security.yml | 6 +-- ...ion_via_use_rundll32_services_security.yml | 6 +-- ..._obfuscation_via_var_services_security.yml | 6 +-- .../security/win_security_iso_mount.yml | 6 +-- .../security/win_security_lm_namedpipe.yml | 6 +-- ...curity_lsass_access_non_system_account.yml | 6 +-- .../security/win_security_mal_creddumper.yml | 6 +-- .../security/win_security_mal_wceaux_dll.yml | 6 +-- ...win_security_metasploit_authentication.yml | 6 +-- ...or_impacket_smb_psexec_service_install.yml | 6 +-- ...cobaltstrike_getsystem_service_install.yml | 6 +-- .../win_security_net_ntlm_downgrade.yml | 6 +-- ...ecurity_net_share_obj_susp_desktop_ini.yml | 4 +- ..._renamed_user_account_with_dollar_sign.yml | 6 +-- .../win_security_not_allowed_rdp_access.yml | 6 +-- ...in_security_password_policy_enumerated.yml | 2 +- .../security/win_security_pcap_drivers.yml | 6 +-- .../win_security_petitpotam_network_share.yml | 6 +-- ...n_security_petitpotam_susp_tgt_request.yml | 6 +-- .../win_security_possible_dc_shadow.yml | 6 +-- ...powershell_script_installed_as_service.yml | 4 +- ...urity_protected_storage_service_access.yml | 6 +-- .../win_security_rdp_reverse_tunnel.yml | 10 ++--- ...y_register_new_logon_process_by_rubeus.yml | 8 ++-- ...ty_registry_permissions_weakness_check.yml | 6 +-- ...win_security_remote_powershell_session.yml | 4 +- .../win_security_replay_attack_detected.yml | 4 +- ...urity_sam_registry_hive_handle_request.yml | 6 +-- ...n_security_scm_database_handle_failure.yml | 4 +- 
...rity_scm_database_privileged_operation.yml | 6 +-- ...service_install_remote_access_software.yml | 4 +- ..._service_installation_by_unusal_client.yml | 6 +-- ...ecurity_smb_file_creation_admin_shares.yml | 6 +-- .../win_security_susp_add_domain_trust.yml | 4 +- .../win_security_susp_add_sid_history.yml | 4 +- .../win_security_susp_computer_name.yml | 10 ++--- ...win_security_susp_dsrm_password_change.yml | 4 +- ...win_security_susp_failed_logon_reasons.yml | 10 ++--- ...in_security_susp_kerberos_manipulation.yml | 6 +-- .../win_security_susp_ldap_dataexchange.yml | 6 +-- ...security_susp_local_anon_logon_created.yml | 4 +- ...curity_susp_logon_explicit_credentials.yml | 6 +-- .../security/win_security_susp_lsass_dump.yml | 6 +-- .../win_security_susp_lsass_dump_generic.yml | 6 +-- .../win_security_susp_net_recon_activity.yml | 4 +- ...win_security_susp_opened_encrypted_zip.yml | 4 +- ...ity_susp_opened_encrypted_zip_filename.yml | 6 +-- ...rity_susp_opened_encrypted_zip_outlook.yml | 6 +-- ...rity_susp_outbound_kerberos_connection.yml | 6 +-- ...susp_possible_shadow_credentials_added.yml | 4 +- .../security/win_security_susp_psexec.yml | 6 +-- ...n_security_susp_raccess_sensitive_fext.yml | 4 +- .../win_security_susp_rc4_kerberos.yml | 6 +-- ..._security_susp_scheduled_task_creation.yml | 6 +-- ..._susp_scheduled_task_delete_or_disable.yml | 6 +-- ...in_security_susp_scheduled_task_update.yml | 4 +- .../security/win_security_susp_sdelete.yml | 6 +-- .../win_security_susp_time_modification.yml | 6 +-- .../win_security_svcctl_remote_service.yml | 6 +-- .../win_security_syskey_registry_access.yml | 4 +- ...rity_sysmon_channel_reference_deletion.yml | 6 +-- .../win_security_tap_driver_installation.yml | 4 +- ...security_teams_suspicious_objectaccess.yml | 4 +- ...iles_with_cred_data_via_network_shares.yml | 6 +-- ...ity_user_added_to_local_administrators.yml | 6 +-- ...l_priv_service_lsaregisterlogonprocess.yml | 8 ++-- .../security/win_security_user_creation.yml | 
4 +- .../win_security_user_driver_loaded.yml | 6 +-- .../security/win_security_user_logoff.yml | 2 +- ..._vssaudit_secevent_source_registration.yml | 6 +-- ..._defender_exclusions_registry_modified.yml | 6 +-- ...ndows_defender_exclusions_write_access.yml | 6 +-- ...dows_defender_exclusions_write_deleted.yml | 6 +-- .../security/win_security_wmi_persistence.yml | 6 +-- ..._security_wmiprvse_wbemcomn_dll_hijack.yml | 6 +-- .../win_security_workstation_was_locked.yml | 4 +- ...mitigations_defender_load_unsigned_dll.yml | 6 +-- ...ations_unsigned_dll_from_susp_location.yml | 6 +-- .../win_hybridconnectionmgr_svc_running.yml | 6 +-- ...win_shell_core_susp_packages_installed.yml | 2 +- ...lient_security_susp_failed_guest_logon.yml | 6 +-- .../win_system_application_sysmon_crash.yml | 6 +-- .../lsasrv/win_system_lsasrv_ntlmv1.yml | 8 ++-- ..._system_adcs_enrollment_request_denied.yml | 4 +- .../win_system_susp_dhcp_config.yml | 6 +-- .../win_system_susp_dhcp_config_failed.yml | 6 +-- .../win_system_exploit_cve_2021_42287.yml | 6 +-- .../win_system_lpe_indicators_tabtip.yml | 4 +- .../win_system_eventlog_cleared.yml | 8 ++-- .../win_system_susp_eventlog_cleared.yml | 6 +-- ...stem_kdcsvc_cert_use_no_strong_mapping.yml | 4 +- .../win_system_kdcsvc_rc4_downgrade.yml | 4 +- ...c_tgs_no_suitable_encryption_key_found.yml | 4 +- ...ical_hive_location_access_bits_cleared.yml | 8 ++-- .../win_system_volume_shadow_copy_mount.yml | 6 +-- ..._vuln_cve_2022_21919_or_cve_2021_34484.yml | 4 +- .../win_system_susp_system_update_error.yml | 6 +-- ...gon_exploitation_using_wellknown_tools.yml | 6 +-- .../netlogon/win_system_vul_cve_2020_1472.yml | 6 +-- .../ntfs/win_system_ntfs_vuln_exploit.yml | 4 +- ...n_system_cobaltstrike_service_installs.yml | 8 ++-- .../win_system_defender_disabled.yml | 6 +-- .../win_system_hack_smbexec.yml | 6 +-- ...ystem_invoke_obfuscation_clip_services.yml | 6 +-- ...ke_obfuscation_obfuscated_iex_services.yml | 6 +-- 
...stem_invoke_obfuscation_stdin_services.yml | 6 +-- ...system_invoke_obfuscation_var_services.yml | 6 +-- ...voke_obfuscation_via_compress_services.yml | 6 +-- ...invoke_obfuscation_via_rundll_services.yml | 6 +-- ..._invoke_obfuscation_via_stdin_services.yml | 6 +-- ...voke_obfuscation_via_use_clip_services.yml | 6 +-- ...oke_obfuscation_via_use_mshta_services.yml | 6 +-- ..._obfuscation_via_use_rundll32_services.yml | 6 +-- ...em_invoke_obfuscation_via_var_services.yml | 6 +-- ...system_krbrelayup_service_installation.yml | 6 +-- .../win_system_mal_creddumper.yml | 6 +-- ...tstrike_getsystem_service_installation.yml | 6 +-- .../win_system_moriya_rootkit.yml | 6 +-- ...powershell_script_installed_as_service.yml | 4 +- .../win_system_service_install_anydesk.yml | 2 +- .../win_system_service_install_csexecsvc.yml | 2 +- .../win_system_service_install_hacktools.yml | 4 +- .../win_system_service_install_mesh_agent.yml | 4 +- ...tem_service_install_netsupport_manager.yml | 2 +- .../win_system_service_install_paexec.yml | 2 +- .../win_system_service_install_pdqdeploy.yml | 4 +- ...ystem_service_install_pdqdeploy_runner.yml | 4 +- ...ystem_service_install_pua_proceshacker.yml | 6 +-- .../win_system_service_install_remcom.yml | 2 +- ...service_install_remote_access_software.yml | 4 +- ...ystem_service_install_remote_utilities.yml | 2 +- .../win_system_service_install_sliver.yml | 4 +- ...tem_service_install_sups_unusal_client.yml | 6 +-- .../win_system_service_install_susp.yml | 8 ++-- ...em_service_install_sysinternals_psexec.yml | 4 +- ...win_system_service_install_tacticalrmm.yml | 4 +- .../win_system_service_install_tap_driver.yml | 4 +- .../win_system_service_install_uncommon.yml | 8 ++-- ...ystem_service_terminated_error_generic.yml | 4 +- ...tem_service_terminated_error_important.yml | 4 +- ...system_service_terminated_unexpectedly.yml | 4 +- ...n_system_susp_rtcore64_service_install.yml | 2 +- ...ystem_susp_service_installation_folder.yml | 6 +-- 
...sp_service_installation_folder_pattern.yml | 6 +-- ...ystem_susp_service_installation_script.yml | 6 +-- ...win_system_rdp_potential_cve_2019_0708.yml | 6 +-- ...cheduler_execution_from_susp_locations.yml | 4 +- ...er_lolbin_execution_via_task_scheduler.yml | 4 +- ...win_taskscheduler_susp_schtasks_delete.yml | 4 +- .../win_terminalservices_rdp_ngrok.yml | 4 +- .../builtin/win_alert_mimikatz_keywords.yml | 8 ++-- ..._defender_antimalware_platform_expired.yml | 8 ++-- .../win_defender_asr_lsass_access.yml | 6 +-- .../windefend/win_defender_asr_psexec_wmi.yml | 6 +-- ...defender_config_change_exclusion_added.yml | 6 +-- ...der_config_change_exploit_guard_tamper.yml | 6 +-- ...onfig_change_sample_submission_consent.yml | 4 +- .../windefend/win_defender_history_delete.yml | 6 +-- ...defender_malware_and_pua_scan_disabled.yml | 8 ++-- ..._defender_malware_detected_amsi_source.yml | 4 +- ...defender_real_time_protection_disabled.yml | 8 ++-- ...n_defender_real_time_protection_errors.yml | 6 +-- .../win_defender_restored_quarantine_file.yml | 4 +- ...defender_suspicious_features_tampering.yml | 6 +-- ...win_defender_tamper_protection_trigger.yml | 6 +-- .../builtin/windefend/win_defender_threat.yml | 2 +- .../win_defender_virus_scan_disabled.yml | 8 ++-- .../builtin/wmi/win_wmi_persistence.yml | 6 +-- ...ate_remote_thread_win_hktl_cactustorch.yml | 6 +-- ...te_remote_thread_win_hktl_cobaltstrike.yml | 6 +-- .../create_remote_thread_win_keepass.yml | 6 +-- ..._remote_thread_win_mstsc_susp_location.yml | 6 +-- ...ate_remote_thread_win_powershell_lsass.yml | 8 ++-- ...ote_thread_win_powershell_susp_targets.yml | 6 +-- ..._thread_win_susp_password_dumper_lsass.yml | 6 +-- ..._thread_win_susp_relevant_source_image.yml | 8 ++-- ...read_win_susp_target_shell_application.yml | 4 +- ..._thread_win_susp_uncommon_source_image.yml | 8 ++-- ..._thread_win_susp_uncommon_target_image.yml | 10 ++--- .../create_remote_thread_win_ttdinjec.yml | 6 +-- 
.../create_stream_hash_ads_executable.yml | 6 +-- ...ate_stream_hash_creation_internet_file.yml | 6 +-- ...haring_domains_download_susp_extension.yml | 6 +-- ...ing_domains_download_unusual_extension.yml | 6 +-- ...eate_stream_hash_hktl_generic_download.yml | 6 +-- ...eate_stream_hash_regedit_export_to_ads.yml | 6 +-- .../create_stream_hash_susp_ip_domains.yml | 6 +-- ...stream_hash_winget_susp_package_source.yml | 4 +- .../create_stream_hash_zip_tld_download.yml | 4 +- .../dns_query_win_anonymfiles_com.yml | 4 +- .../dns_query/dns_query_win_appinstaller.yml | 6 +-- ...ns_query_win_cloudflared_communication.yml | 4 +- ...dns_query_win_devtunnels_communication.yml | 6 +-- ...in_dns_server_discovery_via_ldap_query.yml | 4 +- .../dns_query_win_domain_azurewebsites.yml | 4 +- ...ery_win_hybridconnectionmgr_servicebus.yml | 4 +- .../dns_query_win_mal_cobaltstrike.yml | 6 +-- .../dns_query/dns_query_win_mega_nz.yml | 4 +- ...dns_query_win_onelaunch_update_service.yml | 2 +- .../dns_query_win_regsvr32_dns_query.yml | 6 +-- ...e_access_software_domains_non_browsers.yml | 12 +++--- .../dns_query_win_susp_external_ip_lookup.yml | 4 +- ...eamviewer_domain_query_by_uncommon_app.yml | 6 +-- .../dns_query_win_tor_onion_domain_query.yml | 6 +-- .../dns_query_win_ufile_io_query.yml | 4 +- ..._query_win_vscode_tunnel_communication.yml | 6 +-- .../driver_load_win_mal_drivers.yml | 6 +-- .../driver_load_win_mal_drivers_names.yml | 6 +-- .../driver_load_win_pua_process_hacker.yml | 8 ++-- .../driver_load_win_pua_system_informer.yml | 4 +- .../driver_load_win_susp_temp_use.yml | 6 +-- .../driver_load_win_vuln_drivers.yml | 6 +-- .../driver_load_win_vuln_drivers_names.yml | 6 +-- .../driver_load_win_vuln_hevd_driver.yml | 6 +-- .../driver_load_win_vuln_winring0_driver.yml | 6 +-- .../driver_load/driver_load_win_windivert.yml | 6 +-- ...ess_win_susp_credential_manager_access.yml | 6 +-- .../file_access_win_susp_credhist.yml | 6 +-- ...ccess_win_susp_crypto_currency_wallets.yml | 4 +- 
...ccess_win_susp_dpapi_master_key_access.yml | 6 +-- .../file_access_win_susp_gpo_files.yml | 6 +-- .../file_access_win_teams_sensitive_files.yml | 4 +- .../file_change_win_2022_timestomping.yml | 6 +-- ...ge_win_unusual_modification_by_dns_exe.yml | 4 +- ...lete_win_cve_2021_1675_print_nightmare.yml | 10 ++--- .../file_delete_win_delete_backup_file.yml | 4 +- ...file_delete_win_delete_event_log_files.yml | 4 +- ...te_win_delete_exchange_powershell_logs.yml | 6 +-- ...file_delete_win_delete_iis_access_logs.yml | 6 +-- ..._win_delete_powershell_command_history.yml | 4 +- .../file_delete_win_delete_prefetch.yml | 6 +-- ...file_delete_win_delete_teamviewer_logs.yml | 6 +-- .../file_delete_win_delete_tomcat_logs.yml | 4 +- ...win_sysinternals_sdelete_file_deletion.yml | 6 +-- ...delete_win_unusual_deletion_by_dns_exe.yml | 6 +-- ...elete_win_zone_identifier_ads_uncommon.yml | 6 +-- ...n_adsi_cache_creation_by_uncommon_tool.yml | 6 +-- .../file_event_win_advanced_ip_scanner.yml | 4 +- .../file_event_win_anydesk_artefact.yml | 6 +-- ...vent_win_anydesk_writing_susp_binaries.yml | 4 +- .../file_event_win_aspnet_temp_files.yml | 2 +- .../file_event_win_bloodhound_collection.yml | 4 +- ...t_win_create_evtx_non_common_locations.yml | 6 +-- ...ile_event_win_create_non_existent_dlls.yml | 8 ++-- ...e_event_win_creation_new_shim_database.yml | 4 +- ...ile_event_win_creation_scr_binary_file.yml | 4 +- ...le_event_win_creation_system_dll_files.yml | 4 +- .../file_event_win_creation_system_file.yml | 6 +-- ...ent_win_creation_unquoted_service_path.yml | 2 +- ...vent_win_cred_dump_tools_dropped_files.yml | 6 +-- ...file_event_win_cscript_wscript_dropper.yml | 4 +- .../file_event_win_csexec_service.yml | 2 +- ...file_event_win_csharp_compile_artefact.yml | 6 +-- ...ile_event_win_dcom_iertutil_dll_hijack.yml | 8 ++-- ...e_event_win_dll_sideloading_space_path.yml | 6 +-- ...file_event_win_dump_file_susp_creation.yml | 4 +- ...ile_event_win_errorhandler_persistence.yml | 4 +- 
.../file_event_win_exchange_webshell_drop.yml | 2 +- ..._win_exchange_webshell_drop_suspicious.yml | 4 +- .../file_event_win_gotoopener_artefact.yml | 4 +- ...event_win_hktl_crackmapexec_indicators.yml | 8 ++-- .../file_event_win_hktl_dumpert.yml | 6 +-- ...nt_win_hktl_hivenightmare_file_exports.yml | 8 ++-- .../file_event_win_hktl_inveigh_artefacts.yml | 6 +-- ...ile_event_win_hktl_krbrelay_remote_ioc.yml | 4 +- .../file_event_win_hktl_mimikatz_files.yml | 8 ++-- .../file_event/file_event_win_hktl_nppspy.yml | 6 +-- ...le_event_win_hktl_powerup_dllhijacking.yml | 8 ++-- .../file_event_win_hktl_quarkspw_filedump.yml | 6 +-- .../file_event_win_hktl_remote_cred_dump.yml | 6 +-- .../file_event_win_hktl_safetykatz.yml | 6 +-- ...tial_access_dll_search_order_hijacking.yml | 6 +-- ...e_event_win_install_teamviewer_desktop.yml | 4 +- ...ile_event_win_iphlpapi_dll_sideloading.yml | 6 +-- .../file_event_win_iso_file_mount.yml | 4 +- .../file_event_win_iso_file_recent.yml | 4 +- ...lbin_gather_network_info_script_output.yml | 2 +- ...vent_win_lsass_default_dump_file_names.yml | 10 ++--- .../file_event_win_lsass_shtinkering.yml | 4 +- .../file_event_win_lsass_werfault_dump.yml | 4 +- .../file_event/file_event_win_mal_adwind.yml | 4 +- .../file_event_win_mal_octopus_scanner.yml | 4 +- .../file_event_win_msdt_susp_directories.yml | 6 +-- ...vent_win_mysqld_uncommon_file_creation.yml | 4 +- .../file_event_win_net_cli_artefact.yml | 8 ++-- ...n_new_files_in_uncommon_appdata_folder.yml | 6 +-- .../file_event_win_new_scr_file.yml | 6 +-- ...vent_win_notepad_plus_plus_persistence.yml | 4 +- .../file_event_win_ntds_dit_creation.yml | 4 +- ...t_win_ntds_dit_uncommon_parent_process.yml | 6 +-- ...le_event_win_ntds_dit_uncommon_process.yml | 6 +-- .../file_event_win_ntds_exfil_tools.yml | 6 +-- ...ile_event_win_office_addin_persistence.yml | 4 +- ...e_event_win_office_macro_files_created.yml | 4 +- ...vent_win_office_macro_files_downloaded.yml | 6 +-- 
...n_office_macro_files_from_susp_process.yml | 6 +-- ...office_onenote_files_in_susp_locations.yml | 6 +-- ..._win_office_onenote_susp_dropped_files.yml | 6 +-- ...vent_win_office_outlook_macro_creation.yml | 6 +-- .../file_event_win_office_outlook_newform.yml | 4 +- ...win_office_outlook_susp_macro_creation.yml | 4 +- ...fice_publisher_files_in_susp_locations.yml | 4 +- ...e_event_win_office_startup_persistence.yml | 4 +- ...e_event_win_office_susp_file_extension.yml | 4 +- ...event_win_office_uncommon_file_startup.yml | 6 +-- .../file_event_win_pcre_net_temp_file.yml | 4 +- .../file_event_win_perflogs_susp_files.yml | 2 +- ...t_win_powershell_drop_binary_or_script.yml | 4 +- ...e_event_win_powershell_drop_powershell.yml | 2 +- ...e_event_win_powershell_exploit_scripts.yml | 4 +- ...e_event_win_powershell_module_creation.yml | 2 +- ...nt_win_powershell_module_susp_creation.yml | 2 +- ...in_powershell_module_uncommon_creation.yml | 4 +- ...event_win_powershell_startup_shortcuts.yml | 4 +- ...licy_test_creation_by_uncommon_process.yml | 6 +-- .../file_event_win_rclone_config_files.yml | 4 +- .../file_event_win_rdp_file_susp_creation.yml | 4 +- ...e_event_win_redmimicry_winnti_filedrop.yml | 6 +-- .../file_event_win_regedit_print_as_pdf.yml | 4 +- .../file_event_win_remcom_service.yml | 2 +- ...te_access_tools_screenconnect_artefact.yml | 4 +- ...access_tools_screenconnect_remote_file.yml | 2 +- .../file_event_win_ripzip_attack.yml | 4 +- .../file_event/file_event_win_sam_dump.yml | 6 +-- .../file_event_win_sed_file_creation.yml | 4 +- ...e_event_win_shell_write_susp_directory.yml | 4 +- ..._win_shell_write_susp_files_extensions.yml | 6 +-- ...le_event_win_startup_folder_file_write.yml | 4 +- .../file_event_win_susp_colorcpl.yml | 6 +-- ...ile_event_win_susp_creation_by_mobsync.yml | 6 +-- ...e_event_win_susp_default_gpo_dir_write.yml | 4 +- .../file_event_win_susp_desktop_ini.yml | 4 +- .../file_event_win_susp_desktop_txt.yml | 2 +- 
..._event_win_susp_desktopimgdownldr_file.yml | 6 +-- .../file_event_win_susp_diagcab.yml | 4 +- .../file_event_win_susp_double_extension.yml | 6 +-- ..._susp_dpapi_backup_and_cert_export_ioc.yml | 2 +- ...ile_event_win_susp_exchange_aspx_write.yml | 4 +- ...ile_event_win_susp_executable_creation.yml | 6 +-- .../file_event_win_susp_get_variable.yml | 4 +- ...t_win_susp_hidden_dir_index_allocation.yml | 4 +- ...file_event_win_susp_homoglyph_filename.yml | 4 +- ...n_susp_legitimate_app_dropping_archive.yml | 4 +- ...t_win_susp_legitimate_app_dropping_exe.yml | 6 +-- ...in_susp_legitimate_app_dropping_script.yml | 6 +-- ...le_event_win_susp_lnk_double_extension.yml | 6 +-- .../file_event_win_susp_pfx_file_creation.yml | 6 +-- ...file_event_win_susp_powershell_profile.yml | 6 +-- ...cexplorer_driver_created_in_tmp_folder.yml | 6 +-- ...e_event_win_susp_recycle_bin_fake_exec.yml | 6 +-- ...vent_win_susp_spool_drivers_color_drop.yml | 4 +- ...nt_win_susp_startup_folder_persistence.yml | 4 +- ...win_susp_system_interactive_powershell.yml | 4 +- .../file_event_win_susp_task_write.yml | 4 +- ...ent_win_susp_teamviewer_remote_session.yml | 4 +- ...ent_win_susp_vscode_powershell_profile.yml | 6 +-- ...vent_win_susp_windows_terminal_profile.yml | 2 +- ..._event_win_susp_winsxs_binary_creation.yml | 2 +- ..._sysinternals_livekd_default_dump_name.yml | 6 +-- ...e_event_win_sysinternals_livekd_driver.yml | 6 +-- ...sinternals_livekd_driver_susp_creation.yml | 6 +-- ...internals_procexp_driver_susp_creation.yml | 4 +- ...internals_procmon_driver_susp_creation.yml | 4 +- ..._event_win_sysinternals_psexec_service.yml | 4 +- ...nt_win_sysinternals_psexec_service_key.yml | 8 ++-- ...em32_local_folder_privilege_escalation.yml | 8 ++-- .../file_event_win_taskmgr_lsass_dump.yml | 4 +- ...e_event_win_tsclient_filewrite_startup.yml | 6 +-- ..._event_win_uac_bypass_consent_comctl32.yml | 8 ++-- ...e_event_win_uac_bypass_dotnet_profiler.yml | 8 ++-- .../file_event_win_uac_bypass_eventvwr.yml 
| 8 ++-- ...ent_win_uac_bypass_idiagnostic_profile.yml | 6 +-- .../file_event_win_uac_bypass_ieinstal.yml | 8 ++-- ...file_event_win_uac_bypass_msconfig_gui.yml | 8 ++-- ...vent_win_uac_bypass_ntfs_reparse_point.yml | 8 ++-- .../file_event_win_uac_bypass_winsat.yml | 8 ++-- .../file_event_win_uac_bypass_wmp.yml | 8 ++-- ...le_event_win_vhd_download_via_browsers.yml | 6 +-- ...scode_tunnel_remote_creation_artefacts.yml | 4 +- ...nt_win_vscode_tunnel_renamed_execution.yml | 4 +- ...ile_event_win_webshell_creation_detect.yml | 4 +- .../file_event_win_werfault_dll_hijacking.yml | 4 +- .../file_event_win_winrm_awl_bypass.yml | 6 +-- ...ersistence_script_event_consumer_write.yml | 4 +- ...ile_event_win_wmiexec_default_filename.yml | 6 +-- ...event_win_wmiprvse_wbemcomn_dll_hijack.yml | 6 +-- .../file_event_win_wpbbin_persistence.yml | 4 +- ...le_event_win_writing_local_admin_share.yml | 6 +-- ...ble_detected_win_susp_embeded_sed_file.yml | 4 +- .../file_rename_win_ransomware.yml | 4 +- ...load_cmstp_load_dll_from_susp_location.yml | 6 +-- ...image_load_dll_amsi_suspicious_process.yml | 6 +-- ...rosoft_account_token_provider_dll_load.yml | 8 ++-- ...msvcs_load_renamed_version_by_rundll32.yml | 8 ++-- ..._load_dll_credui_uncommon_process_load.yml | 6 +-- ...load_dll_dbghelp_dbgcore_unsigned_load.yml | 6 +-- .../image_load_dll_pcre_dotnet_dll_load.yml | 4 +- ...mage_load_dll_rstrtmgr_suspicious_load.yml | 4 +- .../image_load_dll_rstrtmgr_uncommon_load.yml | 4 +- .../image_load_dll_sdiageng_load_by_msdt.yml | 8 ++-- ...system_management_automation_susp_load.yml | 8 ++-- .../image_load_dll_tttracer_module_load.yml | 8 ++-- .../image_load_dll_vss_ps_susp_load.yml | 6 +-- .../image_load_dll_vssapi_susp_load.yml | 6 +-- .../image_load_dll_vsstrace_susp_load.yml | 6 +-- .../image_load_hktl_sharpevtmute.yml | 6 +-- .../image_load_hktl_silenttrinity_stager.yml | 6 +-- ...load_iexplore_dcom_iertutil_dll_hijack.yml | 8 ++-- .../image_load_lsass_unsigned_image_load.yml | 6 +-- 
...e_load_office_dotnet_assembly_dll_load.yml | 4 +- .../image_load_office_dotnet_clr_dll_load.yml | 4 +- .../image_load_office_dotnet_gac_dll_load.yml | 4 +- .../image_load_office_dsparse_dll_load.yml | 4 +- .../image_load_office_excel_xll_susp_load.yml | 2 +- .../image_load_office_kerberos_dll_load.yml | 4 +- ...image_load_office_outlook_outlvba_load.yml | 4 +- .../image_load_office_powershell_dll_load.yml | 4 +- .../image_load_office_vbadll_load.yml | 4 +- .../image_load_rundll32_remote_share_load.yml | 2 +- ...e_load_scrcons_wmi_scripteventconsumer.yml | 8 ++-- .../image_load/image_load_side_load_7za.yml | 6 +-- ..._load_side_load_abused_dlls_susp_paths.yml | 2 +- .../image_load_side_load_antivirus.yml | 8 ++-- .../image_load_side_load_appverifui.yml | 6 +-- ...aruba_networks_virtual_intranet_access.yml | 6 +-- .../image_load_side_load_avkkid.yml | 6 +-- .../image_load_side_load_ccleaner_du.yml | 6 +-- ...ge_load_side_load_ccleaner_reactivator.yml | 6 +-- ...age_load_side_load_chrome_frame_helper.yml | 8 ++-- ...image_load_side_load_classicexplorer32.yml | 6 +-- .../image_load_side_load_comctl32.yml | 8 ++-- .../image_load_side_load_coregen.yml | 4 +- ...side_load_cpl_from_non_system_location.yml | 4 +- .../image_load_side_load_dbgcore.yml | 8 ++-- .../image_load_side_load_dbghelp.yml | 8 ++-- .../image_load_side_load_dbgmodel.yml | 8 ++-- .../image_load_side_load_eacore.yml | 6 +-- .../image_load_side_load_edputil.yml | 6 +-- ...oad_side_load_from_non_system_location.yml | 8 ++-- .../image_load_side_load_goopdate.yml | 8 ++-- .../image_load_side_load_gup_libcurl.yml | 6 +-- .../image_load_side_load_iviewers.yml | 6 +-- .../image_load_side_load_jsschhlp.yml | 6 +-- .../image_load_side_load_keyscrambler.yml | 6 +-- .../image_load_side_load_libvlc.yml | 6 +-- .../image_load_side_load_mfdetours.yml | 6 +-- ...mage_load_side_load_mfdetours_unsigned.yml | 6 +-- .../image_load/image_load_side_load_mpsvc.yml | 4 +- .../image_load_side_load_mscorsvc.yml | 4 +- 
...image_load_side_load_non_existent_dlls.yml | 10 ++--- .../image_load_side_load_office_dlls.yml | 8 ++-- .../image_load/image_load_side_load_rcdll.yml | 8 ++-- ...side_load_rjvplatform_default_location.yml | 6 +-- ..._load_rjvplatform_non_default_location.yml | 6 +-- .../image_load_side_load_robform.yml | 6 +-- .../image_load_side_load_shell_chrome_api.yml | 6 +-- .../image_load_side_load_shelldispatch.yml | 6 +-- .../image_load_side_load_smadhook.yml | 6 +-- .../image_load_side_load_solidpdfcreator.yml | 6 +-- .../image_load_side_load_third_party.yml | 6 +-- .../image_load_side_load_ualapi.yml | 6 +-- .../image_load_side_load_vivaldi_elf.yml | 6 +-- .../image_load_side_load_vmguestlib.yml | 6 +-- ...ge_load_side_load_vmmap_dbghelp_signed.yml | 6 +-- ..._load_side_load_vmmap_dbghelp_unsigned.yml | 8 ++-- .../image_load_side_load_vmware_xfer.yml | 6 +-- .../image_load_side_load_waveedit.yml | 6 +-- .../image_load/image_load_side_load_wazuh.yml | 8 ++-- .../image_load_side_load_windows_defender.yml | 6 +-- .../image_load/image_load_side_load_wwlib.yml | 6 +-- .../image_load_spoolsv_dll_load.yml | 12 +++--- ..._susp_clickonce_unsigned_module_loaded.yml | 2 +- ...mage_load_susp_dll_load_system_process.yml | 6 +-- .../image_load_susp_python_image_load.yml | 6 +-- ...e_load_susp_script_dotnet_clr_dll_load.yml | 6 +-- .../image_load_susp_unsigned_dll.yml | 6 +-- .../image_load_thor_unsigned_execution.yml | 4 +- .../image_load_uac_bypass_iscsicpl.yml | 8 ++-- .../image_load_uac_bypass_via_dism.yml | 8 ++-- ...persistence_commandline_event_consumer.yml | 4 +- ...ge_load_wmic_remote_xsl_scripting_dlls.yml | 6 +-- ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml | 6 +-- .../image_load_wsman_provider_image_load.yml | 6 +-- ...net_connection_win_addinutil_initiated.yml | 6 +-- ...tion_win_certutil_initiated_connection.yml | 6 +-- ...nection_win_cmstp_initiated_connection.yml | 6 +-- ...ection_win_dialer_initiated_connection.yml | 2 +- 
...et_connection_win_domain_azurewebsites.yml | 6 +-- ...n_win_domain_cloudflared_communication.yml | 4 +- ...nection_win_domain_crypto_mining_pools.yml | 4 +- ...nection_win_domain_dead_drop_resolvers.yml | 8 ++-- .../net_connection_win_domain_devtunnels.yml | 2 +- .../net_connection_win_domain_dropbox_api.yml | 4 +- ...nnection_win_domain_external_ip_lookup.yml | 4 +- ...n_domain_google_api_non_browser_access.yml | 6 +-- ...onnection_win_domain_localtonet_tunnel.yml | 4 +- .../net_connection_win_domain_mega_nz.yml | 4 +- .../net_connection_win_domain_ngrok.yml | 4 +- ...net_connection_win_domain_ngrok_tunnel.yml | 6 +-- ...n_domain_notion_api_susp_communication.yml | 4 +- .../net_connection_win_domain_portmap.yml | 4 +- ...domain_telegram_api_non_browser_access.yml | 4 +- ...on_win_domain_vscode_tunnel_connection.yml | 2 +- .../net_connection_win_eqnedt.yml | 4 +- .../net_connection_win_imewdbld.yml | 6 +-- .../net_connection_win_notepad.yml | 8 ++-- ...ction_win_office_outbound_non_local_ip.yml | 4 +- ...t_connection_win_office_uncommon_ports.yml | 8 ++-- .../net_connection_win_python.yml | 4 +- ...n_rdp_outbound_over_non_standard_tools.yml | 6 +-- .../net_connection_win_rdp_reverse_tunnel.yml | 8 ++-- .../net_connection_win_rdp_to_http.yml | 8 ++-- ...connection_win_regasm_network_activity.yml | 4 +- ...nnection_win_regsvr32_network_activity.yml | 6 +-- ...onnection_win_rundll32_net_connections.yml | 6 +-- ..._silenttrinity_stager_msbuild_activity.yml | 4 +- ..._connection_win_susp_binary_no_cmdline.yml | 4 +- ...susp_file_sharing_domains_susp_folders.yml | 8 ++-- ...iated_uncommon_or_suspicious_locations.yml | 6 +-- ...nection_win_susp_malware_callback_port.yml | 6 +-- ...n_susp_malware_callback_ports_uncommon.yml | 6 +-- ..._win_susp_outbound_kerberos_connection.yml | 8 ++-- ...n_win_susp_outbound_mobsync_connection.yml | 6 +-- ...ion_win_susp_outbound_smtp_connections.yml | 4 +- ...ion_win_susp_remote_powershell_session.yml | 6 +-- 
...onnection_win_winlogon_net_connections.yml | 8 ++-- ..._connection_win_wordpad_uncommon_ports.yml | 8 ++-- ...n_win_wscript_cscript_local_connection.yml | 6 +-- ...in_wscript_cscript_outbound_connection.yml | 6 +-- ...nection_win_wuauclt_network_connection.yml | 6 +-- ...dfs_namedpipe_connection_uncommon_tool.yml | 4 +- .../pipe_created_hktl_cobaltstrike.yml | 8 ++-- .../pipe_created_hktl_cobaltstrike_re.yml | 8 ++-- ...d_hktl_cobaltstrike_susp_pipe_patterns.yml | 8 ++-- .../pipe_created_hktl_coercedpotato.yml | 6 +-- .../pipe_created_hktl_diagtrack_eop.yml | 6 +-- .../pipe_created_hktl_efspotato.yml | 8 ++-- ...ted_hktl_generic_cred_dump_tools_pipes.yml | 6 +-- .../pipe_created_hktl_koh_default_pipe.yml | 8 ++-- ...created_powershell_alternate_host_pipe.yml | 4 +- ...pipe_created_powershell_execution_pipe.yml | 4 +- .../pipe_created_pua_csexec_default_pipe.yml | 8 ++-- .../pipe_created_pua_paexec_default_pipe.yml | 2 +- .../pipe_created_pua_remcom_default_pipe.yml | 8 ++-- ...created_scrcons_wmi_consumer_namedpipe.yml | 4 +- ...pipe_created_susp_malicious_namedpipes.yml | 8 ++-- ...nals_psexec_default_pipe_susp_location.yml | 4 +- ...osh_pc_abuse_nslookup_with_dns_records.yml | 4 +- .../posh_pc_delete_volume_shadow_copies.yml | 4 +- .../posh_pc_downgrade_attack.yml | 6 +-- .../posh_pc_exe_calling_ps.yml | 6 +-- .../powershell_classic/posh_pc_powercat.yml | 6 +-- .../posh_pc_remote_powershell_session.yml | 6 +-- .../posh_pc_remotefxvgpudisablement_abuse.yml | 6 +-- .../posh_pc_renamed_powershell.yml | 4 +- .../posh_pc_susp_download.yml | 4 +- .../posh_pc_susp_get_nettcpconnection.yml | 4 +- .../posh_pc_susp_zip_compress.yml | 4 +- ...posh_pc_tamper_windows_defender_set_mp.yml | 6 +-- ...sh_pc_wsman_com_provider_no_powershell.yml | 6 +-- .../posh_pc_xor_commandline.yml | 4 +- ..._pm_active_directory_module_dll_import.yml | 2 +- .../posh_pm_alternate_powershell_hosts.yml | 4 +- .../posh_pm_bad_opsec_artifacts.yml | 4 +- .../posh_pm_clear_powershell_history.yml | 6 
+-- .../posh_pm_decompress_commands.yml | 6 +-- .../posh_pm_exploit_scripts.yml | 6 +-- .../posh_pm_get_addbaccount.yml | 4 +- .../posh_pm_get_clipboard.yml | 4 +- .../posh_pm_hktl_evil_winrm_execution.yml | 4 +- .../posh_pm_invoke_obfuscation_clip.yml | 6 +-- ...h_pm_invoke_obfuscation_obfuscated_iex.yml | 6 +-- .../posh_pm_invoke_obfuscation_stdin.yml | 6 +-- .../posh_pm_invoke_obfuscation_var.yml | 6 +-- ...osh_pm_invoke_obfuscation_via_compress.yml | 6 +-- .../posh_pm_invoke_obfuscation_via_rundll.yml | 6 +-- .../posh_pm_invoke_obfuscation_via_stdin.yml | 6 +-- ...osh_pm_invoke_obfuscation_via_use_clip.yml | 6 +-- ...sh_pm_invoke_obfuscation_via_use_mhsta.yml | 6 +-- ...pm_invoke_obfuscation_via_use_rundll32.yml | 6 +-- .../posh_pm_invoke_obfuscation_via_var.yml | 6 +-- .../posh_pm_malicious_commandlets.yml | 4 +- .../posh_pm_remote_powershell_session.yml | 6 +-- .../posh_pm_remotefxvgpudisablement_abuse.yml | 6 +-- .../posh_pm_susp_ad_group_reco.yml | 4 +- .../posh_pm_susp_download.yml | 4 +- .../posh_pm_susp_get_nettcpconnection.yml | 4 +- .../posh_pm_susp_invocation_generic.yml | 4 +- .../posh_pm_susp_invocation_specific.yml | 6 +-- .../posh_pm_susp_local_group_reco.yml | 4 +- ..._pm_susp_reset_computermachinepassword.yml | 4 +- .../posh_pm_susp_smb_share_reco.yml | 4 +- .../posh_pm_susp_zip_compress.yml | 4 +- .../posh_pm_syncappvpublishingserver_exe.yml | 6 +-- ...posh_ps_aadinternals_cmdlets_execution.yml | 4 +- .../posh_ps_access_to_browser_login_data.yml | 6 +-- ..._ps_active_directory_module_dll_import.yml | 2 +- .../posh_ps_add_dnsclient_rule.yml | 4 +- .../posh_ps_add_windows_capability.yml | 4 +- .../posh_ps_adrecon_execution.yml | 4 +- .../posh_ps_amsi_bypass_pattern_nov22.yml | 4 +- .../posh_ps_amsi_null_bits_bypass.yml | 6 +-- .../posh_ps_apt_silence_eda.yml | 6 +-- .../posh_ps_as_rep_roasting.yml | 2 +- .../posh_ps_audio_exfiltration.yml | 2 +- .../posh_ps_automated_collection.yml | 4 +- .../posh_ps_capture_screenshots.yml | 4 +- 
.../posh_ps_clear_powershell_history.yml | 6 +-- ...sh_ps_clearing_windows_console_history.yml | 6 +-- .../posh_ps_cmdlet_scheduled_task.yml | 2 +- ...h_ps_computer_discovery_get_adcomputer.yml | 2 +- .../posh_ps_copy_item_system_directory.yml | 6 +-- .../posh_ps_cor_profiler.yml | 2 +- .../posh_ps_create_local_user.yml | 4 +- .../posh_ps_create_volume_shadow_copy.yml | 4 +- .../posh_ps_detect_vm_env.yml | 6 +-- .../posh_ps_directorysearcher.yml | 2 +- ...ps_directoryservices_accountmanagement.yml | 2 +- ..._ps_disable_psreadline_command_history.yml | 4 +- ...sh_ps_disable_windows_optional_feature.yml | 4 +- .../posh_ps_dotnet_assembly_from_file.yml | 4 +- .../posh_ps_download_com_cradles.yml | 4 +- .../posh_ps_dsinternals_cmdlets.yml | 2 +- ...mp_password_windows_credential_manager.yml | 6 +-- .../posh_ps_enable_psremoting.yml | 4 +- ...s_enable_susp_windows_optional_feature.yml | 6 +-- ...te_password_windows_credential_manager.yml | 6 +-- .../posh_ps_etw_trace_evasion.yml | 6 +-- ..._exchange_mailbox_smpt_forwarding_rule.yml | 2 +- .../posh_ps_export_certificate.yml | 6 +-- .../posh_ps_frombase64string_archive.yml | 4 +- .../posh_ps_get_acl_service.yml | 2 +- .../posh_ps_get_adcomputer.yml | 4 +- .../powershell_script/posh_ps_get_adgroup.yml | 4 +- .../posh_ps_get_adreplaccount.yml | 4 +- .../posh_ps_get_childitem_bookmarks.yml | 4 +- ...et_process_security_software_discovery.yml | 4 +- .../powershell_script/posh_ps_hktl_rubeus.yml | 6 +-- .../powershell_script/posh_ps_hktl_winpwn.yml | 8 ++-- .../powershell_script/posh_ps_hotfix_enum.yml | 2 +- .../posh_ps_icmp_exfiltration.yml | 4 +- .../posh_ps_import_module_susp_dirs.yml | 4 +- ...posh_ps_install_unsigned_appx_packages.yml | 4 +- .../posh_ps_invoke_command_remote.yml | 4 +- .../posh_ps_invoke_dnsexfiltration.yml | 2 +- .../posh_ps_invoke_obfuscation_clip.yml | 6 +-- ...h_ps_invoke_obfuscation_obfuscated_iex.yml | 6 +-- .../posh_ps_invoke_obfuscation_stdin.yml | 6 +-- .../posh_ps_invoke_obfuscation_var.yml | 6 
+-- ...osh_ps_invoke_obfuscation_via_compress.yml | 6 +-- .../posh_ps_invoke_obfuscation_via_rundll.yml | 6 +-- .../posh_ps_invoke_obfuscation_via_stdin.yml | 6 +-- ...osh_ps_invoke_obfuscation_via_use_clip.yml | 6 +-- ...sh_ps_invoke_obfuscation_via_use_mhsta.yml | 6 +-- ...ps_invoke_obfuscation_via_use_rundll32.yml | 6 +-- .../posh_ps_invoke_obfuscation_via_var.yml | 6 +-- .../powershell_script/posh_ps_keylogging.yml | 4 +- .../powershell_script/posh_ps_localuser.yml | 2 +- .../posh_ps_mailboxexport_share.yml | 2 +- .../posh_ps_malicious_commandlets.yml | 8 ++-- .../posh_ps_malicious_keywords.yml | 4 +- ...ps_memorydump_getstoragediagnosticinfo.yml | 4 +- .../posh_ps_modify_group_policy_settings.yml | 6 +-- .../powershell_script/posh_ps_msxml_com.yml | 4 +- .../posh_ps_nishang_malicious_commandlets.yml | 4 +- .../posh_ps_ntfs_ads_access.yml | 6 +-- .../posh_ps_office_comobject_registerxll.yml | 2 +- .../posh_ps_packet_capture.yml | 4 +- .../posh_ps_potential_invoke_mimikatz.yml | 4 +- ...osh_ps_powerview_malicious_commandlets.yml | 4 +- .../posh_ps_prompt_credentials.yml | 6 +-- .../posh_ps_psasyncshell.yml | 2 +- .../powershell_script/posh_ps_psattack.yml | 4 +- .../posh_ps_remote_session_creation.yml | 4 +- .../posh_ps_remotefxvgpudisablement_abuse.yml | 4 +- .../posh_ps_request_kerberos_ticket.yml | 4 +- .../posh_ps_resolve_list_of_ip_from_file.yml | 2 +- .../posh_ps_root_certificate_installed.yml | 6 +-- .../posh_ps_run_from_mount_diskimage.yml | 4 +- ...osh_ps_script_with_upload_capabilities.yml | 4 +- .../posh_ps_send_mailmessage.yml | 2 +- .../posh_ps_sensitive_file_discovery.yml | 2 +- .../powershell_script/posh_ps_set_acl.yml | 4 +- .../posh_ps_set_acl_susp_location.yml | 4 +- ...posh_ps_set_policies_to_unsecure_level.yml | 4 +- .../posh_ps_shellcode_b64.yml | 8 ++-- ...sh_ps_shellintel_malicious_commandlets.yml | 4 +- .../posh_ps_software_discovery.yml | 4 +- ...ps_store_file_in_alternate_data_stream.yml | 6 +-- .../posh_ps_susp_ace_tampering.yml | 6 
+-- .../posh_ps_susp_ad_group_reco.yml | 4 +- .../posh_ps_susp_alias_obfscuation.yml | 4 +- .../posh_ps_susp_clear_eventlog.yml | 4 +- .../posh_ps_susp_directory_enum.yml | 2 +- .../posh_ps_susp_download.yml | 4 +- .../posh_ps_susp_execute_batch_script.yml | 2 +- .../posh_ps_susp_extracting.yml | 6 +-- .../posh_ps_susp_follina_execution.yml | 4 +- ...susp_get_addefaultdomainpasswordpolicy.yml | 2 +- .../posh_ps_susp_get_current_user.yml | 2 +- .../posh_ps_susp_get_gpo.yml | 2 +- .../posh_ps_susp_get_process.yml | 2 +- .../posh_ps_susp_getprocess_lsass.yml | 6 +-- .../posh_ps_susp_gettypefromclsid.yml | 4 +- .../posh_ps_susp_hyper_v_condlet.yml | 4 +- .../posh_ps_susp_invocation_generic.yml | 4 +- .../posh_ps_susp_invocation_specific.yml | 6 +-- ...sh_ps_susp_invoke_webrequest_useragent.yml | 6 +-- .../posh_ps_susp_iofilestream.yml | 6 +-- .../posh_ps_susp_keylogger_activity.yml | 4 +- .../posh_ps_susp_keywords.yml | 4 +- .../posh_ps_susp_local_group_reco.yml | 4 +- .../posh_ps_susp_mail_acces.yml | 4 +- .../posh_ps_susp_mount_diskimage.yml | 4 +- .../posh_ps_susp_mounted_share_deletion.yml | 6 +-- .../posh_ps_susp_networkcredential.yml | 4 +- .../posh_ps_susp_new_psdrive.yml | 4 +- .../posh_ps_susp_proxy_scripts.yml | 4 +- .../posh_ps_susp_recon_export.yml | 4 +- .../posh_ps_susp_remove_adgroupmember.yml | 2 +- ..._service_dacl_modification_set_service.yml | 6 +-- .../posh_ps_susp_set_alias.yml | 4 +- .../posh_ps_susp_smb_share_reco.yml | 4 +- .../posh_ps_susp_ssl_keyword.yml | 4 +- .../posh_ps_susp_start_process.yml | 4 +- .../posh_ps_susp_unblock_file.yml | 4 +- .../posh_ps_susp_wallpaper.yml | 2 +- .../posh_ps_susp_win32_pnpentity.yml | 4 +- .../posh_ps_susp_win32_shadowcopy.yml | 4 +- ...posh_ps_susp_win32_shadowcopy_deletion.yml | 4 +- .../posh_ps_susp_windowstyle.yml | 6 +-- .../posh_ps_susp_write_eventlog.yml | 4 +- .../posh_ps_susp_zip_compress.yml | 4 +- .../posh_ps_syncappvpublishingserver_exe.yml | 6 +-- ...posh_ps_tamper_windows_defender_rem_mp.yml | 4 
+- ...posh_ps_tamper_windows_defender_set_mp.yml | 6 +-- .../posh_ps_test_netconnection.yml | 4 +- .../powershell_script/posh_ps_timestomp.yml | 6 +-- .../posh_ps_token_obfuscation.yml | 12 +++--- .../posh_ps_user_discovery_get_aduser.yml | 2 +- .../posh_ps_user_profile_tampering.yml | 6 +-- ..._ps_using_set_service_to_hide_services.yml | 6 +-- ...osh_ps_veeam_credential_dumping_script.yml | 4 +- .../posh_ps_web_request_cmd_and_cmdlets.yml | 4 +- .../posh_ps_win32_nteventlogfile_usage.yml | 4 +- .../posh_ps_win32_product_install_msi.yml | 4 +- .../posh_ps_win_api_susp_access.yml | 4 +- .../posh_ps_win_defender_exclusions_added.yml | 6 +-- ...h_ps_windows_firewall_profile_disabled.yml | 6 +-- .../posh_ps_winlogon_helper_dll.yml | 4 +- .../posh_ps_wmi_persistence.yml | 6 +-- .../posh_ps_wmi_unquoted_service_search.yml | 4 +- .../powershell_script/posh_ps_wmimplant.yml | 4 +- .../posh_ps_x509enrollment.yml | 4 +- .../powershell_script/posh_ps_xml_iex.yml | 4 +- ...c_access_win_cmstp_execution_by_access.yml | 6 +-- ...ktl_cobaltstrike_bof_injection_pattern.yml | 6 +-- .../proc_access_win_hktl_generic_access.yml | 4 +- ...ccess_win_hktl_handlekatz_lsass_access.yml | 6 +-- ...n_hktl_littlecorporal_generated_maldoc.yml | 4 +- .../proc_access_win_hktl_sysmonente.yml | 6 +-- ...proc_access_win_lsass_dump_comsvcs_dll.yml | 6 +-- ...oc_access_win_lsass_dump_keyword_image.yml | 6 +-- .../proc_access_win_lsass_memdump.yml | 6 +-- ...roc_access_win_lsass_python_based_tool.yml | 10 ++--- ...s_win_lsass_remote_access_trough_winrm.yml | 8 ++-- .../proc_access_win_lsass_seclogon_access.yml | 4 +- ...proc_access_win_lsass_susp_access_flag.yml | 6 +-- .../proc_access_win_lsass_werfault.yml | 6 +-- ...ss_win_lsass_whitelisted_process_names.yml | 6 +-- ...ss_win_susp_all_access_uncommon_target.yml | 6 +-- ...ess_win_susp_direct_ntopenprocess_call.yml | 4 +- ..._access_win_svchost_credential_dumping.yml | 4 +- ...access_win_svchost_susp_access_request.yml | 6 +-- 
...in_uac_bypass_editionupgrademanagerobj.yml | 8 ++-- ...roc_access_win_uac_bypass_wow64_logger.yml | 8 ++-- ...proc_creation_win_7zip_exfil_dmp_files.yml | 4 +- ...creation_win_7zip_password_compression.yml | 4 +- ...ation_win_addinutil_suspicious_cmdline.yml | 4 +- ...n_win_addinutil_uncommon_child_process.yml | 4 +- ...reation_win_addinutil_uncommon_cmdline.yml | 4 +- ...eation_win_addinutil_uncommon_dir_exec.yml | 4 +- .../proc_creation_win_adplus_memory_dump.yml | 6 +-- ...tion_win_agentexecutor_potential_abuse.yml | 6 +-- ..._creation_win_agentexecutor_susp_usage.yml | 6 +-- ...tion_win_appvlp_uncommon_child_process.yml | 6 +-- ...creation_win_aspnet_compiler_exectuion.yml | 6 +-- ...win_aspnet_compiler_susp_child_process.yml | 4 +- ...reation_win_aspnet_compiler_susp_paths.yml | 4 +- ..._creation_win_at_interactive_execution.yml | 6 +-- ...on_win_atbroker_uncommon_ats_execution.yml | 6 +-- .../proc_creation_win_attrib_hiding_files.yml | 6 +-- ..._creation_win_attrib_system_susp_paths.yml | 6 +-- ...ion_win_auditpol_nt_resource_kit_usage.yml | 6 +-- ...c_creation_win_auditpol_susp_execution.yml | 6 +-- ...oc_creation_win_bash_command_execution.yml | 6 +-- .../proc_creation_win_bash_file_execution.yml | 4 +- ..._creation_win_bcdedit_boot_conf_tamper.yml | 4 +- ...oc_creation_win_bcdedit_susp_execution.yml | 6 +-- ...on_win_bginfo_suspicious_child_process.yml | 4 +- ...tion_win_bginfo_uncommon_child_process.yml | 6 +-- ...c_creation_win_bitlockertogo_execution.yml | 4 +- .../proc_creation_win_bitsadmin_download.yml | 6 +-- ...ation_win_bitsadmin_download_direct_ip.yml | 6 +-- ...itsadmin_download_file_sharing_domains.yml | 6 +-- ...win_bitsadmin_download_susp_extensions.yml | 6 +-- ...n_bitsadmin_download_susp_targetfolder.yml | 6 +-- ...tsadmin_download_uncommon_targetfolder.yml | 6 +-- ...on_win_bitsadmin_potential_persistence.yml | 6 +-- ...n_browsers_chromium_headless_debugging.yml | 4 +- ...on_win_browsers_chromium_headless_exec.yml | 4 +- 
...owsers_chromium_headless_file_download.yml | 6 +-- ...n_win_browsers_chromium_load_extension.yml | 4 +- ...on_win_browsers_chromium_mockbin_abuse.yml | 2 +- ..._browsers_chromium_susp_load_extension.yml | 4 +- ...tion_win_browsers_inline_file_download.yml | 6 +-- ...creation_win_browsers_remote_debugging.yml | 6 +-- ...oc_creation_win_browsers_tor_execution.yml | 6 +-- .../proc_creation_win_calc_uncommon_exec.yml | 6 +-- ...on_win_cdb_arbitrary_command_execution.yml | 6 +-- ...n_win_certmgr_certificate_installation.yml | 6 +-- .../proc_creation_win_certoc_download.yml | 6 +-- ...creation_win_certoc_download_direct_ip.yml | 4 +- .../proc_creation_win_certoc_load_dll.yml | 6 +-- ...ion_win_certoc_load_dll_susp_locations.yml | 6 +-- ..._win_certutil_certificate_installation.yml | 8 ++-- .../proc_creation_win_certutil_decode.yml | 6 +-- .../proc_creation_win_certutil_download.yml | 4 +- ...eation_win_certutil_download_direct_ip.yml | 4 +- ...certutil_download_file_sharing_domains.yml | 6 +-- .../proc_creation_win_certutil_encode.yml | 6 +-- ...on_win_certutil_encode_susp_extensions.yml | 6 +-- ...tion_win_certutil_encode_susp_location.yml | 6 +-- .../proc_creation_win_certutil_export_pfx.yml | 6 +-- ...oc_creation_win_certutil_ntlm_coercion.yml | 6 +-- ...proc_creation_win_chcp_codepage_lookup.yml | 4 +- ...proc_creation_win_chcp_codepage_switch.yml | 6 +-- ...tion_win_cipher_overwrite_deleted_data.yml | 4 +- ...ion_win_citrix_trolleyexpress_procdump.yml | 8 ++-- .../proc_creation_win_clip_execution.yml | 4 +- ...ion_win_cloudflared_portable_execution.yml | 4 +- ..._win_cloudflared_quicktunnel_execution.yml | 4 +- ...reation_win_cloudflared_tunnel_cleanup.yml | 6 +-- ...oc_creation_win_cloudflared_tunnel_run.yml | 6 +-- .../proc_creation_win_cmd_assoc_execution.yml | 4 +- ..._cmd_assoc_tamper_exe_file_association.yml | 4 +- ...c_creation_win_cmd_copy_dmp_from_share.yml | 6 +-- ...ation_win_cmd_curl_download_exec_combo.yml | 8 ++-- 
.../proc_creation_win_cmd_del_execution.yml | 6 +-- ...c_creation_win_cmd_del_greedy_deletion.yml | 6 +-- .../proc_creation_win_cmd_dir_execution.yml | 4 +- .../proc_creation_win_cmd_dosfuscation.yml | 4 +- .../proc_creation_win_cmd_http_appdata.yml | 6 +-- .../proc_creation_win_cmd_mklink_osk_cmd.yml | 6 +-- ...md_mklink_shadow_copies_access_symlink.yml | 6 +-- ...reation_win_cmd_net_use_and_exec_combo.yml | 4 +- ...oc_creation_win_cmd_no_space_execution.yml | 4 +- ...oc_creation_win_cmd_ntdllpipe_redirect.yml | 6 +-- .../proc_creation_win_cmd_path_traversal.yml | 4 +- ...n_win_cmd_ping_copy_combined_execution.yml | 6 +-- ...on_win_cmd_ping_del_combined_execution.yml | 6 +-- ...eation_win_cmd_redirection_susp_folder.yml | 6 +-- .../proc_creation_win_cmd_rmdir_execution.yml | 6 +-- ...roc_creation_win_cmd_shadowcopy_access.yml | 4 +- .../proc_creation_win_cmd_stdin_redirect.yml | 4 +- ...cmd_sticky_key_like_backdoor_execution.yml | 6 +-- ...c_creation_win_cmd_sticky_keys_replace.yml | 6 +-- ...n_win_cmd_type_arbitrary_file_download.yml | 4 +- .../proc_creation_win_cmd_unusual_parent.yml | 4 +- ...eation_win_cmdkey_adding_generic_creds.yml | 6 +-- .../proc_creation_win_cmdkey_recon.yml | 6 +-- ...ion_win_cmdl32_arbitrary_file_download.yml | 6 +-- ...eation_win_cmstp_execution_by_creation.yml | 6 +-- ...win_configsecuritypolicy_download_file.yml | 4 +- ...eation_win_conhost_headless_powershell.yml | 4 +- ...roc_creation_win_conhost_legacy_option.yml | 4 +- ...oc_creation_win_conhost_path_traversal.yml | 2 +- ...reation_win_conhost_susp_child_process.yml | 6 +-- ...c_creation_win_conhost_uncommon_parent.yml | 4 +- .../proc_creation_win_control_panel_item.yml | 6 +-- ...eation_win_createdump_lolbin_execution.yml | 6 +-- ...ation_win_csc_susp_dynamic_compilation.yml | 6 +-- .../proc_creation_win_csc_susp_parent.yml | 6 +-- .../proc_creation_win_csi_execution.yml | 6 +-- ...creation_win_csi_use_of_csharp_console.yml | 4 +- .../proc_creation_win_csvde_export.yml | 2 +- 
...roc_creation_win_curl_cookie_hijacking.yml | 2 +- ...oc_creation_win_curl_custom_user_agent.yml | 2 +- ...ation_win_curl_download_direct_ip_exec.yml | 2 +- ...url_download_direct_ip_susp_extensions.yml | 2 +- ...url_download_susp_file_sharing_domains.yml | 4 +- ..._creation_win_curl_insecure_connection.yml | 2 +- ...reation_win_curl_insecure_porxy_or_doh.yml | 2 +- ...proc_creation_win_curl_local_file_read.yml | 2 +- .../proc_creation_win_curl_susp_download.yml | 6 +-- ...64_arbitrary_command_and_dll_execution.yml | 6 +-- ...win_defaultpack_uncommon_child_process.yml | 6 +-- ...desktopimgdownldr_remote_file_download.yml | 4 +- ...n_win_desktopimgdownldr_susp_execution.yml | 6 +-- ...ion_win_deviceenroller_dll_sideloading.yml | 6 +-- ...proc_creation_win_devinit_lolbin_usage.yml | 6 +-- ...n_win_dfsvc_suspicious_child_processes.yml | 4 +- .../proc_creation_win_dirlister_execution.yml | 4 +- ...tion_win_diskshadow_child_process_susp.yml | 4 +- ...on_win_diskshadow_script_mode_susp_ext.yml | 6 +-- ...n_diskshadow_script_mode_susp_location.yml | 4 +- ..._creation_win_dll_sideload_vmware_xfer.yml | 4 +- ..._creation_win_dllhost_no_cli_execution.yml | 6 +-- ...n_win_dns_exfiltration_tools_execution.yml | 6 +-- ...oc_creation_win_dns_susp_child_process.yml | 6 +-- .../proc_creation_win_dnscmd_discovery.yml | 4 +- ...md_install_new_server_level_plugin_dll.yml | 6 +-- ...c_creation_win_dnx_execute_csharp_code.yml | 6 +-- ..._dotnet_arbitrary_dll_csproj_execution.yml | 6 +-- ...tion_win_dotnet_trace_lolbin_execution.yml | 4 +- ...oc_creation_win_dotnetdump_memory_dump.yml | 4 +- .../proc_creation_win_driverquery_recon.yml | 4 +- .../proc_creation_win_driverquery_usage.yml | 4 +- ..._creation_win_dsacls_abuse_permissions.yml | 6 +-- ...roc_creation_win_dsacls_password_spray.yml | 6 +-- .../proc_creation_win_dsim_remove.yml | 6 +-- ...ion_win_dsquery_domain_trust_discovery.yml | 6 +-- .../proc_creation_win_dtrace_kernel_dump.yml | 2 +- 
...n_win_dump64_defender_av_bypass_rename.yml | 6 +-- ...oc_creation_win_dumpminitool_execution.yml | 6 +-- ...eation_win_dumpminitool_susp_execution.yml | 6 +-- .../proc_creation_win_esentutl_params.yml | 6 +-- ...ation_win_esentutl_sensitive_file_copy.yml | 6 +-- .../proc_creation_win_esentutl_webcache.yml | 4 +- ...eation_win_eventvwr_susp_child_process.yml | 8 ++-- ...proc_creation_win_expand_cabinet_files.yml | 6 +-- ...eation_win_explorer_break_process_tree.yml | 6 +-- .../proc_creation_win_explorer_nouaccheck.yml | 6 +-- .../proc_creation_win_findstr_download.yml | 8 ++-- ...roc_creation_win_findstr_gpp_passwords.yml | 6 +-- .../proc_creation_win_findstr_lnk.yml | 6 +-- .../proc_creation_win_findstr_lsass.yml | 6 +-- ...oc_creation_win_findstr_recon_everyone.yml | 6 +-- ...creation_win_findstr_recon_pipe_output.yml | 4 +- ...on_win_findstr_security_keyword_lookup.yml | 4 +- ..._creation_win_findstr_subfolder_search.yml | 8 ++-- ..._sysmon_discovery_via_default_altitude.yml | 4 +- .../proc_creation_win_finger_execution.yml | 6 +-- .../proc_creation_win_fltmc_unload_driver.yml | 6 +-- ...reation_win_fltmc_unload_driver_sysmon.yml | 6 +-- ...in_forfiles_child_process_masquerading.yml | 4 +- ...creation_win_forfiles_proxy_execution_.yml | 8 ++-- ...on_win_format_uncommon_filesystem_load.yml | 6 +-- ...creation_win_fsi_fsharp_code_execution.yml | 4 +- ..._creation_win_fsutil_drive_enumeration.yml | 4 +- ..._creation_win_fsutil_symlinkevaluation.yml | 4 +- .../proc_creation_win_fsutil_usage.yml | 6 +-- ...on_win_ftp_arbitrary_command_execution.yml | 6 +-- ...ownloadwrapper_arbitrary_file_download.yml | 6 +-- .../proc_creation_win_git_susp_clone.yml | 4 +- ...on_win_googleupdate_susp_child_process.yml | 6 +-- .../proc_creation_win_gpg4win_decryption.yml | 2 +- .../proc_creation_win_gpg4win_encryption.yml | 2 +- ...reation_win_gpg4win_portable_execution.yml | 4 +- ...roc_creation_win_gpg4win_susp_location.yml | 4 +- .../proc_creation_win_gpresult_execution.yml | 2 
+- ...ion_win_gup_arbitrary_binary_execution.yml | 4 +- .../proc_creation_win_gup_download.yml | 6 +-- ..._creation_win_gup_suspicious_execution.yml | 6 +-- .../proc_creation_win_hh_chm_execution.yml | 6 +-- ...in_hh_chm_remote_download_or_execution.yml | 6 +-- ...on_win_hh_html_help_susp_child_process.yml | 8 ++-- .../proc_creation_win_hh_susp_execution.yml | 8 ++-- .../proc_creation_win_hktl_adcspwn.yml | 6 +-- ...reation_win_hktl_bloodhound_sharphound.yml | 4 +- ..._creation_win_hktl_c3_rundll32_pattern.yml | 6 +-- .../proc_creation_win_hktl_certify.yml | 6 +-- .../proc_creation_win_hktl_certipy.yml | 4 +- ...ion_win_hktl_cobaltstrike_bloopers_cmd.yml | 4 +- ...win_hktl_cobaltstrike_bloopers_modules.yml | 4 +- ...win_hktl_cobaltstrike_load_by_rundll32.yml | 6 +-- ...win_hktl_cobaltstrike_process_patterns.yml | 4 +- .../proc_creation_win_hktl_coercedpotato.yml | 8 ++-- .../proc_creation_win_hktl_covenant.yml | 6 +-- ...eation_win_hktl_crackmapexec_execution.yml | 8 ++-- ...n_hktl_crackmapexec_execution_patterns.yml | 4 +- ...reation_win_hktl_crackmapexec_patterns.yml | 6 +-- ...tl_crackmapexec_powershell_obfuscation.yml | 6 +-- .../proc_creation_win_hktl_createminidump.yml | 6 +-- .../proc_creation_win_hktl_dinjector.yml | 6 +-- .../proc_creation_win_hktl_dumpert.yml | 6 +-- .../proc_creation_win_hktl_edrsilencer.yml | 4 +- ...tion_win_hktl_empire_powershell_launch.yml | 4 +- ..._win_hktl_empire_powershell_uac_bypass.yml | 8 ++-- .../proc_creation_win_hktl_evil_winrm.yml | 6 +-- ...ation_win_hktl_execution_via_imphashes.yml | 6 +-- ...ion_win_hktl_execution_via_pe_metadata.yml | 6 +-- .../proc_creation_win_hktl_gmer.yml | 6 +-- .../proc_creation_win_hktl_handlekatz.yml | 6 +-- .../proc_creation_win_hktl_hashcat.yml | 6 +-- ...c_creation_win_hktl_htran_or_natbypass.yml | 6 +-- .../proc_creation_win_hktl_hydra.yml | 6 +-- ...ion_win_hktl_impacket_lateral_movement.yml | 8 ++-- .../proc_creation_win_hktl_impacket_tools.yml | 4 +- 
.../proc_creation_win_hktl_impersonate.yml | 8 ++-- .../proc_creation_win_hktl_inveigh.yml | 6 +-- ...ation_win_hktl_invoke_obfuscation_clip.yml | 6 +-- ...obfuscation_obfuscated_iex_commandline.yml | 6 +-- ...tion_win_hktl_invoke_obfuscation_stdin.yml | 6 +-- ...eation_win_hktl_invoke_obfuscation_var.yml | 6 +-- ...n_hktl_invoke_obfuscation_via_compress.yml | 6 +-- ..._win_hktl_invoke_obfuscation_via_stdin.yml | 6 +-- ...n_hktl_invoke_obfuscation_via_use_clip.yml | 6 +-- ..._hktl_invoke_obfuscation_via_use_mhsta.yml | 6 +-- ...on_win_hktl_invoke_obfuscation_via_var.yml | 6 +-- ...eation_win_hktl_jlaive_batch_execution.yml | 4 +- .../proc_creation_win_hktl_koadic.yml | 4 +- .../proc_creation_win_hktl_krbrelay.yml | 6 +-- ...proc_creation_win_hktl_krbrelay_remote.yml | 4 +- .../proc_creation_win_hktl_krbrelayup.yml | 8 ++-- .../proc_creation_win_hktl_lazagne.yml | 4 +- .../proc_creation_win_hktl_localpotato.yml | 8 ++-- ...reation_win_hktl_meterpreter_getsystem.yml | 6 +-- ...reation_win_hktl_mimikatz_command_line.yml | 6 +-- .../proc_creation_win_hktl_pchunter.yml | 4 +- ...tl_powersploit_empire_default_schtasks.yml | 6 +-- .../proc_creation_win_hktl_powertool.yml | 6 +-- ...eation_win_hktl_purplesharp_indicators.yml | 6 +-- .../proc_creation_win_hktl_pypykatz.yml | 6 +-- .../proc_creation_win_hktl_quarks_pwdump.yml | 6 +-- ...on_win_hktl_redmimicry_winnti_playbook.yml | 6 +-- ..._creation_win_hktl_relay_attacks_tools.yml | 4 +- .../proc_creation_win_hktl_rubeus.yml | 8 ++-- .../proc_creation_win_hktl_safetykatz.yml | 6 +-- .../proc_creation_win_hktl_secutyxploded.yml | 6 +-- .../proc_creation_win_hktl_selectmyparent.yml | 6 +-- .../proc_creation_win_hktl_sharp_chisel.yml | 6 +-- ...reation_win_hktl_sharp_dpapi_execution.yml | 6 +-- ..._creation_win_hktl_sharp_impersonation.yml | 8 ++-- ...c_creation_win_hktl_sharp_ldap_monitor.yml | 4 +- .../proc_creation_win_hktl_sharpersist.yml | 4 +- .../proc_creation_win_hktl_sharpevtmute.yml | 6 +-- 
...proc_creation_win_hktl_sharpldapwhoami.yml | 4 +- .../proc_creation_win_hktl_sharpmove.yml | 4 +- .../proc_creation_win_hktl_sharpup.yml | 6 +-- .../proc_creation_win_hktl_sharpview.yml | 4 +- ...creation_win_hktl_silenttrinity_stager.yml | 6 +-- ...n_win_hktl_sliver_c2_execution_pattern.yml | 4 +- ...ation_win_hktl_stracciatella_execution.yml | 4 +- .../proc_creation_win_hktl_sysmoneop.yml | 8 ++-- .../proc_creation_win_hktl_trufflesnout.yml | 4 +- .../proc_creation_win_hktl_uacme.yml | 8 ++-- .../proc_creation_win_hktl_wce.yml | 6 +-- .../proc_creation_win_hktl_winpeas.yml | 6 +-- .../proc_creation_win_hktl_winpwn.yml | 8 ++-- ...on_win_hktl_wmiexec_default_powershell.yml | 6 +-- .../proc_creation_win_hktl_xordump.yml | 6 +-- .../proc_creation_win_hktl_zipexec.yml | 6 +-- .../proc_creation_win_hostname_execution.yml | 2 +- .../proc_creation_win_hwp_exploits.yml | 6 +-- .../proc_creation_win_hxtsr_masquerading.yml | 6 +-- .../proc_creation_win_icacls_deny.yml | 6 +-- .../proc_creation_win_ieexec_download.yml | 6 +-- ...c_creation_win_iexpress_susp_execution.yml | 6 +-- ...c_creation_win_iis_appcmd_http_logging.yml | 6 +-- ...appcmd_service_account_password_dumped.yml | 6 +-- ...ion_win_iis_appcmd_susp_module_install.yml | 4 +- ...ation_win_iis_appcmd_susp_rewrite_rule.yml | 4 +- ..._win_iis_connection_strings_decryption.yml | 6 +-- ...ation_win_iis_susp_module_registration.yml | 4 +- ...creation_win_ilasm_il_code_compilation.yml | 6 +-- ...ion_win_imagingdevices_unusual_parents.yml | 6 +-- .../proc_creation_win_imewbdld_download.yml | 4 +- ..._infdefaultinstall_execute_sct_scripts.yml | 6 +-- ...proc_creation_win_installutil_download.yml | 6 +-- ...eation_win_instalutil_no_log_execution.yml | 6 +-- ...on_win_java_keytool_susp_child_process.yml | 8 ++-- ...n_java_manageengine_susp_child_process.yml | 6 +-- ...roc_creation_win_java_remote_debugging.yml | 4 +- ...c_creation_win_java_susp_child_process.yml | 8 ++-- ...creation_win_java_susp_child_process_2.yml | 8 
++-- ...n_java_sysaidserver_susp_child_process.yml | 4 +- .../proc_creation_win_jsc_execution.yml | 6 +-- ...tion_win_kavremover_uncommon_execution.yml | 4 +- .../proc_creation_win_kd_execution.yml | 8 ++-- ...on_win_keyscrambler_susp_child_process.yml | 6 +-- ...on_win_ksetup_password_change_computer.yml | 2 +- ...eation_win_ksetup_password_change_user.yml | 2 +- .../proc_creation_win_ldifde_export.yml | 2 +- .../proc_creation_win_ldifde_file_load.yml | 8 ++-- ...ation_win_link_uncommon_parent_process.yml | 6 +-- ...n_lodctr_performance_counter_tampering.yml | 4 +- ...c_creation_win_logman_disable_eventlog.yml | 6 +-- ...oc_creation_win_lolbin_customshellhost.yml | 4 +- ...data_exfiltration_by_using_datasvcutil.yml | 4 +- ...in_lolbin_device_credential_deployment.yml | 4 +- ...c_creation_win_lolbin_devtoolslauncher.yml | 6 +-- .../proc_creation_win_lolbin_diantz_ads.yml | 6 +-- ..._creation_win_lolbin_diantz_remote_cab.yml | 6 +-- .../proc_creation_win_lolbin_extexport.yml | 6 +-- .../proc_creation_win_lolbin_extrac32.yml | 6 +-- .../proc_creation_win_lolbin_extrac32_ads.yml | 6 +-- ...reation_win_lolbin_gather_network_info.yml | 4 +- .../proc_creation_win_lolbin_gpscript.yml | 6 +-- .../proc_creation_win_lolbin_ie4uinit.yml | 6 +-- ..._creation_win_lolbin_launch_vsdevshell.yml | 4 +- .../proc_creation_win_lolbin_manage_bde.yml | 6 +-- ...win_lolbin_mavinject_process_injection.yml | 10 ++--- .../proc_creation_win_lolbin_mpiexec.yml | 6 +-- .../proc_creation_win_lolbin_msdeploy.yml | 6 +-- ...c_creation_win_lolbin_msdt_answer_file.yml | 4 +- .../proc_creation_win_lolbin_openconsole.yml | 2 +- .../proc_creation_win_lolbin_openwith.yml | 6 +-- .../proc_creation_win_lolbin_pcalua.yml | 6 +-- .../proc_creation_win_lolbin_pcwrun.yml | 6 +-- ...roc_creation_win_lolbin_pcwrun_follina.yml | 4 +- .../proc_creation_win_lolbin_pcwutl.yml | 6 +-- .../proc_creation_win_lolbin_pester.yml | 4 +- .../proc_creation_win_lolbin_pester_1.yml | 6 +-- 
.../proc_creation_win_lolbin_printbrm.yml | 6 +-- .../proc_creation_win_lolbin_pubprn.yml | 4 +- ...tion_win_lolbin_rasautou_dll_execution.yml | 4 +- .../proc_creation_win_lolbin_register_app.yml | 4 +- .../proc_creation_win_lolbin_remote.yml | 4 +- .../proc_creation_win_lolbin_replace.yml | 6 +-- .../proc_creation_win_lolbin_runexehelper.yml | 4 +- ...oc_creation_win_lolbin_runscripthelper.yml | 6 +-- .../proc_creation_win_lolbin_scriptrunner.yml | 4 +- ...oc_creation_win_lolbin_settingsynchost.yml | 6 +-- .../proc_creation_win_lolbin_sftp.yml | 4 +- .../proc_creation_win_lolbin_sigverif.yml | 4 +- .../proc_creation_win_lolbin_ssh.yml | 6 +-- ...eation_win_lolbin_susp_acccheckconsole.yml | 2 +- ...ation_win_lolbin_susp_certreq_download.yml | 6 +-- ...olbin_susp_driver_installed_by_pnputil.yml | 4 +- .../proc_creation_win_lolbin_susp_dxcap.yml | 6 +-- .../proc_creation_win_lolbin_susp_grpconv.yml | 2 +- ...ion_win_lolbin_susp_sqldumper_activity.yml | 6 +-- ...n_syncappvpublishingserver_execute_psh.yml | 8 ++-- ...ncappvpublishingserver_vbs_execute_psh.yml | 6 +-- .../proc_creation_win_lolbin_tracker.yml | 6 +-- .../proc_creation_win_lolbin_ttdinject.yml | 4 +- ..._creation_win_lolbin_tttracer_mod_load.yml | 8 ++-- .../proc_creation_win_lolbin_unregmp2.yml | 6 +-- ...c_creation_win_lolbin_utilityfunctions.yml | 4 +- ...ation_win_lolbin_visual_basic_compiler.yml | 6 +-- ...ation_win_lolbin_visualuiaverifynative.yml | 4 +- ...c_creation_win_lolbin_vsiisexelauncher.yml | 4 +- .../proc_creation_win_lolbin_wfc.yml | 4 +- ..._creation_win_lolbin_workflow_compiler.yml | 6 +-- ...oc_creation_win_lolscript_register_app.yml | 6 +-- .../proc_creation_win_lsass_process_clone.yml | 6 +-- ...roc_creation_win_mftrace_child_process.yml | 6 +-- ...reation_win_mmc_mmc20_lateral_movement.yml | 4 +- ...oc_creation_win_mmc_susp_child_process.yml | 6 +-- ...roc_creation_win_mode_codepage_russian.yml | 4 +- .../proc_creation_win_mofcomp_execution.yml | 6 +-- 
...ion_win_mpcmdrun_dll_sideload_defender.yml | 6 +-- ...n_win_mpcmdrun_download_arbitrary_file.yml | 8 ++-- ...run_remove_windows_defender_definition.yml | 6 +-- ...eation_win_msbuild_susp_parent_process.yml | 4 +- ...n_win_msdt_arbitrary_command_execution.yml | 6 +-- ...roc_creation_win_msdt_susp_cab_options.yml | 8 ++-- .../proc_creation_win_msdt_susp_parent.yml | 6 +-- ...roc_creation_win_msedge_proxy_download.yml | 4 +- .../proc_creation_win_mshta_http.yml | 6 +-- ...roc_creation_win_mshta_inline_vbscript.yml | 4 +- .../proc_creation_win_mshta_javascript.yml | 6 +-- ...creation_win_mshta_lethalhta_technique.yml | 6 +-- ...reation_win_mshta_susp_child_processes.yml | 6 +-- ...proc_creation_win_mshta_susp_execution.yml | 8 ++-- .../proc_creation_win_mshta_susp_pattern.yml | 4 +- .../proc_creation_win_msiexec_dll.yml | 6 +-- .../proc_creation_win_msiexec_embedding.yml | 6 +-- .../proc_creation_win_msiexec_execute_dll.yml | 6 +-- ...roc_creation_win_msiexec_install_quiet.yml | 6 +-- ...oc_creation_win_msiexec_install_remote.yml | 6 +-- ...proc_creation_win_msiexec_masquerading.yml | 6 +-- .../proc_creation_win_msiexec_web_install.yml | 8 ++-- .../proc_creation_win_msohtmed_download.yml | 6 +-- .../proc_creation_win_mspub_download.yml | 6 +-- ...oc_creation_win_msra_process_injection.yml | 6 +-- ...reation_win_mssql_sqlps_susp_execution.yml | 6 +-- ...on_win_mssql_sqltoolsps_susp_execution.yml | 6 +-- ..._creation_win_mssql_susp_child_process.yml | 10 ++--- ...n_win_mssql_veaam_susp_child_processes.yml | 6 +-- ...reation_win_mstsc_rdp_hijack_shadowing.yml | 6 +-- ...c_creation_win_mstsc_remote_connection.yml | 6 +-- ..._creation_win_mstsc_run_local_rdp_file.yml | 6 +-- ...mstsc_run_local_rdp_file_susp_location.yml | 4 +- ...n_mstsc_run_local_rpd_file_susp_parent.yml | 6 +-- .../proc_creation_win_msxsl_execution.yml | 6 +-- ...oc_creation_win_msxsl_remote_execution.yml | 4 +- ...tion_win_net_groups_and_accounts_recon.yml | 4 +- 
.../proc_creation_win_net_share_unmount.yml | 6 +-- .../proc_creation_win_net_start_service.yml | 4 +- .../proc_creation_win_net_stop_service.yml | 4 +- ...creation_win_net_use_mount_admin_share.yml | 6 +-- ...ation_win_net_use_mount_internet_share.yml | 6 +-- .../proc_creation_win_net_use_mount_share.yml | 6 +-- ..._net_use_network_connections_discovery.yml | 4 +- ...reation_win_net_use_password_plaintext.yml | 12 +++--- .../proc_creation_win_net_user_add.yml | 4 +- ...creation_win_net_user_add_never_expire.yml | 4 +- ...net_user_default_accounts_manipulation.yml | 4 +- ...n_win_net_view_share_and_sessions_enum.yml | 4 +- .../proc_creation_win_netsh_fw_add_rule.yml | 6 +-- ...etsh_fw_allow_program_in_susp_location.yml | 6 +-- .../proc_creation_win_netsh_fw_allow_rdp.yml | 6 +-- ...proc_creation_win_netsh_fw_delete_rule.yml | 6 +-- .../proc_creation_win_netsh_fw_disable.yml | 6 +-- ...reation_win_netsh_fw_enable_group_rule.yml | 6 +-- ..._creation_win_netsh_fw_rules_discovery.yml | 4 +- .../proc_creation_win_netsh_fw_set_rule.yml | 4 +- ...ation_win_netsh_helper_dll_persistence.yml | 6 +-- ...proc_creation_win_netsh_packet_capture.yml | 6 +-- ...roc_creation_win_netsh_port_forwarding.yml | 10 ++--- ...reation_win_netsh_port_forwarding_3389.yml | 10 ++--- ...n_win_netsh_wifi_credential_harvesting.yml | 6 +-- .../proc_creation_win_nltest_execution.yml | 4 +- .../proc_creation_win_nltest_recon.yml | 6 +-- .../proc_creation_win_node_abuse.yml | 6 +-- ...on_win_node_adobe_creative_cloud_abuse.yml | 4 +- ...creation_win_nslookup_domain_discovery.yml | 2 +- ...eation_win_nslookup_poweshell_download.yml | 8 ++-- .../proc_creation_win_ntdsutil_susp_usage.yml | 4 +- .../proc_creation_win_ntdsutil_usage.yml | 6 +-- ...c_creation_win_odbcconf_driver_install.yml | 4 +- ...ation_win_odbcconf_driver_install_susp.yml | 4 +- ...ation_win_odbcconf_exec_susp_locations.yml | 6 +-- ...ation_win_odbcconf_register_dll_regsvr.yml | 4 +- ..._win_odbcconf_register_dll_regsvr_susp.yml | 4 +- 
...oc_creation_win_odbcconf_response_file.yml | 8 ++-- ...eation_win_odbcconf_response_file_susp.yml | 8 ++-- ...on_win_odbcconf_uncommon_child_process.yml | 4 +- ...tion_win_office_arbitrary_cli_download.yml | 8 ++-- ...win_office_excel_dcom_lateral_movement.yml | 4 +- ...win_office_exec_from_trusted_locations.yml | 6 +-- ...in_office_onenote_susp_child_processes.yml | 6 +-- ...utlook_enable_unsafe_client_mail_rules.yml | 4 +- ...win_office_outlook_execution_from_temp.yml | 6 +-- ...in_office_outlook_susp_child_processes.yml | 4 +- ...ce_outlook_susp_child_processes_remote.yml | 4 +- ..._office_spawn_exe_from_users_directory.yml | 4 +- ...eation_win_office_susp_child_processes.yml | 12 +++--- ...c_creation_win_office_winword_dll_load.yml | 8 ++-- ...flinescannershell_mpclient_sideloading.yml | 6 +-- .../proc_creation_win_pdqdeploy_execution.yml | 6 +-- ...ion_win_pdqdeploy_runner_susp_children.yml | 4 +- ...tion_win_perl_inline_command_execution.yml | 2 +- ...ation_win_php_inline_command_execution.yml | 2 +- .../proc_creation_win_ping_hex_ip.yml | 6 +-- .../proc_creation_win_pktmon_execution.yml | 6 +-- ...roc_creation_win_plink_port_forwarding.yml | 8 ++-- ...proc_creation_win_plink_susp_tunneling.yml | 6 +-- .../proc_creation_win_powercfg_execution.yml | 4 +- ...ershell_aadinternals_cmdlets_execution.yml | 4 +- ...ell_active_directory_module_dll_import.yml | 2 +- ..._win_powershell_add_windows_capability.yml | 4 +- ...win_powershell_amsi_init_failed_bypass.yml | 8 ++-- ...n_win_powershell_amsi_null_bits_bypass.yml | 6 +-- ..._creation_win_powershell_audio_capture.yml | 4 +- ...tion_win_powershell_base64_encoded_cmd.yml | 4 +- ...powershell_base64_encoded_cmd_patterns.yml | 4 +- ...n_win_powershell_base64_encoded_obfusc.yml | 6 +-- ...win_powershell_base64_frombase64string.yml | 6 +-- ...tion_win_powershell_base64_hidden_flag.yml | 4 +- ...roc_creation_win_powershell_base64_iex.yml | 4 +- ..._creation_win_powershell_base64_invoke.yml | 8 ++-- 
...ion_win_powershell_base64_mppreference.yml | 6 +-- ...rshell_base64_reflection_assembly_load.yml | 6 +-- ...base64_reflection_assembly_load_obfusc.yml | 6 +-- ...tion_win_powershell_base64_wmi_classes.yml | 6 +-- ..._creation_win_powershell_cl_invocation.yml | 6 +-- ...reation_win_powershell_cl_loadassembly.yml | 6 +-- ...ation_win_powershell_cl_mutexverifiers.yml | 6 +-- ...ershell_cmdline_convertto_securestring.yml | 6 +-- ...in_powershell_cmdline_reversed_strings.yml | 6 +-- ..._powershell_cmdline_special_characters.yml | 6 +-- ...hell_computer_discovery_get_adcomputer.yml | 4 +- ...creation_win_powershell_create_service.yml | 4 +- ...oc_creation_win_powershell_decode_gzip.yml | 4 +- ...reation_win_powershell_decrypt_pattern.yml | 4 +- ...in_powershell_defender_disable_feature.yml | 6 +-- ...tion_win_powershell_defender_exclusion.yml | 6 +-- ...isable_defender_av_security_monitoring.yml | 6 +-- ...eation_win_powershell_disable_firewall.yml | 6 +-- ...ion_win_powershell_disable_ie_features.yml | 6 +-- ...eation_win_powershell_downgrade_attack.yml | 6 +-- ...on_win_powershell_download_com_cradles.yml | 4 +- ...eation_win_powershell_download_cradles.yml | 6 +-- ...c_creation_win_powershell_download_dll.yml | 4 +- ...c_creation_win_powershell_download_iex.yml | 4 +- ...ation_win_powershell_download_patterns.yml | 4 +- ...ell_download_susp_file_sharing_domains.yml | 2 +- ...ion_win_powershell_dsinternals_cmdlets.yml | 2 +- ...oc_creation_win_powershell_email_exfil.yml | 2 +- ...l_enable_susp_windows_optional_feature.yml | 4 +- .../proc_creation_win_powershell_encode.yml | 4 +- ...ation_win_powershell_encoding_patterns.yml | 6 +-- ...creation_win_powershell_exec_data_file.yml | 2 +- ...tion_win_powershell_export_certificate.yml | 4 +- ...eation_win_powershell_frombase64string.yml | 6 +-- ...in_powershell_frombase64string_archive.yml | 4 +- ..._creation_win_powershell_get_clipboard.yml | 4 +- ...powershell_get_localgroup_member_recon.yml | 2 +- 
...eation_win_powershell_getprocess_lsass.yml | 6 +-- ...wershell_hide_services_via_set_service.yml | 6 +-- ...c_creation_win_powershell_iex_patterns.yml | 4 +- ..._powershell_import_cert_susp_locations.yml | 6 +-- ...win_powershell_import_module_susp_dirs.yml | 2 +- ...ershell_install_unsigned_appx_packages.yml | 4 +- ...ion_win_powershell_invocation_specific.yml | 6 +-- ...powershell_invoke_webrequest_direct_ip.yml | 4 +- ..._powershell_invoke_webrequest_download.yml | 6 +-- ...ion_win_powershell_mailboxexport_share.yml | 4 +- ...ation_win_powershell_malicious_cmdlets.yml | 4 +- ..._powershell_msexchange_transport_agent.yml | 4 +- ...n_powershell_non_interactive_execution.yml | 4 +- ...on_win_powershell_obfuscation_via_utf8.yml | 6 +-- ..._creation_win_powershell_public_folder.yml | 4 +- ...wershell_remotefxvgpudisablement_abuse.yml | 6 +-- ...ion_win_powershell_remove_mppreference.yml | 4 +- ...in_powershell_reverse_shell_connection.yml | 4 +- ...ion_win_powershell_run_script_from_ads.yml | 6 +-- ...owershell_run_script_from_input_stream.yml | 6 +-- ...roc_creation_win_powershell_sam_access.yml | 6 +-- ...on_win_powershell_script_engine_parent.yml | 4 +- ..._service_dacl_modification_set_service.yml | 2 +- .../proc_creation_win_powershell_set_acl.yml | 4 +- ...n_win_powershell_set_acl_susp_location.yml | 4 +- ...ershell_set_policies_to_unsecure_level.yml | 4 +- ...on_win_powershell_set_service_disabled.yml | 4 +- ...ion_win_powershell_shadowcopy_deletion.yml | 4 +- ...reation_win_powershell_snapins_hafnium.yml | 4 +- ...c_creation_win_powershell_stop_service.yml | 4 +- ..._win_powershell_susp_download_patterns.yml | 4 +- ...in_powershell_susp_parameter_variation.yml | 4 +- ...ion_win_powershell_susp_parent_process.yml | 4 +- ...reation_win_powershell_susp_ps_appdata.yml | 4 +- ...on_win_powershell_susp_ps_downloadfile.yml | 6 +-- ...ation_win_powershell_token_obfuscation.yml | 6 +-- ...n_powershell_user_discovery_get_aduser.yml | 4 +- 
...eation_win_powershell_webclient_casing.yml | 4 +- ...creation_win_powershell_x509enrollment.yml | 4 +- ...reation_win_powershell_xor_commandline.yml | 8 ++-- ...c_creation_win_powershell_zip_compress.yml | 4 +- ...creation_win_presentationhost_download.yml | 6 +-- ...resentationhost_uncommon_location_exec.yml | 6 +-- ...ation_win_pressanykey_lolbin_execution.yml | 6 +-- ...oc_creation_win_print_remote_file_copy.yml | 6 +-- ..._creation_win_protocolhandler_download.yml | 6 +-- ...reation_win_provlaunch_potential_abuse.yml | 4 +- ...tion_win_provlaunch_susp_child_process.yml | 4 +- ...c_creation_win_psr_capture_screenshots.yml | 4 +- ...proc_creation_win_pua_3proxy_execution.yml | 6 +-- ...oc_creation_win_pua_adfind_enumeration.yml | 4 +- ...roc_creation_win_pua_adfind_susp_usage.yml | 6 +-- ...c_creation_win_pua_advanced_ip_scanner.yml | 4 +- ...creation_win_pua_advanced_port_scanner.yml | 4 +- .../proc_creation_win_pua_advancedrun.yml | 8 ++-- ...creation_win_pua_advancedrun_priv_user.yml | 8 ++-- .../proc_creation_win_pua_chisel.yml | 6 +-- .../proc_creation_win_pua_cleanwipe.yml | 6 +-- .../proc_creation_win_pua_crassus.yml | 2 +- .../proc_creation_win_pua_csexec.yml | 6 +-- .../proc_creation_win_pua_defendercheck.yml | 6 +-- .../proc_creation_win_pua_ditsnap.yml | 6 +-- .../proc_creation_win_pua_frp.yml | 6 +-- .../proc_creation_win_pua_iox.yml | 6 +-- ...c_creation_win_pua_mouselock_execution.yml | 6 +-- .../proc_creation_win_pua_netcat.yml | 6 +-- .../proc_creation_win_pua_netscan.yml | 2 +- .../proc_creation_win_pua_ngrok.yml | 6 +-- .../proc_creation_win_pua_nimgrab.yml | 6 +-- .../proc_creation_win_pua_nircmd.yml | 4 +- ...proc_creation_win_pua_nircmd_as_system.yml | 4 +- .../proc_creation_win_pua_nmap_zenmap.yml | 4 +- .../proc_creation_win_pua_nps.yml | 6 +-- .../proc_creation_win_pua_nsudo.yml | 4 +- .../proc_creation_win_pua_pingcastle.yml | 2 +- ...ation_win_pua_pingcastle_script_parent.yml | 2 +- .../proc_creation_win_pua_process_hacker.yml | 8 
++-- .../proc_creation_win_pua_radmin.yml | 6 +-- ...proc_creation_win_pua_rcedit_execution.yml | 6 +-- ...proc_creation_win_pua_rclone_execution.yml | 8 ++-- .../proc_creation_win_pua_runxcmd.yml | 4 +- .../proc_creation_win_pua_seatbelt.yml | 4 +- .../proc_creation_win_pua_system_informer.yml | 6 +-- ...oc_creation_win_pua_webbrowserpassview.yml | 6 +-- ..._creation_win_pua_wsudo_susp_execution.yml | 6 +-- .../proc_creation_win_python_adidnsdump.yml | 4 +- ...on_win_python_inline_command_execution.yml | 4 +- .../proc_creation_win_python_pty_spawn.yml | 2 +- ...creation_win_qemu_suspicious_execution.yml | 4 +- .../proc_creation_win_query_session_exfil.yml | 4 +- .../proc_creation_win_rar_compress_data.yml | 4 +- ...tion_win_rar_compression_with_password.yml | 4 +- ...eation_win_rar_susp_greedy_compression.yml | 4 +- .../proc_creation_win_rasdial_execution.yml | 6 +-- ...eation_win_rdrleakdiag_process_dumping.yml | 8 ++-- .../proc_creation_win_reg_add_run_key.yml | 4 +- .../proc_creation_win_reg_add_safeboot.yml | 6 +-- .../proc_creation_win_reg_bitlocker.yml | 4 +- ..._credential_access_via_password_filter.yml | 6 +-- ...oc_creation_win_reg_defender_exclusion.yml | 6 +-- .../proc_creation_win_reg_delete_safeboot.yml | 6 +-- .../proc_creation_win_reg_delete_services.yml | 6 +-- ...tion_win_reg_desktop_background_change.yml | 4 +- ...direct_asep_registry_keys_modification.yml | 4 +- ..._creation_win_reg_disable_sec_services.yml | 6 +-- ...eation_win_reg_dumping_sensitive_hives.yml | 10 ++--- ...creation_win_reg_enable_windows_recall.yml | 2 +- ...numeration_for_credentials_in_registry.yml | 6 +-- ...n_win_reg_import_from_suspicious_paths.yml | 6 +-- ...n_win_reg_lsa_disable_restricted_admin.yml | 6 +-- ...on_win_reg_lsa_ppl_protection_disabled.yml | 6 +-- .../proc_creation_win_reg_machineguid.yml | 2 +- ...n_win_reg_modify_group_policy_settings.yml | 6 +-- .../proc_creation_win_reg_nolmhash.yml | 6 +-- .../proc_creation_win_reg_open_command.yml | 6 +-- 
.../proc_creation_win_reg_query_registry.yml | 4 +- .../proc_creation_win_reg_rdp_keys_tamper.yml | 8 ++-- .../proc_creation_win_reg_screensaver.yml | 6 +-- ...ation_win_reg_service_imagepath_change.yml | 4 +- ...oc_creation_win_reg_software_discovery.yml | 4 +- .../proc_creation_win_reg_susp_paths.yml | 6 +-- .../proc_creation_win_reg_volsnap_disable.yml | 6 +-- ...eation_win_reg_windows_defender_tamper.yml | 6 +-- ...reg_write_protect_for_storage_disabled.yml | 6 +-- ...m_regsvcs_uncommon_extension_execution.yml | 4 +- ...sm_regsvcs_uncommon_location_execution.yml | 6 +-- ...ation_win_regedit_export_critical_keys.yml | 4 +- .../proc_creation_win_regedit_export_keys.yml | 4 +- .../proc_creation_win_regedit_import_keys.yml | 6 +-- ...c_creation_win_regedit_import_keys_ads.yml | 6 +-- ..._creation_win_regedit_trustedinstaller.yml | 6 +-- .../proc_creation_win_regini_ads.yml | 6 +-- .../proc_creation_win_regini_execution.yml | 6 +-- ...tion_win_registry_cimprovider_dll_load.yml | 6 +-- ...gistry_enumeration_for_credentials_cli.yml | 4 +- ...urity_zone_protocol_defaults_downgrade.yml | 4 +- ...registry_install_reg_debugger_backdoor.yml | 6 +-- ...roc_creation_win_registry_logon_script.yml | 4 +- ...tion_win_registry_new_network_provider.yml | 6 +-- ...y_privilege_escalation_via_service_key.yml | 6 +-- ...gistry_provlaunch_provisioning_command.yml | 4 +- ...egistry_set_unsecure_powershell_policy.yml | 4 +- ...n_win_registry_typed_paths_persistence.yml | 2 +- ...oc_creation_win_regsvr32_flags_anomaly.yml | 6 +-- ..._creation_win_regsvr32_http_ip_pattern.yml | 6 +-- ..._creation_win_regsvr32_network_pattern.yml | 8 ++-- ...roc_creation_win_regsvr32_remote_share.yml | 4 +- ...eation_win_regsvr32_susp_child_process.yml | 8 ++-- ...creation_win_regsvr32_susp_exec_path_1.yml | 6 +-- ...creation_win_regsvr32_susp_exec_path_2.yml | 4 +- ..._creation_win_regsvr32_susp_extensions.yml | 8 ++-- ...proc_creation_win_regsvr32_susp_parent.yml | 6 +-- 
...eation_win_regsvr32_uncommon_extension.yml | 6 +-- ...eation_win_remote_access_tools_anydesk.yml | 6 +-- ...s_tools_anydesk_piped_password_via_cli.yml | 6 +-- ...mote_access_tools_anydesk_revoked_cert.yml | 4 +- ...te_access_tools_anydesk_silent_install.yml | 6 +-- ..._remote_access_tools_anydesk_susp_exec.yml | 6 +-- ...ion_win_remote_access_tools_gotoopener.yml | 6 +-- ...eation_win_remote_access_tools_logmein.yml | 6 +-- ...ion_win_remote_access_tools_netsupport.yml | 6 +-- ...mote_access_tools_netsupport_susp_exec.yml | 6 +-- ...ccess_tools_rurat_non_default_location.yml | 6 +-- ..._win_remote_access_tools_screenconnect.yml | 6 +-- ...s_screenconnect_installation_cli_param.yml | 6 +-- ...s_tools_screenconnect_remote_execution.yml | 4 +- ...ls_screenconnect_remote_execution_susp.yml | 6 +-- ...te_access_tools_screenconnect_webshell.yml | 4 +- ...on_win_remote_access_tools_simple_help.yml | 4 +- ...s_tools_teamviewer_incoming_connection.yml | 4 +- ...on_win_remote_access_tools_ultraviewer.yml | 6 +-- ...roc_creation_win_remote_time_discovery.yml | 4 +- .../proc_creation_win_renamed_adfind.yml | 4 +- .../proc_creation_win_renamed_autohotkey.yml | 4 +- .../proc_creation_win_renamed_autoit.yml | 6 +-- .../proc_creation_win_renamed_binary.yml | 6 +-- ...ion_win_renamed_binary_highly_relevant.yml | 12 +++--- .../proc_creation_win_renamed_boinc.yml | 4 +- .../proc_creation_win_renamed_browsercore.yml | 4 +- .../proc_creation_win_renamed_cloudflared.yml | 4 +- .../proc_creation_win_renamed_createdump.yml | 6 +-- .../proc_creation_win_renamed_curl.yml | 6 +-- .../proc_creation_win_renamed_dctask64.yml | 6 +-- .../proc_creation_win_renamed_ftp.yml | 6 +-- .../proc_creation_win_renamed_gpg4win.yml | 2 +- .../proc_creation_win_renamed_jusched.yml | 6 +-- .../proc_creation_win_renamed_mavinject.yml | 8 ++-- .../proc_creation_win_renamed_megasync.yml | 6 +-- .../proc_creation_win_renamed_msdt.yml | 6 +-- .../proc_creation_win_renamed_msteams.yml | 4 +- 
...oc_creation_win_renamed_netsupport_rat.yml | 6 +-- .../proc_creation_win_renamed_nircmd.yml | 4 +- ..._creation_win_renamed_office_processes.yml | 6 +-- .../proc_creation_win_renamed_paexec.yml | 8 ++-- .../proc_creation_win_renamed_pingcastle.yml | 4 +- .../proc_creation_win_renamed_plink.yml | 6 +-- .../proc_creation_win_renamed_pressanykey.yml | 4 +- ...win_renamed_rundll32_dllregisterserver.yml | 4 +- .../proc_creation_win_renamed_rurat.yml | 8 ++-- ...ion_win_renamed_sysinternals_debugview.yml | 6 +-- ...tion_win_renamed_sysinternals_procdump.yml | 8 ++-- ...in_renamed_sysinternals_psexec_service.yml | 2 +- ...ation_win_renamed_sysinternals_sdelete.yml | 4 +- .../proc_creation_win_renamed_vmnat.yml | 6 +-- .../proc_creation_win_renamed_whoami.yml | 4 +- ...reation_win_rpcping_credential_capture.yml | 6 +-- ...tion_win_ruby_inline_command_execution.yml | 2 +- ..._win_rundll32_ads_stored_dll_execution.yml | 6 +-- ...ndll32_advpack_obfuscated_ordinal_call.yml | 4 +- .../proc_creation_win_rundll32_inline_vbs.yml | 6 +-- ...eation_win_rundll32_installscreensaver.yml | 6 +-- .../proc_creation_win_rundll32_keymgr.yml | 6 +-- ...win_rundll32_mshtml_runhtmlapplication.yml | 10 ++--- .../proc_creation_win_rundll32_no_params.yml | 6 +-- .../proc_creation_win_rundll32_ntlmrelay.yml | 8 ++-- ...n_win_rundll32_obfuscated_ordinal_call.yml | 4 +- ..._creation_win_rundll32_parent_explorer.yml | 6 +-- ..._win_rundll32_process_dump_via_comsvcs.yml | 10 ++--- ...on_win_rundll32_registered_com_objects.yml | 6 +-- ...oc_creation_win_rundll32_run_locations.yml | 6 +-- ...n_rundll32_setupapi_installhinfsection.yml | 6 +-- ...on_win_rundll32_shell32_susp_execution.yml | 6 +-- ...rundll32_shelldispatch_potential_abuse.yml | 4 +- ...c_creation_win_rundll32_spawn_explorer.yml | 6 +-- ...oc_creation_win_rundll32_susp_activity.yml | 6 +-- ...ion_win_rundll32_susp_control_dll_load.yml | 6 +-- ...32_susp_execution_with_image_extension.yml | 4 +- 
..._win_rundll32_susp_shellexec_execution.yml | 8 ++-- ...tion_win_rundll32_susp_shimcache_flush.yml | 4 +- .../proc_creation_win_rundll32_sys.yml | 6 +-- .../proc_creation_win_rundll32_unc_path.yml | 4 +- ...on_win_rundll32_uncommon_dll_extension.yml | 6 +-- .../proc_creation_win_rundll32_user32_dll.yml | 6 +-- ...n_win_rundll32_webdav_client_execution.yml | 4 +- ..._rundll32_webdav_client_susp_execution.yml | 6 +-- ...eation_win_rundll32_without_parameters.yml | 6 +-- .../proc_creation_win_runonce_execution.yml | 6 +-- ..._change_sevice_image_path_by_non_admin.yml | 8 ++-- .../proc_creation_win_sc_create_service.yml | 4 +- .../proc_creation_win_sc_disable_service.yml | 6 +-- ...proc_creation_win_sc_new_kernel_driver.yml | 6 +-- ...tion_win_sc_query_interesting_services.yml | 2 +- ...ion_win_sc_sdset_allow_service_changes.yml | 2 +- ...ation_win_sc_sdset_deny_service_access.yml | 4 +- ...roc_creation_win_sc_sdset_hide_sevices.yml | 8 ++-- ...roc_creation_win_sc_sdset_modification.yml | 6 +-- ...ation_win_sc_service_path_modification.yml | 6 +-- ..._win_sc_service_tamper_for_persistence.yml | 4 +- .../proc_creation_win_sc_stop_service.yml | 6 +-- ...tion_win_schtasks_appdata_local_system.yml | 4 +- .../proc_creation_win_schtasks_change.yml | 4 +- .../proc_creation_win_schtasks_creation.yml | 6 +-- ...tion_win_schtasks_creation_temp_folder.yml | 4 +- .../proc_creation_win_schtasks_delete.yml | 2 +- .../proc_creation_win_schtasks_delete_all.yml | 2 +- .../proc_creation_win_schtasks_disable.yml | 4 +- .../proc_creation_win_schtasks_env_folder.yml | 4 +- ...oc_creation_win_schtasks_folder_combos.yml | 4 +- ...c_creation_win_schtasks_guid_task_name.yml | 2 +- ...n_schtasks_one_time_only_midnight_task.yml | 6 +-- ...schtasks_persistence_windows_telemetry.yml | 4 +- ...on_win_schtasks_powershell_persistence.yml | 4 +- .../proc_creation_win_schtasks_reg_loader.yml | 2 +- ...eation_win_schtasks_reg_loader_encoded.yml | 4 +- ...oc_creation_win_schtasks_schedule_type.yml | 2 
+- ...tion_win_schtasks_schedule_type_system.yml | 2 +- ...asks_schedule_via_masqueraded_xml_file.yml | 4 +- ...roc_creation_win_schtasks_susp_pattern.yml | 4 +- .../proc_creation_win_schtasks_system.yml | 4 +- ...reation_win_scrcons_susp_child_process.yml | 4 +- ..._creation_win_sdbinst_shim_persistence.yml | 6 +-- ...oc_creation_win_sdbinst_susp_extension.yml | 6 +-- .../proc_creation_win_sdclt_child_process.yml | 6 +-- ...roc_creation_win_sdiagnhost_susp_child.yml | 6 +-- .../proc_creation_win_secedit_execution.yml | 10 ++--- ..._creation_win_servu_susp_child_process.yml | 8 ++-- ...tion_win_setres_uncommon_child_process.yml | 6 +-- ...oc_creation_win_setspn_spn_enumeration.yml | 6 +-- .../proc_creation_win_shutdown_execution.yml | 2 +- .../proc_creation_win_shutdown_logoff.yml | 2 +- ...eation_win_sndvol_susp_child_processes.yml | 2 +- ...eation_win_soundrecorder_audio_capture.yml | 4 +- ...proc_creation_win_splwow64_cli_anomaly.yml | 6 +-- ...ation_win_spoolsv_susp_child_processes.yml | 6 +-- ...roc_creation_win_sqlcmd_veeam_db_recon.yml | 2 +- .../proc_creation_win_sqlcmd_veeam_dump.yml | 4 +- ...ation_win_sqlite_chromium_profile_data.yml | 6 +-- ..._win_sqlite_firefox_gecko_profile_data.yml | 6 +-- .../proc_creation_win_squirrel_download.yml | 8 ++-- ..._creation_win_squirrel_proxy_execution.yml | 8 ++-- .../proc_creation_win_ssh_port_forward.yml | 8 ++-- .../proc_creation_win_ssh_rdp_tunneling.yml | 6 +-- .../proc_creation_win_ssm_agent_abuse.yml | 4 +- ...eation_win_stordiag_susp_child_process.yml | 6 +-- ...oc_creation_win_susp_16bit_application.yml | 6 +-- ...ation_win_susp_abusing_debug_privilege.yml | 6 +-- ...on_win_susp_add_user_local_admin_group.yml | 4 +- ...ion_win_susp_add_user_privileged_group.yml | 2 +- ...win_susp_add_user_remote_desktop_group.yml | 6 +-- ...eation_win_susp_alternate_data_streams.yml | 6 +-- ...ays_install_elevated_windows_installer.yml | 6 +-- .../proc_creation_win_susp_appx_execution.yml | 6 +-- 
...ary_shell_execution_via_settingcontent.yml | 6 +-- ...reation_win_susp_archiver_iso_phishing.yml | 4 +- ...creation_win_susp_automated_collection.yml | 6 +-- ...n_susp_bad_opsec_sacrificial_processes.yml | 8 ++-- ...er_launch_from_document_reader_process.yml | 2 +- ...tion_win_susp_child_process_as_system_.yml | 6 +-- ...n_win_susp_cli_obfuscation_escape_char.yml | 6 +-- ...ation_win_susp_cli_obfuscation_unicode.yml | 8 ++-- ...usp_commandline_path_traversal_evasion.yml | 6 +-- ...oc_creation_win_susp_copy_browser_data.yml | 6 +-- ...reation_win_susp_copy_lateral_movement.yml | 6 +-- ...proc_creation_win_susp_copy_system_dir.yml | 6 +-- ...eation_win_susp_copy_system_dir_lolbin.yml | 4 +- ...creation_win_susp_crypto_mining_monero.yml | 4 +- ...ion_win_susp_data_exfiltration_via_cli.yml | 4 +- ...proc_creation_win_susp_disable_raccine.yml | 6 +-- ...roc_creation_win_susp_double_extension.yml | 6 +-- ...ation_win_susp_double_extension_parent.yml | 6 +-- ...eation_win_susp_download_office_domain.yml | 6 +-- ...reation_win_susp_dumpstack_log_evasion.yml | 6 +-- ...on_win_susp_elavated_msi_spawned_shell.yml | 6 +-- ...reation_win_susp_electron_app_children.yml | 4 +- ...tion_win_susp_electron_execution_proxy.yml | 4 +- ..._elevated_system_shell_uncommon_parent.yml | 8 ++-- .../proc_creation_win_susp_embed_exe_lnk.yml | 2 +- ...tion_win_susp_etw_modification_cmdline.yml | 6 +-- ...oc_creation_win_susp_etw_trace_evasion.yml | 6 +-- .../proc_creation_win_susp_eventlog_clear.yml | 6 +-- ...eation_win_susp_eventlog_content_recon.yml | 6 +-- ...execution_from_public_folder_as_parent.yml | 6 +-- .../proc_creation_win_susp_execution_path.yml | 6 +-- ...creation_win_susp_file_characteristics.yml | 4 +- ...win_susp_gather_network_info_execution.yml | 2 +- ...n_win_susp_hidden_dir_index_allocation.yml | 4 +- ...in_susp_hiding_malware_in_fonts_folder.yml | 6 +-- ...win_susp_homoglyph_cyrillic_lookalikes.yml | 4 +- .../proc_creation_win_susp_image_missing.yml | 6 +-- 
...ation_win_susp_inline_base64_mz_header.yml | 2 +- ...reation_win_susp_inline_win_api_access.yml | 4 +- ...p_local_system_owner_account_discovery.yml | 4 +- ..._win_susp_lolbin_exec_from_non_c_drive.yml | 6 +-- ...eation_win_susp_lsass_dmp_cli_keywords.yml | 6 +-- ...tion_win_susp_ms_appinstaller_download.yml | 4 +- ...proc_creation_win_susp_network_command.yml | 4 +- ...oc_creation_win_susp_network_scan_loop.yml | 2 +- ...roc_creation_win_susp_network_sniffing.yml | 6 +-- .../proc_creation_win_susp_no_image_name.yml | 4 +- .../proc_creation_win_susp_non_exe_image.yml | 6 +-- ...c_creation_win_susp_non_priv_reg_or_ps.yml | 6 +-- .../proc_creation_win_susp_ntds.yml | 6 +-- ...creation_win_susp_nteventlogfile_usage.yml | 4 +- ..._win_susp_ntfs_short_name_path_use_cli.yml | 6 +-- ...in_susp_ntfs_short_name_path_use_image.yml | 6 +-- ...ation_win_susp_ntfs_short_name_use_cli.yml | 6 +-- ...ion_win_susp_ntfs_short_name_use_image.yml | 6 +-- ...eation_win_susp_obfuscated_ip_download.yml | 4 +- ...reation_win_susp_obfuscated_ip_via_cli.yml | 4 +- ..._creation_win_susp_office_token_search.yml | 4 +- .../proc_creation_win_susp_parents.yml | 6 +-- ..._win_susp_powershell_execution_via_dll.yml | 6 +-- ...in_susp_priv_escalation_via_named_pipe.yml | 6 +-- ...c_creation_win_susp_private_keys_recon.yml | 6 +-- ...susp_privilege_escalation_cli_patterns.yml | 4 +- ...oc_creation_win_susp_proc_wrong_parent.yml | 6 +-- .../proc_creation_win_susp_progname.yml | 4 +- .../proc_creation_win_susp_recon.yml | 4 +- ...on_win_susp_recycle_bin_fake_execution.yml | 6 +-- ...on_win_susp_redirect_local_admin_share.yml | 4 +- ...tion_win_susp_remote_desktop_tunneling.yml | 4 +- ...eation_win_susp_right_to_left_override.yml | 4 +- ...n_win_susp_script_exec_from_env_folder.yml | 4 +- ...reation_win_susp_script_exec_from_temp.yml | 4 +- ..._susp_sensitive_file_access_shadowcopy.yml | 4 +- ...roc_creation_win_susp_service_creation.yml | 6 +-- .../proc_creation_win_susp_service_dir.yml | 6 +-- 
.../proc_creation_win_susp_service_tamper.yml | 10 ++--- ...eation_win_susp_shadow_copies_creation.yml | 6 +-- ...eation_win_susp_shadow_copies_deletion.yml | 6 +-- ...tion_win_susp_shell_spawn_susp_program.yml | 6 +-- .../proc_creation_win_susp_sysnative.yml | 8 ++-- ...c_creation_win_susp_system_exe_anomaly.yml | 6 +-- ..._creation_win_susp_system_user_anomaly.yml | 10 ++--- .../proc_creation_win_susp_sysvol_access.yml | 6 +-- ..._creation_win_susp_task_folder_evasion.yml | 6 +-- .../proc_creation_win_susp_use_of_te_bin.yml | 6 +-- ...tion_win_susp_use_of_vsjitdebugger_bin.yml | 6 +-- .../proc_creation_win_susp_userinit_child.yml | 6 +-- ...tion_win_susp_weak_or_abused_passwords.yml | 6 +-- ...n_win_susp_web_request_cmd_and_cmdlets.yml | 8 ++-- ...proc_creation_win_susp_whoami_as_param.yml | 4 +- .../proc_creation_win_susp_workfolders.yml | 6 +-- ...in_svchost_execution_with_no_cli_flags.yml | 8 ++-- ...tion_win_svchost_masqueraded_execution.yml | 4 +- ...eation_win_svchost_termserv_proc_spawn.yml | 8 ++-- ...on_win_svchost_uncommon_parent_process.yml | 6 +-- ...sinternals_accesschk_check_permissions.yml | 4 +- ..._win_sysinternals_adexplorer_execution.yml | 4 +- ...sysinternals_adexplorer_susp_execution.yml | 4 +- ...reation_win_sysinternals_eula_accepted.yml | 6 +-- ...tion_win_sysinternals_livekd_execution.yml | 4 +- ...sysinternals_livekd_kernel_memory_dump.yml | 6 +-- ...roc_creation_win_sysinternals_procdump.yml | 6 +-- ...tion_win_sysinternals_procdump_evasion.yml | 6 +-- ...eation_win_sysinternals_procdump_lsass.yml | 8 ++-- ...tion_win_sysinternals_psexec_execution.yml | 4 +- ...nternals_psexec_paexec_escalate_system.yml | 6 +-- ...n_sysinternals_psexec_remote_execution.yml | 4 +- ...roc_creation_win_sysinternals_psexesvc.yml | 6 +-- ...on_win_sysinternals_psexesvc_as_system.yml | 4 +- ...oc_creation_win_sysinternals_psloglist.yml | 4 +- ...oc_creation_win_sysinternals_psservice.yml | 4 +- ...n_win_sysinternals_pssuspend_execution.yml | 2 +- 
..._sysinternals_pssuspend_susp_execution.yml | 4 +- ...proc_creation_win_sysinternals_sdelete.yml | 4 +- ..._sysinternals_susp_psexec_paexec_flags.yml | 6 +-- ..._win_sysinternals_sysmon_config_update.yml | 6 +-- ...tion_win_sysinternals_sysmon_uninstall.yml | 6 +-- ...on_win_sysinternals_tools_masquerading.yml | 6 +-- .../proc_creation_win_sysprep_appdata.yml | 4 +- ...proc_creation_win_systeminfo_execution.yml | 4 +- ...ettingsadminflows_turn_on_dev_features.yml | 4 +- ...roc_creation_win_takeown_recursive_own.yml | 6 +-- ...proc_creation_win_tapinstall_execution.yml | 4 +- .../proc_creation_win_tar_compression.yml | 2 +- .../proc_creation_win_tar_extraction.yml | 2 +- .../proc_creation_win_taskkill_sep.yml | 4 +- ...eation_win_tasklist_module_enumeration.yml | 4 +- .../proc_creation_win_taskmgr_localsystem.yml | 6 +-- ...reation_win_taskmgr_susp_child_process.yml | 6 +-- ...ms_suspicious_command_line_cred_access.yml | 6 +-- ...on_win_tpmvscmgr_add_virtual_smartcard.yml | 2 +- .../proc_creation_win_tscon_localsystem.yml | 6 +-- .../proc_creation_win_tscon_rdp_redirect.yml | 6 +-- ...eation_win_tscon_rdp_session_hijacking.yml | 2 +- ..._creation_win_uac_bypass_changepk_slui.yml | 8 ++-- .../proc_creation_win_uac_bypass_cleanmgr.yml | 8 ++-- .../proc_creation_win_uac_bypass_cmstp.yml | 8 ++-- ...win_uac_bypass_cmstp_com_object_access.yml | 8 ++-- ...eation_win_uac_bypass_computerdefaults.yml | 8 ++-- ...eation_win_uac_bypass_consent_comctl32.yml | 8 ++-- .../proc_creation_win_uac_bypass_dismhost.yml | 8 ++-- ...on_win_uac_bypass_eventvwr_recentviews.yml | 6 +-- ...proc_creation_win_uac_bypass_fodhelper.yml | 6 +-- ...n_uac_bypass_hijacking_firwall_snap_in.yml | 4 +- ...roc_creation_win_uac_bypass_icmluautil.yml | 8 ++-- ...ion_win_uac_bypass_idiagnostic_profile.yml | 6 +-- .../proc_creation_win_uac_bypass_ieinstal.yml | 8 ++-- ...c_creation_win_uac_bypass_msconfig_gui.yml | 8 ++-- ...tion_win_uac_bypass_ntfs_reparse_point.yml | 8 ++-- 
...oc_creation_win_uac_bypass_pkgmgr_dism.yml | 8 ++-- .../proc_creation_win_uac_bypass_sdclt.yml | 8 ++-- ...oc_creation_win_uac_bypass_trustedpath.yml | 4 +- .../proc_creation_win_uac_bypass_winsat.yml | 8 ++-- .../proc_creation_win_uac_bypass_wmp.yml | 8 ++-- .../proc_creation_win_uac_bypass_wsreset.yml | 10 ++--- ...win_uac_bypass_wsreset_integrity_level.yml | 8 ++-- .../proc_creation_win_ultravnc.yml | 4 +- ...c_creation_win_ultravnc_susp_execution.yml | 6 +-- ...ation_win_uninstall_crowdstrike_falcon.yml | 6 +-- ..._win_userinit_uncommon_child_processes.yml | 4 +- .../proc_creation_win_vaultcmd_list_creds.yml | 6 +-- .../proc_creation_win_verclsid_runs_com.yml | 6 +-- ...proc_creation_win_virtualbox_execution.yml | 6 +-- ...n_win_virtualbox_vboxdrvinst_execution.yml | 6 +-- ...ion_win_vmware_toolbox_cmd_persistence.yml | 2 +- ...in_vmware_toolbox_cmd_persistence_susp.yml | 2 +- ...win_vmware_vmtoolsd_susp_child_process.yml | 4 +- ...n_win_vscode_child_processes_anomalies.yml | 6 +-- ...c_creation_win_vscode_tunnel_execution.yml | 4 +- ...eation_win_vscode_tunnel_remote_shell_.yml | 4 +- ...on_win_vscode_tunnel_renamed_execution.yml | 4 +- ...tion_win_vscode_tunnel_service_install.yml | 4 +- ...tion_win_vsdiagnostics_execution_proxy.yml | 4 +- ..._win_vslsagent_agentextensionpath_load.yml | 4 +- .../proc_creation_win_w32tm.yml | 2 +- ...ab_execution_from_non_default_location.yml | 6 +-- .../proc_creation_win_wab_unusual_parents.yml | 6 +-- ...reation_win_wbadmin_delete_all_backups.yml | 4 +- ...oc_creation_win_wbadmin_delete_backups.yml | 4 +- ...ation_win_wbadmin_dump_sensitive_files.yml | 4 +- ...proc_creation_win_wbadmin_restore_file.yml | 2 +- ...on_win_wbadmin_restore_sensitive_files.yml | 4 +- ...proc_creation_win_webdav_lnk_execution.yml | 2 +- .../proc_creation_win_webshell_chopper.yml | 2 +- .../proc_creation_win_webshell_hacking.yml | 4 +- ..._webshell_recon_commands_and_processes.yml | 4 +- ...ll_susp_process_spawned_from_webserver.yml | 4 +- 
.../proc_creation_win_webshell_tool_recon.yml | 4 +- ...reation_win_werfault_lsass_shtinkering.yml | 6 +-- ...ion_win_werfault_reflect_debugger_exec.yml | 4 +- ...creation_win_wermgr_susp_child_process.yml | 8 ++-- ...creation_win_wermgr_susp_exec_location.yml | 4 +- ...c_creation_win_wget_download_direct_ip.yml | 2 +- ...get_download_susp_file_sharing_domains.yml | 4 +- ...ation_win_wget_download_susp_locations.yml | 2 +- ..._creation_win_where_browser_data_recon.yml | 4 +- ...proc_creation_win_whoami_all_execution.yml | 4 +- .../proc_creation_win_whoami_execution.yml | 4 +- ...hoami_execution_from_high_priv_process.yml | 8 ++-- ...c_creation_win_whoami_groups_discovery.yml | 2 +- .../proc_creation_win_whoami_output.yml | 4 +- ...roc_creation_win_whoami_parent_anomaly.yml | 4 +- ...roc_creation_win_whoami_priv_discovery.yml | 6 +-- ...ion_win_windows_terminal_susp_children.yml | 4 +- ..._creation_win_winget_add_custom_source.yml | 4 +- ..._win_winget_add_insecure_custom_source.yml | 4 +- ...tion_win_winget_add_susp_custom_source.yml | 6 +-- ..._win_winget_local_install_via_manifest.yml | 6 +-- ...oc_creation_win_winrar_exfil_dmp_files.yml | 4 +- ...creation_win_winrar_susp_child_process.yml | 2 +- ...n_win_winrar_uncommon_folder_execution.yml | 4 +- .../proc_creation_win_winrm_awl_bypass.yml | 6 +-- ..._execution_via_scripting_api_winrm_vbs.yml | 6 +-- ...inrm_remote_powershell_session_process.yml | 4 +- ..._creation_win_winrm_susp_child_process.yml | 8 ++-- ...eation_win_winzip_password_compression.yml | 4 +- ...tion_win_wlrmdr_uncommon_child_process.yml | 6 +-- ..._wmi_backdoor_exchange_transport_agent.yml | 4 +- ..._wmi_persistence_script_event_consumer.yml | 6 +-- ...eation_win_wmic_eventconsumer_creation.yml | 4 +- ...c_creation_win_wmic_namespace_defender.yml | 6 +-- ...roc_creation_win_wmic_process_creation.yml | 4 +- ...creation_win_wmic_recon_computersystem.yml | 4 +- ...proc_creation_win_wmic_recon_csproduct.yml | 2 +- 
.../proc_creation_win_wmic_recon_group.yml | 4 +- .../proc_creation_win_wmic_recon_hotfix.yml | 4 +- .../proc_creation_win_wmic_recon_process.yml | 4 +- .../proc_creation_win_wmic_recon_product.yml | 2 +- ..._creation_win_wmic_recon_product_class.yml | 4 +- .../proc_creation_win_wmic_recon_service.yml | 2 +- ...on_win_wmic_recon_system_info_uncommon.yml | 4 +- ...win_wmic_recon_unquoted_service_search.yml | 4 +- .../proc_creation_win_wmic_recon_volume.yml | 2 +- ...roc_creation_win_wmic_remote_execution.yml | 6 +-- ...creation_win_wmic_service_manipulation.yml | 4 +- ...oc_creation_win_wmic_squiblytwo_bypass.yml | 6 +-- ...wmic_susp_execution_via_office_process.yml | 14 +++---- ...reation_win_wmic_susp_process_creation.yml | 4 +- ...reation_win_wmic_terminate_application.yml | 2 +- ...reation_win_wmic_uninstall_application.yml | 4 +- ...n_win_wmic_uninstall_security_products.yml | 6 +-- ...reation_win_wmic_xsl_script_processing.yml | 6 +-- ...creation_win_wmiprvse_spawning_process.yml | 4 +- ...reation_win_wmiprvse_spawns_powershell.yml | 4 +- ...tion_win_wmiprvse_susp_child_processes.yml | 8 ++-- ...ation_win_wpbbin_potential_persistence.yml | 4 +- ...c_creation_win_wscript_cscript_dropper.yml | 4 +- ...n_wscript_cscript_susp_child_processes.yml | 4 +- ...script_cscript_uncommon_extension_exec.yml | 4 +- ...tion_win_wsl_child_processes_anomalies.yml | 6 +-- ...proc_creation_win_wsl_lolbin_execution.yml | 6 +-- ...ion_win_wsl_windows_binaries_execution.yml | 4 +- .../proc_creation_win_wuauclt_dll_loading.yml | 10 ++--- ...ion_win_wuauclt_no_cli_flags_execution.yml | 6 +-- ...creation_win_wusa_cab_files_extraction.yml | 2 +- ...a_cab_files_extraction_from_susp_paths.yml | 4 +- ...reation_win_wusa_susp_parent_execution.yml | 2 +- ...xwizard_execution_non_default_location.yml | 6 +-- ..._win_xwizard_runwizard_com_object_exec.yml | 6 +-- .../proc_tampering_susp_process_hollowing.yml | 8 ++-- ..._susp_disk_access_using_uncommon_tools.yml | 6 +-- 
.../registry_add_malware_netwire.yml | 6 +-- ...egistry_add_persistence_amsi_providers.yml | 4 +- ...gistry_add_persistence_com_key_linking.yml | 4 +- ...persistence_disk_cleanup_handler_entry.yml | 4 +- ...e_logon_scripts_userinitmprlogonscript.yml | 6 +-- ...dd_pua_sysinternals_execution_via_eula.yml | 6 +-- ...ysinternals_renamed_execution_via_eula.yml | 6 +-- ...a_sysinternals_susp_execution_via_eula.yml | 8 ++-- .../registry_delete_enable_windows_recall.yml | 2 +- ...delete_exploit_guard_protected_folders.yml | 6 +-- .../registry_delete_mstsc_history_cleared.yml | 6 +-- ...istry_delete_removal_amsi_registry_key.yml | 6 +-- ...ete_removal_com_hijacking_registry_key.yml | 6 +-- ...asks_hide_task_via_index_value_removal.yml | 6 +-- ...chtasks_hide_task_via_sd_value_removal.yml | 6 +-- .../registry_event_add_local_hidden_user.yml | 4 +- .../registry_event_apt_pandemic.yml | 6 +-- .../registry_event_bypass_via_wsreset.yml | 8 ++-- ...stry_event_cmstp_execution_by_registry.yml | 6 +-- ...y_events_logging_adding_reg_key_minint.yml | 6 +-- ...event_disable_wdigest_credential_guard.yml | 6 +-- ...entutl_volume_shadow_copy_service_keys.yml | 6 +-- .../registry_event_hack_wce_reg.yml | 6 +-- ...t_hybridconnectionmgr_svc_installation.yml | 6 +-- .../registry_event_mal_azorult.yml | 4 +- ...registry_event_malware_qakbot_registry.yml | 4 +- ...gistry_event_mimikatz_printernightmare.yml | 8 ++-- ...y_event_modify_screensaver_binary_path.yml | 6 +-- ...ry_event_narrator_feedback_persistance.yml | 4 +- .../registry_event_net_ntlm_downgrade.yml | 6 +-- ..._dll_added_to_appcertdlls_registry_key.yml | 4 +- ...dll_added_to_appinit_dlls_registry_key.yml | 4 +- .../registry_event_office_test_regadd.yml | 4 +- ...event_office_trust_record_modification.yml | 6 +-- ...registry_event_persistence_recycle_bin.yml | 4 +- .../registry_event_portproxy_registry_key.yml | 10 ++--- .../registry_event_redmimicry_winnti_reg.yml | 6 +-- .../registry_event_runkey_winekey.yml | 4 +- 
.../registry_event_runonce_persistence.yml | 6 +-- ...try_event_shell_open_keys_manipulation.yml | 8 ++-- ...registry_event_silentprocessexit_lsass.yml | 6 +-- .../registry_event_ssp_added_lsa_config.yml | 4 +- ...registry_event_stickykey_like_backdoor.yml | 6 +-- .../registry_event_susp_atbroker_change.yml | 6 +-- .../registry_event_susp_download_run_key.yml | 4 +- .../registry_event_susp_lsass_dll_load.yml | 4 +- .../registry_event_susp_mic_cam_access.yml | 4 +- ...gistry_set_enable_anonymous_connection.yml | 4 +- ...stry_set_add_load_service_in_safe_mode.yml | 6 +-- .../registry_set_add_port_monitor.yml | 4 +- .../registry_set_aedebug_persistence.yml | 4 +- ...et_allow_rdp_remote_assistance_feature.yml | 6 +-- .../registry_set_amsi_com_hijack.yml | 6 +-- ...set_asep_reg_keys_modification_classes.yml | 6 +-- ..._set_asep_reg_keys_modification_common.yml | 6 +-- ...eg_keys_modification_currentcontrolset.yml | 6 +-- ...p_reg_keys_modification_currentversion.yml | 6 +-- ...eg_keys_modification_currentversion_nt.yml | 6 +-- ...eg_keys_modification_internet_explorer.yml | 6 +-- ..._set_asep_reg_keys_modification_office.yml | 6 +-- ..._reg_keys_modification_session_manager.yml | 6 +-- ...p_reg_keys_modification_system_scripts.yml | 6 +-- ...et_asep_reg_keys_modification_winsock2.yml | 4 +- ...asep_reg_keys_modification_wow6432node.yml | 6 +-- ..._keys_modification_wow6432node_classes.yml | 6 +-- ...odification_wow6432node_currentversion.yml | 6 +-- .../registry_set_bginfo_custom_db.yml | 4 +- .../registry_set_bginfo_custom_vbscript.yml | 4 +- .../registry_set_bginfo_custom_wmi_query.yml | 4 +- .../registry_set_blackbyte_ransomware.yml | 6 +-- ...y_set_bypass_uac_using_delegateexecute.yml | 8 ++-- ...istry_set_bypass_uac_using_eventviewer.yml | 4 +- ...et_bypass_uac_using_silentcleanup_task.yml | 8 ++-- .../registry_set_change_rdp_port.yml | 4 +- .../registry_set_change_security_zones.yml | 4 +- ...stry_set_change_sysmon_driver_altitude.yml | 6 +-- 
...gistry_set_change_winevt_channelaccess.yml | 6 +-- .../registry_set_chrome_extension.yml | 4 +- .../registry_set_clickonce_trust_prompt.yml | 6 +-- ...stry_set_cobaltstrike_service_installs.yml | 8 ++-- .../registry_set_comhijack_sdclt.yml | 6 +-- .../registry_set_crashdump_disabled.yml | 4 +- ...istry_set_creation_service_susp_folder.yml | 8 ++-- ...file_open_handler_powershell_execution.yml | 6 +-- ...try_set_dbgmanageddebugger_persistence.yml | 4 +- .../registry_set_defender_exclusions.yml | 6 +-- ...registry_set_desktop_background_change.yml | 4 +- ...pervisorenforcedcodeintegrity_disabled.yml | 6 +-- ...isorenforcedpagingtranslation_disabled.yml | 4 +- .../registry_set_dhcp_calloutdll.yml | 6 +-- ...istry_set_disable_administrative_share.yml | 6 +-- ...gistry_set_disable_autologger_sessions.yml | 6 +-- ...registry_set_disable_defender_firewall.yml | 6 +-- .../registry_set_disable_function_user.yml | 6 +-- ...stry_set_disable_macroruntimescanscope.yml | 6 +-- ...et_disable_privacy_settings_experience.yml | 6 +-- ..._disable_security_center_notifications.yml | 6 +-- .../registry_set_disable_system_restore.yml | 4 +- ...y_set_disable_windows_defender_service.yml | 6 +-- .../registry_set_disable_windows_firewall.yml | 6 +-- .../registry_set_disable_winevt_logging.yml | 6 +-- ...it_guard_net_protection_on_ms_defender.yml | 6 +-- ...t_disabled_microsoft_defender_eventlog.yml | 6 +-- ...d_pua_protection_on_microsoft_defender.yml | 6 +-- ...amper_protection_on_microsoft_defender.yml | 6 +-- .../registry_set_disallowrun_execution.yml | 6 +-- ...sk_cleanup_handler_autorun_persistence.yml | 4 +- .../registry_set_dns_over_https_enabled.yml | 6 +-- ...gistry_set_dns_server_level_plugin_dll.yml | 6 +-- .../registry_set_dot_net_etw_tamper.yml | 6 +-- .../registry_set_dsrm_tampering.yml | 2 +- .../registry_set_enable_periodic_backup.yml | 2 +- .../registry_set_enable_windows_recall.yml | 2 +- ...et_enabling_cor_profiler_env_variables.yml | 8 ++-- 
.../registry_set_enabling_turnoffcheck.yml | 6 +-- .../registry_set_evtx_file_key_tamper.yml | 6 +-- ...ry_set_exploit_guard_susp_allowed_apps.yml | 6 +-- .../registry_set_fax_change_service_user.yml | 6 +-- .../registry_set_fax_dll_persistance.yml | 6 +-- .../registry_set_file_association_exefile.yml | 6 +-- ...egistry_set_hangs_debugger_persistence.yml | 4 +- .../registry_set_hhctrl_persistence.yml | 4 +- .../registry_set_hidden_extention.yml | 4 +- .../registry_set/registry_set_hide_file.yml | 6 +-- .../registry_set_hide_function_user.yml | 6 +-- ...t_hide_scheduled_task_via_index_tamper.yml | 6 +-- ...urity_zone_protocol_defaults_downgrade.yml | 4 +- ...registry_set_ime_non_default_extension.yml | 4 +- .../registry_set_ime_suspicious_paths.yml | 4 +- ...stry_set_install_root_or_ca_certificat.yml | 4 +- ...t_explorer_disable_first_run_customize.yml | 6 +-- .../registry_set_legalnotice_susp_message.yml | 4 +- ...y_set_lolbin_onedrivestandaloneupdater.yml | 6 +-- ...egistry_set_lsa_disablerestrictedadmin.yml | 6 +-- .../registry_set_lsass_usermode_dumping.yml | 6 +-- .../registry_set_mal_blue_mockingbird.yml | 4 +- ...istry_set_net_cli_ngenassemblyusagelog.yml | 6 +-- ...tsh_help_dll_persistence_susp_location.yml | 2 +- ...netsh_helper_dll_potential_persistence.yml | 2 +- ...registry_set_new_application_appcompat.yml | 4 +- .../registry_set_new_network_provider.yml | 6 +-- .../registry_set_odbc_driver_registered.yml | 4 +- ...gistry_set_odbc_driver_registered_susp.yml | 4 +- ...registry_set_office_access_vbom_tamper.yml | 8 ++-- ...office_disable_protected_view_features.yml | 8 ++-- .../registry_set_office_enable_dde.yml | 4 +- ...ook_enable_load_macro_provider_on_boot.yml | 6 +-- ..._office_outlook_enable_macro_execution.yml | 6 +-- ...utlook_enable_unsafe_client_mail_rules.yml | 6 +-- ...y_set_office_outlook_security_settings.yml | 4 +- ..._set_office_trust_record_susp_location.yml | 6 +-- ...y_set_office_trusted_location_uncommon.yml | 6 +-- 
...egistry_set_office_vba_warnings_tamper.yml | 8 ++-- ...stry_set_optimize_file_sharing_network.yml | 4 +- ...ce_app_cpmpat_layer_registerapprestart.yml | 2 +- .../registry_set_persistence_app_paths.yml | 4 +- ...registry_set_persistence_appx_debugger.yml | 4 +- .../registry_set_persistence_autodial_dll.yml | 4 +- .../registry_set_persistence_chm.yml | 4 +- ..._set_persistence_com_hijacking_builtin.yml | 2 +- ..._persistence_comhijack_psfactorybuffer.yml | 4 +- ...et_persistence_custom_protocol_handler.yml | 6 +-- ...et_persistence_event_viewer_events_asp.yml | 6 +-- .../registry_set_persistence_globalflags.yml | 10 ++--- .../registry_set_persistence_ie.yml | 6 +-- .../registry_set_persistence_ifilter.yml | 4 +- ...registry_set_persistence_lsa_extension.yml | 4 +- .../registry_set_persistence_mpnotify.yml | 4 +- .../registry_set_persistence_mycomputer.yml | 4 +- ...istry_set_persistence_natural_language.yml | 4 +- .../registry_set_persistence_office_vsto.yml | 4 +- ...istry_set_persistence_outlook_homepage.yml | 4 +- ...stry_set_persistence_outlook_todaypage.yml | 4 +- ...gistry_set_persistence_reflectdebugger.yml | 4 +- .../registry_set_persistence_scrobj_dll.yml | 4 +- .../registry_set_persistence_search_order.yml | 4 +- ...registry_set_persistence_shim_database.yml | 4 +- ...istence_shim_database_susp_application.yml | 4 +- ...stence_shim_database_uncommon_location.yml | 4 +- .../registry_set_persistence_typed_paths.yml | 4 +- .../registry_set_persistence_xll.yml | 4 +- ...istry_set_policies_associations_tamper.yml | 6 +-- ...gistry_set_policies_attachments_tamper.yml | 6 +-- .../registry_set_powershell_as_service.yml | 4 +- ...y_set_powershell_enablescripts_enabled.yml | 2 +- ...gistry_set_powershell_execution_policy.yml | 6 +-- .../registry_set_powershell_in_run_keys.yml | 4 +- ...gistry_set_powershell_logging_disabled.yml | 6 +-- ...egistry_set_provisioning_command_abuse.yml | 6 +-- ...set_renamed_sysinternals_eula_accepted.yml | 6 +-- 
.../registry_set_rpcrt4_etw_tamper.yml | 6 +-- ...stry_set_scr_file_executed_by_rundll32.yml | 6 +-- ...et_sentinelone_shell_context_tampering.yml | 2 +- .../registry_set_servicedll_hijack.yml | 6 +-- .../registry_set_services_etw_tamper.yml | 6 +-- .../registry_set_set_nopolicies_user.yml | 6 +-- .../registry_set_sip_persistence.yml | 6 +-- .../registry_set_sophos_av_tamper.yml | 6 +-- .../registry_set_special_accounts.yml | 8 ++-- ...ry_set_suppress_defender_notifications.yml | 6 +-- ...registry_set_susp_keyboard_layout_load.yml | 6 +-- ...y_set_susp_pendingfilerenameoperations.yml | 6 +-- .../registry_set_susp_printer_driver.yml | 8 ++-- ...stry_set_susp_reg_persist_explorer_run.yml | 4 +- .../registry_set_susp_run_key_img_folder.yml | 4 +- .../registry_set_susp_service_installed.yml | 6 +-- .../registry_set_susp_user_shell_folders.yml | 6 +-- .../registry_set_suspicious_env_variables.yml | 6 +-- .../registry_set_system_lsa_nolmhash.yml | 4 +- .../registry_set_taskcache_entry.yml | 4 +- .../registry_set_telemetry_persistence.yml | 6 +-- ...egistry_set_terminal_server_suspicious.yml | 6 +-- ...registry_set_terminal_server_tampering.yml | 10 ++--- .../registry_set_timeproviders_dllname.yml | 6 +-- ...y_set_tls_protocol_old_version_enabled.yml | 4 +- .../registry_set_treatas_persistence.yml | 4 +- .../registry_set_turn_on_dev_features.yml | 6 +-- .../registry_set_uac_bypass_eventvwr.yml | 8 ++-- .../registry_set_uac_bypass_sdclt.yml | 8 ++-- .../registry_set_uac_bypass_winsat.yml | 8 ++-- .../registry_set_uac_bypass_wmp.yml | 8 ++-- .../registry_set/registry_set_uac_disable.yml | 8 ++-- .../registry_set_uac_disable_notification.yml | 6 +-- ..._set_uac_disable_secure_desktop_prompt.yml | 6 +-- .../registry_set_vbs_payload_stored.yml | 4 +- .../registry_set_wab_dllpath_reg_change.yml | 6 +-- ..._set_wdigest_enable_uselogoncredential.yml | 6 +-- .../registry_set_windows_defender_tamper.yml | 10 ++--- ...ry_set_winget_admin_settings_tampering.yml | 6 +-- 
...istry_set_winget_enable_local_manifest.yml | 6 +-- ...set_winlogon_allow_multiple_tssessions.yml | 6 +-- .../registry_set_winlogon_notify_key.yml | 4 +- .../sysmon/sysmon_config_modification.yml | 4 +- .../sysmon_config_modification_error.yml | 6 +-- .../sysmon_config_modification_status.yml | 6 +-- .../sysmon/sysmon_file_block_executable.yml | 6 +-- .../sysmon/sysmon_file_block_shredding.yml | 4 +- .../sysmon_file_executable_detected.yml | 4 +- .../sysmon_wmi_event_subscription.yml | 4 +- .../sysmon_wmi_susp_encoded_scripts.yml | 4 +- .../wmi_event/sysmon_wmi_susp_scripting.yml | 4 +- tests/test_rules.py | 8 ++-- tests/thor.yml | 8 +++- tests/validate-sigma-schema/sigma-schema.json | 38 +++++++++++++++---- 3405 files changed, 9146 insertions(+), 9125 deletions(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index a2cd5acf698..911a72d0e20 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -75,8 +75,7 @@ jobs:
 python-version: 3.11
 - name: Install dependencies
 run: |
- # pip install sigma-cli~=0.7.1
- pip install pysigma==0.11.9
+ pip install pysigma
 pip install sigma-cli
 pip install pySigma-validators-sigmahq==0.7.0
 - name: Test Sigma Rule Syntax
diff --git a/other/godmode_sigma_rule.yml b/other/godmode_sigma_rule.yml
index 1288301ad55..c4e21aa3da9 100644
--- a/other/godmode_sigma_rule.yml
+++ b/other/godmode_sigma_rule.yml
@@ -18,8 +18,8 @@ id: def6caac-a999-4fc9-8800-cfeff700ba98
 description: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'
 status: experimental
 author: Florian Roth (Nextron Systems)
-date: 2019/12/22
-modified: 2022/08/04
+date: 2019-12-22
+modified: 2022-08-04
 level: high
 action: global
 ---
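Review bot: Dropping the version pin at `pip install pysigma` makes the syntax-test job resolve whatever pySigma release PyPI serves at run time, while `pip install pySigma-validators-sigmahq==0.7.0` two lines below stays pinned to a release that was presumably tested against a specific pySigma; a new pySigma release, or a malicious upload under that package name, can change this job's outcome or execute code in CI without any commit to this repository. The context line `pip install sigma-cli` carries the same exposure. If tracking current pySigma is the intent, bound it rather than leaving it open, e.g. `pip install 'pysigma>=0.11.9,<1.0'` (lower bound taken from the removed pin; the upper bound is a constructed example to be confirmed against the validator's requirements), or move these installs into a requirements file installed with `pip install --require-hashes -r requirements.txt` so the job is reproducible and tamper-evident.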
diff --git a/rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml b/rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml
index ee750830e00..9346e4f0605 100644
--- a/rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml
+++ b/rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml
@@ -7,13 +7,13 @@ description: |
 references:
 - https://github.com/projectdiscovery/nuclei-templates
 author: Subhash Popuri (@pbssubhash)
-date: 2021/08/25
-modified: 2023/01/02
+date: 2021-08-25
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2010.5278
- - detection.emerging_threats
+ - cve.2010-5278
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
index 0860e557ca5..9f11fc0186c 100644
--- a/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
+++ b/rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml
@@ -7,14 +7,14 @@ references:
 - https://www.exploit-db.com/exploits/39161
 - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/19
-modified: 2023/01/02
+date: 2022-07-19
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.t1505.003
- - cve.2014.6287
- - detection.emerging_threats
+ - cve.2014-6287
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml b/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
index e95751a8549..d93c2786c8d 100644
--- a/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
+++ b/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
@@ -6,16 +6,16 @@ references:
 - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2017/07/20
-modified: 2021/11/27
+date: 2017-07-20
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1059.003
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 - attack.s0412
 - attack.g0001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
index b533f2f3dd0..f35fd53e08c 100644
--- a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
+++ b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
@@ -5,18 +5,18 @@ description: Detects automated lateral movement by Turla group
 references:
 - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
-date: 2017/11/07
-modified: 2022/10/09
+date: 2017-11-07
+modified: 2022-10-09
 tags:
 - attack.g0010
 - attack.execution
 - attack.t1059
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.discovery
 - attack.t1083
 - attack.t1135
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
index a42eb311a8f..c912f3e8321 100644
--- a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
+++ b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
@@ -5,15 +5,15 @@ description: Detects commands used by Turla group as reported by ESET in May 202
 references:
 - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth (Nextron Systems)
-date: 2020/05/26
-modified: 2021/11/27
+date: 2020-05-26
+modified: 2021-11-27
 tags:
 - attack.g0010
 - attack.execution
 - attack.t1059.001
 - attack.t1053.005
 - attack.t1027
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml b/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
index 99125133b68..a617999f5f4 100644
--- a/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
+++ b/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
@@ -6,13 +6,13 @@ references:
 - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
 - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2018/02/22
-modified: 2021/11/27
+date: 2018-02-22
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
- - cve.2015.1641
- - detection.emerging_threats
+ - cve.2015-1641
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml b/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
index e876e676da2..19eeb1a14eb 100644
--- a/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
+++ b/rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
@@ -5,16 +5,16 @@ description: Detects Winword starting uncommon sub process FLTLDR.exe as used in
 references:
 - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth (Nextron Systems)
-date: 2018/02/22
-modified: 2021/11/27
+date: 2018-02-22
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
- - cve.2017.0261
- - detection.emerging_threats
+ - cve.2017-0261
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml b/rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
index a68aafcfc77..cb60fe737db 100644
--- a/rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
+++ b/rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
@@ -7,16 +7,16 @@ references:
 - https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
 - https://github.com/embedi/CVE-2017-11882
 author: Florian Roth (Nextron Systems)
-date: 2017/11/23
-modified: 2021/11/27
+date: 2017-11-23
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
- - cve.2017.11882
- - detection.emerging_threats
+ - cve.2017-11882
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml b/rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
index c3e2ac7fac3..06e16bf5596 100644
--- a/rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
+++ b/rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
@@ -6,16 +6,16 @@ references:
 - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/09/15
-modified: 2021/11/27
+date: 2017-09-15
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1203
 - attack.t1204.002
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
- - cve.2017.8759
- - detection.emerging_threats
+ - cve.2017-8759
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml b/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
index 29eb1d61f86..ceb0385b32d 100644
--- a/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
+++ b/rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
@@ -6,13 +6,13 @@ references:
 - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-date: 2017/11/10
-modified: 2022/10/09
+date: 2017-11-10
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1059.005
 - attack.t1059.007
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
index 4bb92e609fc..d6f85a435e9 100644
--- a/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
+++ b/rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml
@@ -10,13 +10,13 @@ description: |
 references:
 - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
 author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
-date: 2017/03/27
-modified: 2022/10/09
+date: 2017-03-27
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1543.003
 - attack.t1569.002
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml b/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
index f3293580964..b7d93cf2876 100644
--- a/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
+++ b/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
@@ -6,13 +6,13 @@ references:
 - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
 - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/06/03
-modified: 2021/11/27
+date: 2017-06-03
+modified: 2021-11-27
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml b/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
index 22367001c0d..9da9226b0ae 100644
--- a/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
+++ b/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
@@ -5,13 +5,13 @@ description: Detects a process access to verclsid.exe that injects shellcode fro
 references:
 - https://twitter.com/JohnLaTwC/status/837743453039534080
 author: John Lambert (tech), Florian Roth (Nextron Systems)
-date: 2017/03/04
-modified: 2021/11/27
+date: 2017-03-04
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_access
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
index f4596170e37..a6eb9f685b7 100644
--- a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
+++ b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
@@ -6,16 +6,16 @@ references:
 - https://securelist.com/schroedingers-petya/78870/
 - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 author: Florian Roth (Nextron Systems), Tom Ueltschi
-date: 2019/01/16
-modified: 2022/12/15
+date: 2019-01-16
+modified: 2022-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 - attack.t1070.001
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - car.2016-04-002
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
index e6c5c0f0e20..5c4b90c595e 100644
--- a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
+++ b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
@@ -6,13 +6,13 @@ references:
 - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
 - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 author: Florian Roth (Nextron Systems)
-date: 2017/06/12
-modified: 2023/02/03
+date: 2017-06-12
+modified: 2023-02-03
 tags:
 - attack.s0013
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml b/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
index 51e8590c46d..526e33f1d28 100644
--- a/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
+++ b/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
@@ -5,13 +5,13 @@ description: This method detects a service install of the malicious Microsoft Ne
 references:
 - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 author: Florian Roth (Nextron Systems)
-date: 2017/03/07
-modified: 2021/11/30
+date: 2017-03-07
+modified: 2021-11-30
 tags:
 - attack.persistence
 - attack.g0064
 - attack.t1543.003
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml b/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
index 20ffd682792..c365b84e4d7 100644
--- a/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
+++ b/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
@@ -5,19 +5,19 @@ description: Detects WannaCry ransomware activity
 references:
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
-date: 2019/01/16
-modified: 2023/02/03
+date: 2019-01-16
+modified: 2023-02-03
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
 - attack.discovery
 - attack.t1083
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.001
 - attack.impact
 - attack.t1486
 - attack.t1490
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml b/rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
index c9a25e892f0..f7ab1ce7f29 100644
--- a/rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
+++ b/rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
@@ -5,13 +5,13 @@ description: Detects potential process and execution activity related to APT10 C
references:
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
author: Florian Roth (Nextron Systems)
-date: 2017/04/07
-modified: 2023/03/08
+date: 2017-04-07
+modified: 2023-03-08
tags:
- attack.execution
- attack.g0045
- attack.t1059.005
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml b/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
index b21b69fe37f..fb69934e96f 100644
--- a/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
+++ b/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
@@ -5,14 +5,14 @@ description: Detects renamed SysInternals tool execution with a binary named ps.
references:
- https://www.us-cert.gov/ncas/alerts/TA17-293A
author: Florian Roth (Nextron Systems)
-date: 2017/10/22
-modified: 2023/05/02
+date: 2017-10-22
+modified: 2023-05-02
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.g0035
- attack.t1036.003
- car.2013-05-009
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
index fbf7da355f5..626ef71ea8c 100644
--- a/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
+++ b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml
@@ -6,13 +6,13 @@ references:
- https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
author: Florian Roth (Nextron Systems)
-date: 2017/04/15
-modified: 2021/11/27
+date: 2017-04-15
+modified: 2021-11-27
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.g0020
- attack.t1041
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: firewall
detection:
diff --git a/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml b/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
index 5845cd19793..e9758f1b592 100644
--- a/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
+++ b/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
@@ -5,12 +5,12 @@ description: Detects binaries used by the Lazarus group which use system names b
references:
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
-date: 2020/06/03
-modified: 2023/03/10
+date: 2020-06-03
+modified: 2023-03-10
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1036.005
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
index b6bd6caafc5..3c364eb3626 100644
--- a/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
+++ b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
@@ -6,13 +6,13 @@ references:
- Internal Research
- https://attack.mitre.org/groups/G0010/
author: Markus Neis
-date: 2017/11/06
-modified: 2021/11/27
+date: 2017-11-06
+modified: 2021-11-27
tags:
- attack.g0010
- attack.execution
- attack.t1106
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: pipe_created
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
index 437e24c7789..1fed02ec236 100644
--- a/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
+++ b/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
@@ -5,13 +5,13 @@ description: This method detects a service install of malicious services mention
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
author: Florian Roth (Nextron Systems)
-date: 2017/03/31
-modified: 2021/11/30
+date: 2017-03-31
+modified: 2021-11-30
tags:
- attack.persistence
- attack.g0010
- attack.t1543.003
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: system
diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
index bc83f7e4525..b1b89ef6824 100644
--- a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
+++ b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
@@ -5,13 +5,13 @@ description: This method detects malicious services mentioned in Turla PNG dropp
references:
- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
author: Florian Roth (Nextron Systems)
-date: 2018/11/23
-modified: 2021/11/30
+date: 2018-11-23
+modified: 2021-11-30
tags:
- attack.persistence
- attack.g0010
- attack.t1543.003
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: system
diff --git a/rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml b/rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml
index 551b0efdc0a..331779396da 100644
--- a/rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml
+++ b/rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml
@@ -5,13 +5,13 @@ description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VP
references:
- https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
author: Bhabesh Raj
-date: 2020/12/08
-modified: 2023/01/02
+date: 2020-12-08
+modified: 2023-01-02
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
- - cve.2018.13379
- - detection.emerging_threats
+ - cve.2018-13379
+ - detection.emerging-threats
logsource:
category: webserver
detection:
diff --git a/rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml b/rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml
index 79e5e5a3aa2..53aeb47c34f 100644
--- a/rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml
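Review bot: The tag renames in the Fortinet hunk, `cve.2018.13379` to `cve.2018-13379` and `attack.initial_access` to `attack.initial-access`, change the identifiers that downstream rule-selection configs, SIEM tag mappings and CVE-based filters match on, and nothing visible in this hunk signals a compatibility alias. A pipeline still selecting rules by the underscore tactic form or the dotted CVE form will silently stop including these rules rather than raise an error. Consider stating the new tag grammar (`cve.YYYY-NNNN`, kebab-case tactic names) in the change description or a changelog note so consumers know to update their filters before pulling this revision.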
@@ -6,15 +6,15 @@ references:
- https://twitter.com/pyn3rd/status/1020620932967223296
- https://github.com/LandGrey/CVE-2018-2894
author: Florian Roth (Nextron Systems)
-date: 2018/07/22
-modified: 2023/01/02
+date: 2018-07-22
+modified: 2023-01-02
tags:
- attack.t1190
- - attack.initial_access
+ - attack.initial-access
- attack.persistence
- attack.t1505.003
- - cve.2018.2894
- - detection.emerging_threats
+ - cve.2018-2894
+ - detection.emerging-threats
logsource:
category: webserver
detection:
diff --git a/rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml b/rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
index d1b92b65c2c..ebcbf0b4240 100644
--- a/rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
+++ b/rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
@@ -6,15 +6,15 @@ references:
- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
- https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2018/01/31
-modified: 2023/03/09
+date: 2018-01-31
+modified: 2023-03-09
tags:
- attack.g0030
- attack.g0050
- attack.s0081
- attack.execution
- attack.t1059.003
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
index 7812dcabeb6..eb55fc440c3 100644
--- a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
+++ b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
@@ -7,13 +7,13 @@ references:
- https://twitter.com/cyb3rops/status/1168863899531132929
- https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
author: Florian Roth (Nextron Systems)
-date: 2018/09/03
-modified: 2023/03/09
+date: 2018-09-03
+modified: 2023-03-09
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1574.002
- attack.g0027
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml b/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
index 2fd608d271f..d26593a3f0a 100644
--- a/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
+++ b/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
@@ -7,16 +7,16 @@ references:
- https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110
- https://twitter.com/ClearskySec/status/960924755355369472
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2018/03/01
-modified: 2023/05/31
+date: 2018-03-01
+modified: 2023-05-31
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.execution
- attack.g0007
- attack.t1059.003
- attack.t1218.011
- car.2013-10-002
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml b/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
index bbf33f2e4a2..d106fb093f4 100644
--- a/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
+++ b/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
@@ -9,12 +9,12 @@ references:
- https://twitter.com/DrunkBinary/status/1063075530180886529
- https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
author: '@41thexplorer'
-date: 2018/11/20
-modified: 2023/02/20
+date: 2018-11-20
+modified: 2023-02-20
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1218.011
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: file_event
diff --git a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
index d18f6cb7065..855a3cd55db 100644
--- a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
+++ b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
@@ -2,7 +2,7 @@ title: APT29 2018 Phishing Campaign CommandLine Indicators
id: 7453575c-a747-40b9-839b-125a0aae324b
related:
- id: 033fe7d6-66d1-4240-ac6b-28908009c71f
- type: obsoletes
+ type: obsolete
status: stable
description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
references:
@@ -10,13 +10,13 @@ references:
- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
- https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
author: Florian Roth (Nextron Systems), @41thexplorer
-date: 2018/11/20
-modified: 2023/03/08
+date: 2018-11-20
+modified: 2023-03-08
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.execution
- attack.t1218.011
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
index 7b5138e8323..93af1448760 100644
--- a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
+++ b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
@@ -6,12 +6,12 @@ references:
- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
- https://github.com/eset/malware-ioc/tree/master/oceanlotus
author: megan201296, Jonhnathan Ribeiro
-date: 2019/04/14
-modified: 2023/09/28
+date: 2019-04-14
+modified: 2023-09-28
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: registry_event
product: windows
diff --git a/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml b/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
index 0bc8d901ed1..01866f87444 100644
--- a/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
+++ b/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
@@ -5,12 +5,12 @@ description: Detects potential Muddywater APT activity
references:
- https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/10
+date: 2023-03-10
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.execution
- attack.g0069
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
index 0b5ee7012bb..9887fdd3fe6 100644
--- a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
@@ -12,19 +12,19 @@ description: Detects OilRig activity as reported by Nyotron in their March 2018
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
+date: 2018-03-23
+modified: 2023-03-08
tags:
- attack.persistence
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.004
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
index 942171b5dc0..677e3d762d3 100644
--- a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
@@ -12,19 +12,19 @@ description: Detects OilRig registry persistence as reported by Nyotron in their
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
+date: 2018-03-23
+modified: 2023-03-08
tags:
- attack.persistence
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.004
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: registry_event
product: windows
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
index d96e56b803f..d797c0193af 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
@@ -12,19 +12,19 @@ description: Detects OilRig schedule task persistence as reported by Nyotron in
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
+date: 2018-03-23
+modified: 2023-03-08
tags:
- attack.persistence
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.004
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: security
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
index 67c8c5d5fdd..ea748e64f55 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
@@ -12,19 +12,19 @@ description: Detects OilRig schedule task persistence as reported by Nyotron in
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2018/03/23
-modified: 2023/03/08
+date: 2018-03-23
+modified: 2023-03-08
tags:
- attack.persistence
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1112
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.004
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: system
diff --git a/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml b/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
index 6af6aec3490..fe275344b6c 100644
--- a/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
+++ b/rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
@@ -5,13 +5,13 @@ description: Detects the deactivation and disabling of the Scheduled defragmenta
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-modified: 2022/10/09
+date: 2019-03-04
+modified: 2022-10-09
tags:
- attack.persistence
- attack.t1053.005
- attack.s0111
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml b/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
index d2e8c9cd8e3..c5c66cf4c3b 100644
--- a/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
+++ b/rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
@@ -8,13 +8,13 @@ description: Detects the deactivation and disabling of the Scheduled defragmenta
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
-date: 2019/03/04
-modified: 2022/11/27
+date: 2019-03-04
+modified: 2022-11-27
tags:
- attack.persistence
- attack.t1053
- attack.s0111
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: security
diff --git a/rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml b/rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
index eb693619abd..f8a485040d9 100644
--- a/rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
+++ b/rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
@@ -5,12 +5,12 @@ description: Detects TropicTrooper activity, an actor who targeted high-profile
references:
- https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
author: '@41thexplorer, Microsoft Defender ATP'
-date: 2019/11/12
-modified: 2020/08/27
+date: 2019-11-12
+modified: 2020-08-27
tags:
- attack.execution
- attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml b/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
index 699ab3f7d0b..d41cc4f1d82 100644
--- a/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
+++ b/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
@@ -5,13 +5,13 @@ description: Detects potential exploitation of the BearLPE exploit using Task Sc
references:
- https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
author: Olaf Hartong
-date: 2019/05/22
-modified: 2023/01/26
+date: 2019-05-22
+modified: 2023-01-26
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1053.005
- car.2013-08-001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml
index 756ba1f4667..40f4a3b5e7c 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml
@@ -5,13 +5,13 @@ description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamol
references:
- https://www.exploit-db.com/exploits/47297
author: Florian Roth (Nextron Systems)
-date: 2019/11/18
-modified: 2023/01/02
+date: 2019-11-18
+modified: 2023-01-02
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
- - cve.2019.11510
- - detection.emerging_threats
+ - cve.2019-11510
+ - detection.emerging-threats
logsource:
category: webserver
detection:
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
index 6ecabce62f8..e84490ea8c2 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
@@ -5,16 +5,16 @@ description: Detects exploitation attempt of privilege escalation vulnerability
references:
- https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2019/11/15
-modified: 2021/11/27
+date: 2019-11-15
+modified: 2021-11-27
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1068
- attack.execution
- attack.t1059.003
- attack.t1574
- - cve.2019.1378
- - detection.emerging_threats
+ - cve.2019-1378
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
index 343aad9ab2c..87ece1d91c7 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
@@ -6,13 +6,13 @@ references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth (Nextron Systems)
-date: 2019/11/20
-modified: 2022/05/27
+date: 2019-11-20
+modified: 2022-05-27
tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.t1068
- - cve.2019.1388
- - detection.emerging_threats
+ - cve.2019-1388
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml
index 22fdd1436aa..78a57cd6e88 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml
@@ -9,13 +9,13 @@ references:
- https://twitter.com/mpgn_x64/status/1216787131210829826
- https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md
author: Arnim Rupp, Florian Roth
-date: 2020/01/02
-modified: 2023/01/02
+date: 2020-01-02
+modified: 2023-01-02
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
- - cve.2019.19781
- - detection.emerging_threats
+ - cve.2019-19781
+ - detection.emerging-threats
logsource:
category: webserver
definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml
index 7210477bd9e..f0e48ddee13 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml
@@ -5,13 +5,13 @@ description: Detects the exploitation of the Confluence vulnerability described
references:
- https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
author: Florian Roth (Nextron Systems)
-date: 2020/05/26
-modified: 2023/01/02
+date: 2020-05-26
+modified: 2023-01-02
tags:
- - attack.initial_access
+ - attack.initial-access
- attack.t1190
- - cve.2019.3398
- - detection.emerging_threats
+ - cve.2019-3398
+ - detection.emerging-threats
logsource:
category: webserver
detection:
diff --git a/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml b/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
index 1c0e3e1e650..1ed49d349e8 100644
--- a/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
+++ b/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
@@ -5,17 +5,17 @@ description: Detects activity that could be related to Baby Shark malware
references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
author: Florian Roth (Nextron Systems)
-date: 2019/02/24
-modified: 2023/03/08
+date: 2019-02-24
+modified: 2023-03-08
tags:
- attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.discovery
- attack.t1012
- attack.t1059.003
- attack.t1059.001
- attack.t1218.005
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml b/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml
index 4c73c0f57fe..d941bd527d0 100644
--- a/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml
+++ b/rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml
@@ -5,10 +5,10 @@ description: Detects HTTP request used by Chafer malware to receive data from it
references:
- https://securelist.com/chafer-used-remexi-malware/89538/
author: Florian Roth (Nextron Systems)
-date: 2019/01/31
-modified: 2024/02/15
+date: 2019-01-31
+modified: 2024-02-15
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
diff --git a/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml b/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
index 7aaa79043d7..4dd71e5450e 100644
--- a/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
+++ b/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
@@ -6,16 +6,16 @@ references:
- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
- https://redcanary.com/threat-detection-report/threats/dridex/
author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/10
-modified: 2023/02/03
+date: 2019-01-10
+modified: 2023-02-03
tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
- attack.t1055
- attack.discovery
- attack.t1135
- attack.t1033
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml b/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
index b09706f95dd..108fd86e650 100644
--- a/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
+++ b/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
@@ -9,12 +9,12 @@ references:
- https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
- https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/30
-modified: 2023/02/03
+date: 2019-10-30
+modified: 2023-02-03
tags:
- attack.impact
- attack.t1490
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml b/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
index 6fba1a1e590..223126b3d94 100644
--- a/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
+++ b/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
@@ -8,14 +8,14 @@ references:
- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
author: Florian Roth (Nextron Systems)
-date: 2019/09/30
-modified: 2023/02/04
+date: 2019-09-30
+modified: 2023-02-04
tags:
- attack.execution
- attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1027
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml b/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
index 2758a1833cc..6d81e2930bc 100644
--- a/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
+++ b/rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
@@ -8,12 +8,12 @@ references:
- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2019/09/30
-modified: 2022/10/06
+date: 2019-09-30
+modified: 2022-10-06
tags:
- - attack.resource_development
+ - attack.resource-development
- attack.t1587.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml b/rules-emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
index f9e2db5b00e..0f737589f66 100644
--- a/rules-emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
+++ b/rules-emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
@@ -7,12 +7,12 @@ references:
- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
author: Vasiliy Burov, oscd.community
-date: 2020/10/18
-modified: 2023/02/03
+date: 2020-10-18
+modified: 2023-02-03
tags:
- attack.impact
- attack.t1486
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml b/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
index c0069c0c7a5..02d06b8baa5 100644
--- a/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
+++ b/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
@@ -6,12 +6,12 @@ references: - https://twitter.com/killamjr/status/1179034907932315648 - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/ author: Florian Roth (Nextron Systems) -date: 2019/10/01 -modified: 2023/02/03 +date: 2019-10-01 +modified: 2023-02-03 tags: - attack.execution - attack.t1059.005 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml b/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml index 7588a51af8c..8ec78b3feb0 100644 --- a/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml +++ b/rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml @@ -4,19 +4,19 @@ related: - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27 type: similar - id: 0acaad27-9f02-4136-a243-c357202edd74 - type: obsoletes + type: obsolete status: stable description: Detects Ryuk ransomware activity references: - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/ - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) -date: 2019/12/16 -modified: 2023/02/03 +date: 2019-12-16 +modified: 2023-02-03 tags: - attack.persistence - attack.t1547.001 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml b/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml index e85aac7806e..faea3df8bc2 100644 --- a/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml +++ b/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml 
@@ -5,12 +5,12 @@ description: Detects specific process characteristics of Snatch ransomware word references: - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ author: Florian Roth (Nextron Systems) -date: 2020/08/26 -modified: 2023/02/13 +date: 2020-08-26 +modified: 2023-02-13 tags: - attack.execution - attack.t1204 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml index 4e3ae946ae1..bd63088d9ec 100644 --- a/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml +++ b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml @@ -5,14 +5,14 @@ description: Detects Ursnif C2 traffic. references: - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html author: Thomas Patzke -date: 2019/12/19 -modified: 2021/08/09 +date: 2019-12-19 +modified: 2021-08-09 tags: - - attack.initial_access + - attack.initial-access - attack.t1566.001 - attack.execution - attack.t1204.002 - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml index bcecae99053..c72792b5e45 100644 --- a/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml +++ b/rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml 
@@ -5,12 +5,12 @@ description: Detects download of Ursnif malware done by dropper documents. references: - https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware author: Thomas Patzke -date: 2019/12/19 -modified: 2022/08/15 +date: 2019-12-19 +modified: 2022-08-15 logsource: category: proxy tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 detection: selection: diff --git a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml index 0a8694ea6e1..13245e218c8 100644 --- a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml +++ b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml @@ -6,12 +6,12 @@ references: - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ author: megan201296 -date: 2019/02/13 -modified: 2023/02/07 +date: 2019-02-13 +modified: 2023-02-07 tags: - attack.execution - attack.t1112 - - detection.emerging_threats + - detection.emerging-threats logsource: product: windows category: registry_add diff --git a/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml b/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml index 7a03ad83df3..6cd18c00314 100644 --- a/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml +++ b/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml 
@@ -5,12 +5,12 @@ description: Detects potential BlueMushroom DLL loading activity via regsvr32 fr references: - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) -date: 2019/10/02 -modified: 2023/03/29 +date: 2019-10-02 +modified: 2023-03-29 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.010 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml b/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml index b27308919bc..69a560650a8 100644 --- a/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml +++ b/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml @@ -5,15 +5,15 @@ description: Detects APT31 Judgement Panda activity as described in the Crowdstr references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html author: Florian Roth (Nextron Systems) -date: 2019/02/21 -modified: 2023/03/10 +date: 2019-02-21 +modified: 2023-03-10 tags: - - attack.lateral_movement - - attack.credential_access + - attack.lateral-movement + - attack.credential-access - attack.g0128 - attack.t1003.001 - attack.t1560.001 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml b/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml index 66143182d98..2a3ea6b97dc 100644 --- a/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml +++ b/rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml 
@@ -5,10 +5,10 @@ description: Detects suspicious user agent string of APT40 Dropbox tool references: - Internal research from Florian Roth author: Thomas Patzke -date: 2019/11/12 -modified: 2023/05/18 +date: 2019-11-12 +modified: 2023-05-18 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 - attack.exfiltration - attack.t1567.002 diff --git a/rules-emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml b/rules-emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml index 7e13d564f0c..22f0019998a 100644 --- a/rules-emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml +++ b/rules-emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml @@ -5,13 +5,13 @@ description: Detects Russian group activity as described in Global Threat Report references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html author: Florian Roth (Nextron Systems) -date: 2019/02/21 -modified: 2023/03/08 +date: 2019-02-21 +modified: 2023-03-08 tags: - - attack.credential_access + - attack.credential-access - attack.t1552.001 - attack.t1003.003 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml index d14cb8f9618..da6f6944f62 100644 --- a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml +++ b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml 
@@ -6,12 +6,12 @@ references: - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ - https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) -date: 2019/04/02 -modified: 2023/03/09 +date: 2019-04-02 +modified: 2023-03-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.010 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml b/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml index f223899dd68..387db7a6aab 100644 --- a/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml +++ b/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml @@ -6,13 +6,13 @@ references: - https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type= - https://twitter.com/cyb3rops/status/972186477512839170 author: Florian Roth (Nextron Systems) -date: 2019/03/04 -modified: 2023/03/09 +date: 2019-03-04 +modified: 2023-03-09 tags: - attack.g0020 - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml b/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml index e9371a21880..6b14a14ef95 100644 --- a/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml +++ b/rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml 
@@ -7,12 +7,12 @@ references: - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/ - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations author: Florian Roth (Nextron Systems), oscd.community -date: 2019/10/30 -modified: 2021/11/27 +date: 2019-10-30 +modified: 2021-11-27 tags: - attack.t1587.001 - - attack.resource_development - - detection.emerging_threats + - attack.resource-development + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml index 4a5f5f8ec09..22a24d09e71 100644 --- a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml +++ b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml @@ -9,18 +9,18 @@ references: - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ - https://twitter.com/SBousseaden/status/1207671369963646976 author: Florian Roth (Nextron Systems), frack113 -date: 2019/12/20 -modified: 2022/10/09 +date: 2019-12-20 +modified: 2022-10-09 tags: - attack.discovery - attack.t1012 - - attack.defense_evasion + - attack.defense-evasion - attack.t1036.004 - attack.t1027 - attack.execution - attack.t1053.005 - attack.t1059.001 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml index 9510e2acf60..4507c1bb2bf 100644 --- a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml +++ b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml 
@@ -7,18 +7,18 @@ references: - https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf - https://twitter.com/SBousseaden/status/1207671369963646976 author: Florian Roth (Nextron Systems), frack113 -date: 2019/12/20 -modified: 2022/11/27 +date: 2019-12-20 +modified: 2022-11-27 tags: - attack.discovery - attack.t1012 - - attack.defense_evasion + - attack.defense-evasion - attack.t1036.004 - attack.t1027 - attack.execution - attack.t1053.005 - attack.t1059.001 - - detection.emerging_threats + - detection.emerging-threats logsource: product: windows service: security diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yml index 4d369797354..1cc2c265b00 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yml @@ -5,13 +5,13 @@ description: Detects CVE-2020-0688 Exploitation attempts references: - https://github.com/Ridter/cve-2020-0688 author: NVISO -date: 2020/02/27 -modified: 2023/01/02 +date: 2020-02-27 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.0688 - - detection.emerging_threats + - cve.2020-0688 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yml index 6533e9cc082..1cddc0fb054 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yml 
@@ -5,13 +5,13 @@ description: Detects the exploitation of Microsoft Exchange vulnerability as des references: - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ author: Florian Roth (Nextron Systems) -date: 2020/02/29 -modified: 2023/01/02 +date: 2020-02-29 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.0688 - - detection.emerging_threats + - cve.2020-0688 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml index d44814f9436..0a67c50ae4f 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml @@ -6,13 +6,13 @@ references: - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/ author: Florian Roth (Nextron Systems), wagga -date: 2020/02/29 -modified: 2022/12/25 +date: 2020-02-29 +modified: 2022-12-25 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.0688 - - detection.emerging_threats + - cve.2020-0688 + - detection.emerging-threats logsource: product: windows service: application diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yml index eeec35e3768..6ddd9475d4a 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yml 
@@ -5,13 +5,13 @@ description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass a references: - https://kb.cert.org/vuls/id/843464 author: Bhabesh Raj, Tim Shelton -date: 2020/12/27 -modified: 2023/01/02 +date: 2020-12-27 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.10148 - - detection.emerging_threats + - cve.2020-10148 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml index 3978d45b80a..32ac98e6063 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml @@ -6,17 +6,17 @@ references: - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 author: Florian Roth (Nextron Systems) -date: 2020/03/25 -modified: 2023/01/21 +date: 2020-03-25 +modified: 2023-01-21 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - attack.execution - attack.t1059.001 - attack.t1059.003 - attack.s0190 - - cve.2020.10189 - - detection.emerging_threats + - cve.2020-10189 + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml index e366ff2b7f0..8b696259f8f 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml 
+++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml @@ -5,14 +5,14 @@ description: Detects new commands that add new printer port which point to suspi references: - https://windows-internals.com/printdemon-cve-2020-1048/ author: EagleEye Team, Florian Roth -date: 2020/05/13 -modified: 2021/11/27 +date: 2020-05-13 +modified: 2021-11-27 tags: - attack.persistence - attack.execution - attack.t1059.001 - - cve.2020.1048 - - detection.emerging_threats + - cve.2020-1048 + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml index 75fd58d90b5..ef6f23a21bc 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml @@ -7,14 +7,14 @@ description: | references: - https://windows-internals.com/printdemon-cve-2020-1048/ author: EagleEye Team, Florian Roth (Nextron Systems), NVISO -date: 2020/05/13 -modified: 2024/03/25 +date: 2020-05-13 +modified: 2024-03-25 tags: - attack.persistence - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1112 - - cve.2020.1048 + - cve.2020-1048 logsource: product: windows category: registry_set diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml index 9f9435d3504..c92464cdb97 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml 
@@ -6,15 +6,15 @@ references: - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ - https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html author: Florian Roth (Nextron Systems) -date: 2020/07/15 -modified: 2022/07/12 +date: 2020-07-15 +modified: 2022-07-12 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - attack.execution - attack.t1569.002 - - cve.2020.1350 - - detection.emerging_threats + - cve.2020-1350 + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yml index 7ef1b190cdf..71e2c1cdc0b 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yml @@ -7,13 +7,13 @@ references: - https://twitter.com/jas502n/status/1321416053050667009?s=20 - https://twitter.com/sudo_sudoka/status/1323951871078223874 author: Florian Roth (Nextron Systems) -date: 2020/11/02 -modified: 2023/01/02 +date: 2020-11-02 +modified: 2023-01-02 tags: - attack.t1190 - - attack.initial_access - - cve.2020.14882 - - detection.emerging_threats + - attack.initial-access + - cve.2020-14882 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yml index 2532ee91fa4..74554a297f5 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yml 
+++ b/rules-emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yml @@ -6,13 +6,13 @@ references: - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ author: Bhabesh Raj -date: 2021/01/25 -modified: 2023/01/02 +date: 2021-01-25 +modified: 2023-01-02 tags: - attack.t1190 - - attack.initial_access - - cve.2020.28188 - - detection.emerging_threats + - attack.initial-access + - cve.2020-28188 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yml index 631b14981de..9b228f6b139 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yml @@ -6,13 +6,13 @@ references: - https://twitter.com/aboul3la/status/1286012324722155525 - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter author: Florian Roth (Nextron Systems) -date: 2021/01/07 -modified: 2023/01/02 +date: 2021-01-07 +modified: 2023-01-02 tags: - attack.t1190 - - attack.initial_access - - cve.2020.3452 - - detection.emerging_threats + - attack.initial-access + - cve.2020-3452 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yml index 02eb6308523..50d48913ffa 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yml 
@@ -8,13 +8,13 @@ references: - https://twitter.com/yorickkoster/status/1279709009151434754 - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/ author: Florian Roth (Nextron Systems) -date: 2020/07/05 -modified: 2023/01/02 +date: 2020-07-05 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.5902 - - detection.emerging_threats + - cve.2020-5902 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yml index a0e6c7d38cf..7bb5e5cd591 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yml @@ -7,14 +7,14 @@ references: - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/ - https://dmaasland.github.io/posts/citrix.html author: Florian Roth (Nextron Systems) -date: 2020/07/10 -modified: 2023/01/02 +date: 2020-07-10 +modified: 2023-01-02 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 - - cve.2020.8193 - - cve.2020.8195 - - detection.emerging_threats + - cve.2020-8193 + - cve.2020-8195 + - detection.emerging-threats logsource: category: webserver detection: diff --git a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml index 8dffd61b8fb..49aa7d15a71 100644 --- a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml +++ b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml 
@@ -8,13 +8,13 @@ description: Attempts to detect system changes made by Blue Mockingbird references: - https://redcanary.com/blog/blue-mockingbird-cryptominer/ author: Trent Liffick (@tliffick) -date: 2020/05/14 -modified: 2022/10/09 +date: 2020-05-14 +modified: 2022-10-09 tags: - attack.execution - attack.t1112 - attack.t1047 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml b/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml index f346161c7c8..b4a1693f3d7 100644 --- a/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml +++ b/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml @@ -5,11 +5,11 @@ description: Detects Turla ComRAT network communication. references: - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf author: Florian Roth (Nextron Systems) -date: 2020/05/26 -modified: 2024/02/26 +date: 2020-05-26 +modified: 2024-02-26 tags: - - attack.defense_evasion - - attack.command_and_control + - attack.defense-evasion + - attack.command-and-control - attack.t1071.001 - attack.g0010 logsource: diff --git a/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml b/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml index 2c4388fc6e9..f807c753af0 100644 --- a/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml +++ b/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml 
@@ -6,12 +6,12 @@ references: - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html - https://cyber.wtf/2021/11/15/guess-whos-back/ author: FPT.EagleEye -date: 2020/12/25 -modified: 2023/02/21 +date: 2020-12-25 +modified: 2023-02-21 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml index 242d1dfdbe2..bc4cca8e578 100644 --- a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml +++ b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml @@ -7,8 +7,8 @@ description: | references: - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new author: NVISO -date: 2020/06/09 -modified: 2024/03/20 +date: 2020-06-09 +modified: 2024-03-20 tags: - attack.persistence - attack.t1112 diff --git a/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml b/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml index 58866ae9baa..adac2bf9584 100644 --- a/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml +++ b/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml 
@@ -6,13 +6,13 @@ references: - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ author: Markus Neis, Swisscom -date: 2020/06/18 -modified: 2023/03/10 +date: 2020-06-18 +modified: 2023-03-10 tags: - attack.g0004 - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml b/rules-emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml index 6d75822d024..54ceeb2470b 100644 --- a/rules-emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml +++ b/rules-emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml @@ -7,15 +7,15 @@ references: - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/ - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/ author: Florian Roth (Nextron Systems) -date: 2020/05/08 -modified: 2023/02/13 +date: 2020-05-08 +modified: 2023-02-13 tags: - attack.execution - attack.t1204.002 - attack.t1047 - attack.impact - attack.t1490 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml b/rules-emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml index 7a4b3698fba..940bead7b82 100644 --- a/rules-emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml +++ b/rules-emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml 
@@ -9,12 +9,12 @@ references: - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20 - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ author: Florian Roth (Nextron Systems) -date: 2020/11/26 -modified: 2021/11/27 +date: 2020-11-26 +modified: 2021-11-27 tags: - attack.execution - attack.t1559 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml b/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml index 8abe44593d0..930f8267529 100644 --- a/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml +++ b/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml @@ -6,12 +6,12 @@ references: - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/ author: Florian Roth (Nextron Systems) -date: 2020/07/10 -modified: 2023/03/09 +date: 2020-07-10 +modified: 2023-03-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 - - detection.emerging_threats + - detection.emerging-threats logsource: category: process_creation product: windows diff --git a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml index 02826244920..f9741258feb 100644 --- a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml +++ b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml 
@@ -6,15 +6,15 @@ references:
     - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
     - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
 author: Tim Burrell
-date: 2020/02/07
-modified: 2023/03/09
+date: 2020-02-07
+modified: 2023-03-09
 tags:
-    - attack.credential_access
-    - attack.command_and_control
+    - attack.credential-access
+    - attack.command-and-control
     - attack.t1212
     - attack.t1071
     - attack.g0093
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: process_creation
diff --git a/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml b/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml
index da9bd3b2fbc..1bb1cba27dd 100644
--- a/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml
+++ b/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml
@@ -9,13 +9,13 @@ references:
     - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
 author: Tim Burrell
-date: 2020/02/07
-modified: 2023/01/02
+date: 2020-02-07
+modified: 2023-01-02
 tags:
-    - attack.credential_access
-    - attack.command_and_control
+    - attack.credential-access
+    - attack.command-and-control
     - attack.t1071
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     service: dns-server-analytic
diff --git a/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml b/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
index b3860c4ddae..af71f84386d 100644
--- a/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
+++ b/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
@@ -5,17 +5,17 @@ description: Detects tools and process executions used by Greenbug in their May
 references:
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
 author: Florian Roth (Nextron Systems)
-date: 2020/05/20
-modified: 2023/03/09
+date: 2020-05-20
+modified: 2023-03-09
 tags:
     - attack.g0049
     - attack.execution
     - attack.t1059.001
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1105
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1036.005
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml b/rules-emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
index 5fe0e08cc3a..0019fe9b310 100644
--- a/rules-emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
+++ b/rules-emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
@@ -2,20 +2,20 @@ title: Lazarus Group Activity
 id: 24c4d154-05a4-4b99-b57d-9b977472443a
 related:
     - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
 references:
     - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
     - https://www.hvs-consulting.de/lazarus-report/
 author: Florian Roth (Nextron Systems), wagga
-date: 2020/12/23
-modified: 2023/03/10
+date: 2020-12-23
+modified: 2023-03-10
 tags:
     - attack.g0032
     - attack.execution
     - attack.t1059
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml b/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml
index 52c4d55a351..da0ce128255 100644
--- a/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml
+++ b/rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml
@@ -5,12 +5,12 @@ description: Detects registry key used by Leviathan APT in Malaysian focused cam
 references:
     - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
 author: Aidan Bracher
-date: 2020/07/07
-modified: 2023/09/19
+date: 2020-07-07
+modified: 2023-09-19
 tags:
     - attack.persistence
     - attack.t1547.001
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: registry_event
     product: windows
diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
index c383d3d1b90..3ae86ca4a96 100644
--- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
+++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
@@ -5,12 +5,12 @@ description: Detects a specific process creation patterns as seen used by UNC245
 references:
     - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 author: Florian Roth (Nextron Systems)
-date: 2021/01/22
-modified: 2023/09/12
+date: 2021-01-22
+modified: 2023-09-12
 tags:
     - attack.execution
     - attack.t1059.001
-    - detection.emerging_threats
+    - detection.emerging-threats
     # - sunburst
     # - unc2452
 logsource:
diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
index d4fdd2f6bbd..43bdcd5a055 100644
--- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
+++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
@@ -7,13 +7,13 @@ references:
     - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
 author: Florian Roth (Nextron Systems)
-date: 2021/01/20
-modified: 2022/10/09
+date: 2021-01-20
+modified: 2022-10-09
 tags:
     - attack.execution
     - attack.t1059.001
     - attack.t1047
-    - detection.emerging_threats
+    - detection.emerging-threats
     # - sunburst
 logsource:
     category: process_creation
diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
index 099f44914a8..64db6e2a668 100644
--- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
+++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
@@ -5,12 +5,12 @@ description: Detects suspicious inline VBScript keywords as used by UNC2452
 references:
     - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 author: Florian Roth (Nextron Systems)
-date: 2021/03/05
-modified: 2022/10/09
+date: 2021-03-05
+modified: 2022-10-09
 tags:
     - attack.persistence
     - attack.t1547.001
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yml
index 6cb4f1ab618..4df6bafda30 100644
--- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yml
+++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yml
@@ -6,12 +6,12 @@ references:
     - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
     - https://www.anquanke.com/post/id/226029
 author: Florian Roth (Nextron Systems)
-date: 2020/12/17
-modified: 2023/01/02
+date: 2020-12-17
+modified: 2023-01-02
 tags:
     - attack.persistence
     - attack.t1505.003
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
index b22f9316058..389743136a4 100644
--- a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
+++ b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
@@ -5,12 +5,12 @@ description: Detects specific process characteristics of Chinese TAIDOOR RAT mal
 references:
     - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 author: Florian Roth (Nextron Systems)
-date: 2020/07/30
-modified: 2021/11/27
+date: 2020-07-30
+modified: 2021-11-27
 tags:
     - attack.execution
     - attack.t1055.001
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
index fef1944010b..ca664b055a8 100644
--- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
+++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
@@ -5,13 +5,13 @@ description: Detects specific process characteristics of Winnti malware noticed
 references:
     - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
 author: Florian Roth (Nextron Systems), Markus Neis
-date: 2020/02/01
-modified: 2021/11/27
+date: 2020-02-01
+modified: 2021-11-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1574.002
     - attack.g0044
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
index 4bc4e518026..98bc54074b8 100644
--- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
+++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
@@ -5,13 +5,13 @@ description: Detects specific process characteristics of Winnti Pipemon malware
 references:
     - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
 author: Florian Roth (Nextron Systems), oscd.community
-date: 2020/07/30
-modified: 2021/11/27
+date: 2020-07-30
+modified: 2021-11-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1574.002
     - attack.g0044
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
index 6fb8305303b..672fda3460e 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
@@ -7,10 +7,10 @@ references:
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
 author: Sittikorn S, Nuttakorn T, Tim Shelton
-date: 2021/07/01
-modified: 2023/10/23
+date: 2021-07-01
+modified: 2023-10-23
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1055
 logsource:
     category: antivirus
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml
index 732e60b13cd..13082f6a4b0 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml
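Review bot: In the av_printernightmare_cve_2021_34527.yml hunk the rewritten tag list holds only `attack.privilege-escalation` and `attack.t1055`, so this rule still lacks the `cve.2021-1675`, `cve.2021-34527` and `detection.emerging-threats` tags that the sibling PrintNightmare rules in the same directory carry after this commit. The rule lives under rules-emerging-threats and references both MSRC advisories, so adding `    - cve.2021-34527` and `    - detection.emerging-threats` would keep it reachable by the same tag filters as its siblings. If the omission is deliberate because this is a generic antivirus-signature match, a short comment above `tags:` saying so would stop the next normalisation sweep from re-raising it.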
@@ -7,15 +7,15 @@ references:
     - https://github.com/afwu/PrintNightmare
     - https://github.com/cube0x0/CVE-2021-1675
 author: Florian Roth (Nextron Systems)
-date: 2021/06/29
-modified: 2022/12/25
+date: 2021-06-29
+modified: 2022-12-25
 tags:
     - attack.execution
-    - attack.privilege_escalation
-    - attack.resource_development
+    - attack.privilege-escalation
+    - attack.resource-development
     - attack.t1587
-    - cve.2021.1675
-    - detection.emerging_threats
+    - cve.2021-1675
+    - detection.emerging-threats
 logsource:
     category: file_event
     product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
index 316cbe81d02..008aa75f77f 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
@@ -7,13 +7,13 @@ references:
     - https://github.com/afwu/PrintNightmare
     - https://twitter.com/fuzzyf10w/status/1410202370835898371
 author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton
-date: 2021/06/30
-modified: 2022/11/15
+date: 2021-06-30
+modified: 2022-11-15
 tags:
     - attack.execution
     - attack.t1569
-    - cve.2021.1675
-    - detection.emerging_threats
+    - cve.2021-1675
+    - detection.emerging-threats
 logsource:
     product: windows
     service: printservice-admin
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
index 8acc1668bda..21eec5b9d2a 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -5,13 +5,13 @@ description: Detects driver load events print service operational log that are a
 references:
     - https://twitter.com/MalwareJake/status/1410421967463731200
 author: Florian Roth (Nextron Systems)
-date: 2021/07/01
-modified: 2022/10/09
+date: 2021-07-01
+modified: 2022-10-09
 tags:
     - attack.execution
     - attack.t1569
-    - cve.2021.1675
-    - detection.emerging_threats
+    - cve.2021-1675
+    - detection.emerging-threats
 logsource:
     product: windows
     service: printservice-operational
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
index ba211de2ffa..8d6ca93027d 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
@@ -5,14 +5,14 @@ description: Detects remote printer driver load from Detailed File Share in Secu
 references:
     - https://twitter.com/INIT_3/status/1410662463641731075
 author: INIT_6
-date: 2021/07/02
-modified: 2022/10/05
+date: 2021-07-02
+modified: 2022-10-05
 tags:
     - attack.execution
     - attack.t1569
-    - cve.2021.1675
-    - cve.2021.34527
-    - detection.emerging_threats
+    - cve.2021-1675
+    - cve.2021-34527
+    - detection.emerging-threats
 logsource:
     product: windows
     service: security
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yml
index 07307428a61..f418142bf3e 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yml
@@ -6,13 +6,13 @@ references:
     - https://twitter.com/pyn3rd/status/1351696768065409026
     - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
 author: Bhabesh Raj
-date: 2021/01/20
-modified: 2023/01/02
+date: 2021-01-20
+modified: 2023-01-02
 tags:
     - attack.t1190
-    - attack.initial_access
-    - cve.2021.2109
-    - detection.emerging_threats
+    - attack.initial-access
+    - cve.2021-2109
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
index 2d26b9c5223..9bf9b01ee8f 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml
@@ -7,13 +7,13 @@ references:
     - https://f5.pm/go-59627.html
     - https://swarm.ptsecurity.com/unauth-rce-vmware
 author: Bhabesh Raj
-date: 2021/02/24
-modified: 2023/01/02
+date: 2021-02-24
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.21972
-    - detection.emerging_threats
+    - cve.2021-21972
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml
index b98bf2ccb91..f2c25cdbd09 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml
@@ -6,13 +6,13 @@ references:
     - https://twitter.com/wugeej/status/1369476795255320580
     - https://paper.seebug.org/1495/
 author: Bhabesh Raj
-date: 2020/03/10
-modified: 2023/01/02
+date: 2020-03-10
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.21978
-    - detection.emerging_threats
+    - cve.2021-21978
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yml
index 15ab5f0d55a..0c7f2e6f373 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yml
@@ -6,13 +6,13 @@ references:
     - https://kb.vmware.com/s/article/85717
     - https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server
 author: Sittikorn S
-date: 2021/09/24
-modified: 2023/01/02
+date: 2021-09-24
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.22005
-    - detection.emerging_threats
+    - cve.2021-22005
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yml
index d107b16fe65..f60a69b1a92 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yml
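Review bot: `date: 2020-03-10` in the web_cve_2021_21978_vmware_view_planner_exploit.yml hunk predates both the CVE-2021 identifier the rule tags and the March 2021 tweet it cites, so the year looks like a pre-existing typo that the format change carries over unchanged; `date: 2021-03-10` is the likely intended value, to be confirmed against the file's history. The old `2020/03/10` had the same problem, so this is not introduced here, but a commit that touches every date field is the natural place to catch it.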
@@ -5,13 +5,13 @@ description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
 references:
     - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
 author: Bhabesh Raj, Florian Roth
-date: 2021/08/19
-modified: 2023/01/02
+date: 2021-08-19
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.22123
-    - detection.emerging_threats
+    - cve.2021-22123
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yml
index 53596e987dd..6c7eac62f44 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yml
@@ -6,13 +6,13 @@ references:
     - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
     - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
 author: Sittikorn S
-date: 2021/06/29
-modified: 2023/01/02
+date: 2021-06-29
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.22893
-    - detection.emerging_threats
+    - cve.2021-22893
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
index be9db9507e2..71253eea598 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
@@ -7,15 +7,15 @@ references:
     - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
     - https://github.com/h3v0x/CVE-2021-26084_Confluence
 author: Bhabesh Raj
-date: 2021/09/08
-modified: 2023/02/13
+date: 2021-09-08
+modified: 2023-02-13
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.execution
     - attack.t1190
     - attack.t1059
-    - cve.2021.26084
-    - detection.emerging_threats
+    - cve.2021-26084
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
index 38e74f8dca5..11b367f60f0 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -8,13 +8,13 @@ references:
     - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
     - https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
 author: Sittikorn S, Nuttakorn T
-date: 2022/12/13
-modified: 2023/03/24
+date: 2022-12-13
+modified: 2023-03-24
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.26084
-    - detection.emerging_threats
+    - cve.2021-26084
+    - detection.emerging-threats
 logsource:
     category: webserver
     definition: 'Requirements: The POST request body data must be collected in order to make use of certain parts of this detection'
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yml
index 7fb0e85edfd..5b6579897b0 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yml
@@ -5,14 +5,14 @@ description: Detects the exploitation of the Wazuh RCE vulnerability described i
 references:
     - https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
 author: Florian Roth (Nextron Systems)
-date: 2021/05/22
-modified: 2023/01/02
+date: 2021-05-22
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.21978
-    - cve.2021.26814
-    - detection.emerging_threats
+    - cve.2021-21978
+    - cve.2021-26814
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
index 2814b27485e..0e58b8333ac 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
@@ -5,13 +5,13 @@ description: Detects possible successful exploitation for vulnerability describe
 references:
     - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 author: Bhabesh Raj
-date: 2021/03/03
-modified: 2023/02/07
+date: 2021-03-03
+modified: 2023-02-07
 tags:
     - attack.t1203
     - attack.execution
-    - cve.2021.26857
-    - detection.emerging_threats
+    - cve.2021-26857
+    - detection.emerging-threats
 logsource:
     category: process_creation
     product: windows
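Review bot: The web_cve_2021_26814_wzuh_rce.yml hunk keeps a `cve.2021-21978` tag (the VMware View Planner CVE of the preceding file) next to `cve.2021-26814`, and nothing in the rule's title, description or reference mentions CVE-2021-21978, so this looks like a copy-paste carry-over that the rename preserved rather than a deliberate dual tag. Unless the detection genuinely covers both, the line `    - cve.2021-21978` should be dropped so tag-based filtering does not surface this Wazuh rule for VMware incidents.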
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
index fb306ec5e9b..89f8abfb7ac 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
@@ -8,13 +8,13 @@ description: |
 references:
     - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 author: Bhabesh Raj
-date: 2021/03/03
-modified: 2022/10/09
+date: 2021-03-03
+modified: 2022-10-09
 tags:
     - attack.t1203
     - attack.execution
-    - cve.2021.26858
-    - detection.emerging_threats
+    - cve.2021-26858
+    - detection.emerging-threats
 logsource:
     category: file_event
     product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
index d71abd00859..2c303cdb6e5 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
@@ -5,12 +5,12 @@ description: When exploiting this vulnerability with CVE-2021-26858, an SSRF att
 references:
     - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: frack113
-date: 2021/08/10
-modified: 2023/05/08
+date: 2021-08-10
+modified: 2023-05-08
 tags:
-    - cve.2021.26858
-    - detection.emerging_threats
-    - attack.initial_access
+    - cve.2021-26858
+    - detection.emerging-threats
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: webserver
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml
index 137cb1afc0b..a543dbf50bf 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml
@@ -9,13 +9,13 @@ references:
     - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
     - https://github.com/murataydemir/CVE-2021-27905
 author: '@gott_cyber'
-date: 2022/12/11
-modified: 2023/03/24
+date: 2022-12-11
+modified: 2023-03-24
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.27905
-    - detection.emerging_threats
+    - cve.2021-27905
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml
index f0fa5faaf8b..71352079024 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml
@@ -5,13 +5,13 @@ description: Detects successful exploitation of Exchange vulnerability as report
 references:
     - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
 author: Florian Roth (Nextron Systems)
-date: 2021/05/14
-modified: 2023/01/02
+date: 2021-05-14
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.28480
-    - detection.emerging_threats
+    - cve.2021-28480
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml
index 9412e771010..bfb33e8837c 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml
@@ -5,13 +5,13 @@ description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerabi
 references:
     - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
 author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2023/01/02
+date: 2021-08-30
+modified: 2023-01-02
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2021.33766
-    - detection.emerging_threats
+    - cve.2021-33766
+    - detection.emerging-threats
 logsource:
     category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
index ae86571a4b8..d7170608132 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
@@ -5,13 +5,13 @@ description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-3521
 references:
     - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth (Nextron Systems)
-date: 2021/07/14
-modified: 2022/12/18
+date: 2021-07-14
+modified: 2022-12-18
 tags:
     - attack.persistence
     - attack.t1136.001
-    - cve.2021.35211
-    - detection.emerging_threats
+    - cve.2021-35211
+    - detection.emerging-threats
     # - threat_group.DEV-0322
 logsource:
     category: process_creation
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
index 5a93cde8583..7c89888a30c 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
@@ -6,12 +6,12 @@ references:
     - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
     - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
 author: Florian Roth (Nextron Systems), Sittikorn S
-date: 2021/09/10
-modified: 2023/06/22
+date: 2021-09-10
+modified: 2023-06-22
 tags:
-    - attack.resource_development
+    - attack.resource-development
     - attack.t1587
-    - detection.emerging_threats
+    - detection.emerging-threats
 logsource:
     product: windows
     category: file_event
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
index 432db6d0f6b..b3aa1b846f4 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
@@ -7,13 +7,13 @@ references:
 - https://twitter.com/neonprimetime/status/1435584010202255375
 - https://www.joesandbox.com/analysis/476188/1/iochtml
 author: Florian Roth (Nextron Systems), @neonprimetime
-date: 2021/09/08
-modified: 2023/02/04
+date: 2021-09-08
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.t1059
- - cve.2021.40444
- - detection.emerging_threats
+ - cve.2021-40444
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
index 286d33c8301..557ba1d39fa 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
@@ -7,13 +7,13 @@ references:
 - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
 author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
-date: 2022/06/02
-modified: 2023/02/04
+date: 2022-06-02
+modified: 2023-02-04
 tags:
 - attack.execution
- - attack.defense_evasion
- - cve.2021.40444
- - detection.emerging_threats
+ - attack.defense-evasion
+ - cve.2021-40444
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml
index ced6e84b8a4..10bc4a142ce 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml
@@ -5,12 +5,12 @@ description: Detects suspicious access to URLs that was noticed in cases in whic
 references:
 - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
 author: Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)
-date: 2021/09/20
-modified: 2023/01/02
+date: 2021-09-20
+modified: 2023-01-02
 tags:
- - cve.2021.40539
- - detection.emerging_threats
- - attack.initial_access
+ - cve.2021-40539
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: webserver
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
index 01de77c1e77..675291f8d77 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
@@ -7,15 +7,15 @@ references:
 - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
 - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
 author: Sittikorn S, Nuttakorn Tungpoonsup
-date: 2021/09/10
-modified: 2023/01/02
+date: 2021-09-10
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.persistence
 - attack.t1505.003
- - cve.2021.40539
- - detection.emerging_threats
+ - cve.2021-40539
+ - detection.emerging-threats
 logsource:
 category: webserver
 definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
index 435a65dfaf1..516c52d50cb 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/klinix5/InstallerFileTakeOver
 - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
 author: Florian Roth (Nextron Systems)
-date: 2021/11/22
-modified: 2022/12/25
+date: 2021-11-22
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
index 7a0472f42cd..90b5fb8cbdb 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
@@ -8,13 +8,13 @@ references:
 - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
 - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
 author: Florian Roth (Nextron Systems)
-date: 2021/11/22
-modified: 2023/02/13
+date: 2021-11-22
+modified: 2023-02-13
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - cve.2021.41379
- - detection.emerging_threats
+ - cve.2021-41379
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
index 797de7af30c..1b208b43e5f 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
@@ -5,12 +5,12 @@ description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
 references:
 - https://github.com/klinix5/InstallerFileTakeOver
 author: Florian Roth (Nextron Systems)
-date: 2021/11/22
-modified: 2022/07/12
+date: 2021-11-22
+modified: 2022-07-12
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: application
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml
index b9bec4de812..0abef9538e2 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml
@@ -15,13 +15,13 @@ references:
 - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml
 - https://twitter.com/bl4sty/status/1445462677824761878
 author: daffainfo, Florian Roth
-date: 2021/10/05
-modified: 2023/01/02
+date: 2021-10-05
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.41773
- - detection.emerging_threats
+ - cve.2021-41773
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml
index f0c139860da..3bc185978ce 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml
@@ -6,13 +6,13 @@ references:
 - https://blog.assetnote.io/2021/11/02/sitecore-rce/
 - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
 author: Florian Roth (Nextron Systems)
-date: 2021/11/17
-modified: 2023/01/02
+date: 2021-11-17
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.42237
- - detection.emerging_threats
+ - cve.2021-42237
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
index 13c9a2c6d8b..35cb6262bcd 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
@@ -11,13 +11,13 @@ description: |
 references:
 - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
 author: frack113
-date: 2021/12/15
-modified: 2023/04/14
+date: 2021-12-15
+modified: 2023-04-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
- - cve.2021.42278
- - detection.emerging_threats
+ - cve.2021-42278
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
index 3e1920597c6..fb9a6778a28 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
@@ -5,12 +5,12 @@ description: Detects the renaming of an existing computer account to a account n
 references:
 - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
 author: Florian Roth (Nextron Systems)
-date: 2021/12/22
-modified: 2022/12/25
+date: 2021-12-22
+modified: 2022-12-25
 tags:
- - cve.2021.42287
- - detection.emerging_threats
- - attack.defense_evasion
+ - cve.2021-42287
+ - detection.emerging-threats
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1036
 - attack.t1098
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml
index 7de10c0cc17..0aa78725964 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml
@@ -6,13 +6,13 @@ references:
 - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
 - https://github.com/search?q=CVE-2021-43798
 author: Florian Roth (Nextron Systems)
-date: 2021/12/08
-modified: 2023/01/02
+date: 2021-12-08
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.43798
- - detection.emerging_threats
+ - cve.2021-43798
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
index 579b9f5fb5d..ff82a21b5bb 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
@@ -6,11 +6,11 @@ references:
 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
 - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/06
+date: 2022-06-06
 tags:
 - attack.execution
- - cve.2021.44077
- - detection.emerging_threats
+ - cve.2021-44077
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
index 28a988627e8..4ca92e77352 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml
@@ -10,12 +10,12 @@ references:
 - https://github.com/YfryTchsGD/Log4jAttackSurface
 - https://twitter.com/shutingrz/status/1469255861394866177?s=21
 author: Florian Roth (Nextron Systems)
-date: 2021/12/10
-modified: 2022/02/06
+date: 2021-12-10
+modified: 2022-02-06
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
index 8707f74931c..f32e05d83c3 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml
@@ -10,13 +10,13 @@ references:
 - https://github.com/YfryTchsGD/Log4jAttackSurface
 - https://twitter.com/shutingrz/status/1469255861394866177?s=21
 author: Florian Roth (Nextron Systems)
-date: 2021/12/10
-modified: 2023/01/02
+date: 2021-12-10
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.44228
- - detection.emerging_threats
+ - cve.2021-44228
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml
index b7ac162c2f2..d26e16850ea 100644
--- a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml
+++ b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml
@@ -7,12 +7,12 @@ references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 author: Florian Roth (Nextron Systems), Rich Warren
-date: 2021/08/07
-modified: 2023/01/02
+date: 2021-08-07
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yml b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yml
index b0389a2d1cf..380619555d5 100644
--- a/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yml
+++ b/rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yml
@@ -7,11 +7,11 @@ references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 author: Florian Roth (Nextron Systems), Rich Warren
-date: 2021/08/09
-modified: 2023/01/02
+date: 2021-08-09
+modified: 2023-01-02
 tags:
- - attack.initial_access
- - detection.emerging_threats
+ - attack.initial-access
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
index 150db91d60c..e44c7aef98f 100644
--- a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/j0nh4t/status/1429049506021138437
 - https://streamable.com/q2dsji
 author: Florian Roth (Nextron Systems), Maxime Thiebaut
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1553
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml b/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
index 3cec35fb5c5..823044399a7 100644
--- a/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
+++ b/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
@@ -5,12 +5,12 @@ description: Detects an exploitation attempt of SystemNightmare in order to obta
 references:
 - https://github.com/GossiTheDog/SystemNightmare
 author: Florian Roth (Nextron Systems)
-date: 2021/08/11
-modified: 2023/02/04
+date: 2021-08-11
+modified: 2023-02-04
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yml b/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yml
index 58e4efd6d7b..a477851bd9c 100644
--- a/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yml
@@ -6,12 +6,12 @@ references:
 - https://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
 - https://github.com/darrenmartyn/VisualDoor
 author: Florian Roth (Nextron Systems)
-date: 2021/01/25
-modified: 2023/04/27
+date: 2021-01-25
+modified: 2023-04-27
 tags:
 - attack.t1190
- - attack.initial_access
- - detection.emerging_threats
+ - attack.initial-access
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
index f579a65b1ba..1fc3b0f0756 100644
--- a/rules-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -6,15 +6,15 @@ references:
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
 author: Sittikorn S
-date: 2021/07/16
-modified: 2022/10/09
+date: 2021-07-16
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1566
 - attack.t1203
- - cve.2021.33771
- - cve.2021.31979
- - detection.emerging_threats
+ - cve.2021-33771
+ - cve.2021-31979
+ - detection.emerging-threats
 # - threat_group.Sourgum
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
index 5f241efdc07..16223daa0cd 100644
--- a/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -6,15 +6,15 @@ references:
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
 author: Sittikorn S, frack113
-date: 2021/07/16
-modified: 2023/08/17
+date: 2021-07-16
+modified: 2023-08-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1566
 - attack.t1203
- - cve.2021.33771
- - cve.2021.31979
- - detection.emerging_threats
+ - cve.2021-33771
+ - cve.2021-31979
+ - detection.emerging-threats
 # - threat_group.Sourgum
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2021/Exploits/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml b/rules-emerging-threats/2021/Exploits/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
index e60ac7f602d..5ededa21ae8 100644
--- a/rules-emerging-threats/2021/Exploits/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
+++ b/rules-emerging-threats/2021/Exploits/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml
@@ -7,14 +7,14 @@ references:
 - https://www.tenable.com/security/research/tra-2021-13
 - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
 author: Bhabesh Raj
-date: 2021/08/24
-modified: 2023/01/02
+date: 2021-08-24
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2021.20090
- - cve.2021.20091
- - detection.emerging_threats
+ - cve.2021-20090
+ - cve.2021-20091
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml b/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
index d9a60810995..de165f3e921 100644
--- a/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
+++ b/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
@@ -5,12 +5,12 @@ description: Detects log entries that appear in exploitation attempts against MS
 references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
 author: 'Florian Roth (Nextron Systems), @testanull'
-date: 2021/11/18
-modified: 2022/07/12
+date: 2021-11-18
+modified: 2022-07-12
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: msexchange-management
diff --git a/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml b/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
index 2ad066df41e..e5cf9ef8ab1 100644
--- a/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
+++ b/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
@@ -5,12 +5,12 @@ description: Detects command line patterns used by BlackByte ransomware in diffe
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
 author: Florian Roth (Nextron Systems)
-date: 2022/02/25
-modified: 2023/02/08
+date: 2022-02-25
+modified: 2023-02-08
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1485
 - attack.t1498
diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
index 976f3b30286..5c8f564dcd2 100644
--- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
+date: 2021-08-09
 tags:
 - attack.t1587.001
- - attack.resource_development
- - detection.emerging_threats
+ - attack.resource-development
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
index 2c2bf7a2055..db7fd1bbee7 100644
--- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2022/10/09
+date: 2021-08-09
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1560
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
index 20e375e635b..787152827e7 100644
--- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
@@ -6,13 +6,13 @@ references:
 - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
 - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
 author: frack113
-date: 2021/10/12
-modified: 2023/02/13
+date: 2021-10-12
+modified: 2023-02-13
 tags:
 - attack.impact
 - attack.s0575
 - attack.t1486
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
index f8dc2143157..442bd20391d 100644
--- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
@@ -7,12 +7,12 @@ references:
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
 author: frack113
-date: 2021/08/16
-modified: 2023/05/04
+date: 2021-08-16
+modified: 2023-05-04
 tags:
 - attack.collection
 - attack.t1005
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml b/rules-emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
index 57bf12bbe04..5950a1b1a0e 100644
--- a/rules-emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
+++ b/rules-emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
@@ -7,11 +7,11 @@ references:
 - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
 - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
 author: Florian Roth (Nextron Systems)
-date: 2021/05/14
+date: 2021-05-14
 tags:
 - attack.execution
 - attack.t1204
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
index 63368bd53f0..2608a626942 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
@@ -5,10 +5,10 @@ description: Detects the creation of ".xml" and ".txt" files in folders of the "
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
 tags:
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
index b0c3624769e..d7c89048310 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
@@ -9,11 +9,11 @@ references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 - https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
 author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
-date: 2023/05/15
+date: 2023-05-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml
index a741e1530cf..9126575839e 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml
@@ -5,11 +5,11 @@ description: Detects potential C2 communication related to Devil Bait malware
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2023/08/23
+date: 2023-05-15
+modified: 2023-08-23
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml b/rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml
index 18c657f76d1..25f5f5fd5ca 100644
--- a/rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml
+++ b/rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml
@@ -5,12 +5,12 @@ description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb
 references:
 - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
 author: Florian Roth (Nextron Systems)
-date: 2021/09/27
-modified: 2022/12/09
+date: 2021-09-27
+modified: 2022-12-09
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: image_load
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
index a011d515529..65988e33261 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
@@ -5,11 +5,11 @@ description: Detects malicious indicators seen used by the Goofy Guineapig malwa
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/14
+date: 2023-05-14
 tags:
 - attack.execution
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
index 1b60f29cf72..73d6976a29f 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
@@ -5,10 +5,10 @@ description: Detects a specific broken command that was used by Goofy-Guineapig
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: X__Junior (Nextron Systems)
-date: 2023/05/14
+date: 2023-05-14
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
index b01465ca713..7cd983b2d59 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
@@ -5,10 +5,10 @@ description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
 tags:
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml
index 56a12c8c75b..a41ba72d85f 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml
@@ -5,10 +5,10 @@ description: Detects potential C2 communication related to Goofy Guineapig backd
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/14
+date: 2023-05-14
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
index a4f6d9eef59..3775939eeb0 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
@@ -5,10 +5,10 @@ description: Detects service creation persistence used by the Goofy Guineapig ba
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml b/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml
index 3a0a1f288af..861eee5430c 100644
--- a/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml
+++ b/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml
@@ -8,13 +8,13 @@ description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in
 references:
 - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 author: Bhabesh Raj
-date: 2021/05/06
-modified: 2023/05/05
+date: 2021-05-06
+modified: 2023-05-05
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
index 743db3a5161..0abc66e0466 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
@@ -11,12 +11,12 @@ references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
 author: Bhabesh Raj
-date: 2021/05/05
-modified: 2023/02/17
+date: 2021-05-05
+modified: 2023-02-17
 tags:
 - attack.persistence
 - attack.t1574.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
index ad9a1165aa5..8c00d5ef04b 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
@@ -11,12 +11,12 @@ references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
 author: Bhabesh Raj
-date: 2021/05/05
-modified: 2023/02/17
+date: 2021-05-05
+modified: 2023-02-17
 tags:
 - attack.persistence
 - attack.t1574.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: image_load
diff --git a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
index f928d1f1cd6..0e132ce404d 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
@@ -11,12 +11,12 @@ references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
 author: Bhabesh Raj
-date: 2021/05/05
-modified: 2023/02/17
+date: 2021-05-05
+modified: 2023-02-17
 tags:
 - attack.persistence
 - attack.t1574.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
index 69b13e62a02..291cfbe4d06 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
@@ -5,11 +5,11 @@ description: Detects filename indicators that contain a specific typo seen used
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2023/05/19
+date: 2023-05-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
index ed55aa604bd..086615fd328 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
@@ -5,11 +5,11 @@ description: Detects specific command line argument being passed to a binary as
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
+date: 2023-05-19
 tags:
 - attack.persistence
 - attack.t1574.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
index 45e49e8d3ed..545a8be9807 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
@@ -5,10 +5,10 @@ description: Detects potential C2 communication related to Small Sieve malware
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
+date: 2023-05-19
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
index 43c0d8a9f61..7b64efe9664 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
@@ -5,11 +5,11 @@ description: Detects registry value with specific intentional typo and strings s
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
-modified: 2023/08/17
+date: 2023-05-19
+modified: 2023-08-17
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
index 64f9681128e..df22ca9ee5a 100644
--- a/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
+++ b/rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
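Review bot: The context line ` - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf` in proxy_malware_small_sieve_telegram_communication.yml points at the Goofy Guineapig report, while the other Small Sieve rules in this chunk reference `.../small-sieve/NCSC-MAR-Small-Sieve.pdf`. This looks like a copy-paste slip that the commit leaves in place; since the hunk is already rewriting this rule's metadata, the reference could be corrected in the same pass and `modified:` bumped accordingly. The detection section of the rule is outside the hunk, so I cannot confirm which report its indicators actually come from.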
@@ -9,14 +9,14 @@ references:
 - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
 - https://twitter.com/BleepinComputer/status/1372218235949617161
 author: Florian Roth (Nextron Systems)
-date: 2021/03/09
-modified: 2023/03/09
+date: 2021-03-09
+modified: 2023-03-09
 tags:
 - attack.persistence
 - attack.t1546
 - attack.t1053
 - attack.g0125
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml b/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml
index d09df9fad37..7fe447f135e 100644
--- a/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml
+++ b/rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml
@@ -6,13 +6,13 @@ references:
 - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 author: Florian Roth (Nextron Systems)
-date: 2021/03/03
-modified: 2023/01/02
+date: 2021-03-03
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.g0125
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml b/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
index d03b4361dc1..94bb8647c6c 100644
--- a/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
+++ b/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
@@ -9,13 +9,13 @@ references:
 - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
 - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
 author: Florian Roth (Nextron Systems)
-date: 2021/07/03
-modified: 2022/05/20
+date: 2021-07-03
+modified: 2022-05-20
 tags:
 - attack.execution
 - attack.t1059
 - attack.g0115
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml b/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
index 445a5db8135..3e2f5523118 100644
--- a/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
+++ b/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
@@ -5,13 +5,13 @@ description: Detects an image load pattern as seen when a tool named PRIVATELOG
 references:
 - https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
 author: Florian Roth (Nextron Systems)
-date: 2021/09/07
-modified: 2022/10/09
+date: 2021-09-07
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: image_load
 product: windows
diff --git a/rules-emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml b/rules-emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
index 23ce3055ebc..51aba798f31 100644
--- a/rules-emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
+++ b/rules-emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
@@ -7,14 +7,14 @@ references:
 - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 author: MSTIC, FPT.EagleEye
-date: 2021/06/15
-modified: 2022/10/09
+date: 2021-06-15
+modified: 2022-10-09
 tags:
 - attack.t1546
 - attack.t1546.015
 - attack.persistence
- - attack.privilege_escalation
- - detection.emerging_threats
+ - attack.privilege-escalation
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yml b/rules-emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yml
index 3dff842efb7..74cf3dfcb21 100644
--- a/rules-emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yml
+++ b/rules-emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yml
@@ -5,12 +5,12 @@ description: Detects access to DEWMODE webshell as described in FIREEYE report
 references:
 - https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion
 author: Florian Roth (Nextron Systems)
-date: 2021/02/22
-modified: 2023/01/02
+date: 2021-02-22
+modified: 2023-01-02
 tags:
 - attack.persistence
 - attack.t1505.003
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
index 30168bc4ff5..9111b00b07b 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
@@ -5,12 +5,12 @@ description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumpe
 references:
 - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/12
+date: 2023-04-12
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.execution
- - cve.2023.21554
- - detection.emerging_threats
+ - cve.2023-21554
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml
index c08e2900633..9deaf0c716b 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml
@@ -8,12 +8,12 @@ references:
 - https://github.com/hieuminhnv/CVE-2022-21587-POC
 - https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
 author: Isa Almannaei
-date: 2023/02/13
+date: 2023-02-13
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.21587
- - detection.emerging_threats
+ - cve.2022-21587
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
index a1034de7429..de600e03baa 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
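Review bot: The tag rewritten to `+ - cve.2023-21554` and the hunk's own description line `CVE-2023-21554 (dubbed QueueJumpe…` disagree with the directory the file lives in, `rules-emerging-threats/2022/Exploits/CVE-2022-21554/`, which this commit does not touch. Unless the 2022 identifier is deliberate, both the directory name and the `2022` year bucket look like a typo for the 2023 CVE, and anyone locating rules by CVE path will miss this one; the commit is a good moment to reconcile them since it is already normalising the `cve.*` tags. Only the metadata block is in the hunk, so I cannot see whether the detection itself says anything more about the identifier.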
@@ -5,12 +5,12 @@ description: Detects files created during the local privilege exploitation of CV
 references:
 - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
 author: Florian Roth (Nextron Systems)
-date: 2022/04/13
+date: 2022-04-13
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1059.001
- - cve.2022.24527
- - detection.emerging_threats
+ - cve.2022-24527
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
index 5c46a52bbec..3d5ee19a1f8 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml
@@ -8,15 +8,15 @@ references:
 - https://twitter.com/cyb3rops/status/1514217991034097664
 - https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
 author: Florian Roth (Nextron Systems)
-date: 2022/04/13
-modified: 2023/02/03
+date: 2022-04-13
+modified: 2023-02-03
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.execution
 - attack.t1569.002
- - cve.2022.26809
- - detection.emerging_threats
+ - cve.2022-26809
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml
index 8902fad19a0..fcd65df6e60 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml
@@ -7,13 +7,13 @@ references:
 - https://www.yang99.top/index.php/archives/82/
 - https://github.com/vnhacker1337/CVE-2022-27925-PoC
 author: '@gott_cyber'
-date: 2022/08/17
-modified: 2023/01/02
+date: 2022-08-17
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.27925
- - detection.emerging_threats
+ - cve.2022-27925
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
index 8cd0fe17492..dc5bd970f8f 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
@@ -9,12 +9,12 @@ references:
 - https://github.com/kagancapar/CVE-2022-29072
 - https://twitter.com/kagancapar/status/1515219358234161153
 author: frack113
-date: 2022/04/17
-modified: 2023/02/07
+date: 2022-04-17
+modified: 2023-02-07
 tags:
 - attack.execution
- - cve.2022.29072
- - detection.emerging_threats
+ - cve.2022-29072
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml
index debb9be8298..45b141547df 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml
@@ -6,10 +6,10 @@ references:
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
 - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
 author: Sittikorn S
-date: 2020/05/31
-modified: 2023/08/17
+date: 2020-05-31
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1221
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml
index 051ba454096..b7d3bc82d72 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml
@@ -8,13 +8,13 @@ description: |
 references:
 - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2023/01/02
+date: 2022-08-12
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.31656
- - detection.emerging_threats
+ - cve.2022-31656
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
index 01ef72fc07d..02ddd4061e1 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml
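Review bot: The rewritten `+date: 2020-05-31` in registry_set_exploit_cve_2022_30190_msdt_follina.yml keeps a year that predates the CVE the rule detects; the references in the same hunk point to MSRC guidance published under `.../2022/05/30/...`, so the creation date is most likely `2022-05-31`. The commit converts the format but preserves the apparent typo, and since the line is being rewritten anyway this is the cheapest moment to fix it. This rule also lacks the `detection.emerging-threats` and `cve.*` tags that its sibling rules in this chunk carry, which may or may not be intentional.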
@@ -5,13 +5,13 @@ description: Detects possible exploitation of VMware Workspace ONE Access Admin
 references:
 - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2023/01/02
+date: 2022-08-12
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.31659
- - detection.emerging_threats
+ - cve.2022-31659
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml
index ec4286e571c..cd7829b9239 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml
@@ -7,13 +7,13 @@ references:
 - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
 - https://github.com/apache/spark/pull/36315/files
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/19
-modified: 2023/01/02
+date: 2022-07-19
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.33891
- - detection.emerging_threats
+ - cve.2022-33891
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
index 161dd5a6a5c..5faef40266c 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml
@@ -8,13 +8,13 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html
 - https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/29
-modified: 2023/01/02
+date: 2022-09-29
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.36804
- - detection.emerging_threats
+ - cve.2022-36804
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml
index 93a744cd75d..8fddcaa4268 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml
@@ -6,9 +6,9 @@ references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/22
+date: 2022-12-22
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: proxy
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
index bbfdda302a3..23f5815f794 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
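Review bot: The file header `diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml` names CVE-2022-36804 (the Bitbucket issue of the preceding hunk) although the rule sits under CVE-2022-41082 and its references cover the Exchange OWASSRF chain (`cve-2022-41080-cve-2022-41082-...`); the same filename mismatch affects `proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml` and both `web_cve_2022_36804_exchange_owassrf_*.yml` files on the next two lines. Unlike the other CVE rules in this chunk, none of these four carries a `cve.*` tag, so the tag list `+ - attack.initial-access` / ` - attack.t1190` could also gain `cve.2022-41082` if the project tags CVE rules consistently. Renaming the files is outside this metadata pass but is worth a follow-up so path-based lookups stop pointing at the wrong CVE.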
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
@@ -7,9 +7,9 @@ references:
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/22
+date: 2022-12-22
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: proxy
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml
index 89ef59b0358..7d7ee44df45 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml
@@ -6,12 +6,12 @@ references:
 - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/22
-modified: 2023/01/02
+date: 2022-12-22
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
index af04159771c..ccae761baff 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
@@ -7,12 +7,12 @@ references:
 - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
 - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/22
-modified: 2023/01/02
+date: 2022-12-22
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
index 0b02f74d85f..f0cf1fe2ee6 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
@@ -7,13 +7,13 @@ references:
 - https://twitter.com/filip_dragovic/status/1590052248260055041
 - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
-date: 2022/11/10
-modified: 2023/10/23
+date: 2022-11-10
+modified: 2023-10-23
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - cve.2022.41120
- - detection.emerging_threats
+ - cve.2022-41120
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
index 37f152df342..f483b6e47d1 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
@@ -8,11 +8,11 @@ references:
 - https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
 - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
 author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
-date: 2024/02/08
+date: 2024-02-08
 tags:
- - attack.initial_access
- - cve.2022.42475
- - detection.emerging_threats
+ - attack.initial-access
+ - cve.2022-42475
+ - detection.emerging-threats
 logsource:
 product: fortios
 service: sslvpnd
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
index 9c1ef9ed6b1..675ac8c9d0e 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml
@@ -6,12 +6,12 @@ references:
 - https://seclists.org/fulldisclosure/2023/Jan/1
 - https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/20
+date: 2023-01-20
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.44877
- - detection.emerging_threats
+ - cve.2022-44877
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
index 649685829f5..a057ec3e30d 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml
@@ -7,13 +7,13 @@ references:
 - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
 - https://github.com/rapid7/metasploit-framework/pull/17407
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/27
-modified: 2023/01/02
+date: 2022-12-27
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2022.46169
- - detection.emerging_threats
+ - cve.2022-46169
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
index e4c1f2d2600..ceb837f93a8 100644
--- a/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
+++ b/rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
@@ -5,11 +5,11 @@ description: Detect access to files and shares with names and extensions used by
 references:
 - https://unit42.paloaltonetworks.com/bluesky-ransomware/
 author: j4son
-date: 2023/05/23
+date: 2023-05-23
 tags:
 - attack.impact
 - attack.t1486
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
index 0b71e049a6a..58e81dd9701 100644
--- a/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
+++ b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
@@ -5,13 +5,13 @@ description: Detects remote thread injection events based on action seen used by
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/27
+date: 2022-09-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.011
 - attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: create_remote_thread
diff --git a/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml b/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
index 7abb433b491..6e387929610 100644
--- a/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
+++ b/rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
@@ -5,13 +5,13 @@ description: Detects process execution patterns found in intrusions related to t
 references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
 author: Florian Roth (Nextron Systems)
-date: 2022/02/25
-modified: 2022/09/09
+date: 2022-02-25
+modified: 2022-09-09
 tags:
 - attack.execution
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
index e8800536468..49395ce7dfe 100644
--- a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
+++ b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
@@ -5,11 +5,11 @@ description: Detects commandline containing reference to files ending with a "."
 author: Nasreddine Bencherchali (Nextron Systems)
 references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
-date: 2022/10/28
-modified: 2023/02/05
+date: 2022-10-28
+modified: 2023-02-05
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
index bbf92d0e55b..68638151073 100644
--- a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
+++ b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
@@ -5,12 +5,12 @@ description: This rule detects the execution of the extended storage procedure b
 references:
 - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
 author: Denis Szadkowski, DIRT / DCSO CyTec
-date: 2022/10/09
-modified: 2022/10/09
+date: 2022-10-09
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1546
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: application
diff --git a/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml b/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
index bd763eebf38..d8f9daa99c2 100644
--- a/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
+++ b/rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
@@ -5,13 +5,13 @@ description: Detects specific process parameters as used by ACTINIUM scheduled t
 references:
 - https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
 author: Andreas Hunkeler (@Karneades)
-date: 2022/02/07
-modified: 2023/03/18
+date: 2022-02-07
+modified: 2023-03-18
 tags:
 - attack.persistence
 - attack.t1053
 - attack.t1053.005
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml b/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
index f2b09fcbdd2..6ba6df87dbf 100644
--- a/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
+++ b/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
@@ -5,13 +5,13 @@ description: Detects suspicious command line patterns seen being used by MERCURY
 references:
 - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/26
-modified: 2023/03/10
+date: 2022-08-26
+modified: 2023-03-10
 tags:
 - attack.execution
 - attack.t1059.001
 - attack.g0069
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml
index 914e5b02c97..8740d34657b 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml
@@ -8,12 +8,12 @@ references:
 - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
 - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
 author: Nasreddine Bencherchali (Nextron Systems), Rohit Jain
-date: 2024/06/25
+date: 2024-06-25
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.1389
+ - cve.2023-1389
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml
index 751e476b51d..435b685782f 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml
@@ -6,11 +6,11 @@ references:
 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
 - https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
 author: Lars B. P. Frydenskov (Trifork Security)
-date: 2023/10/20
+date: 2023-10-20
 tags:
- - attack.privilege_escalation
- - attack.initial_access
- - detection.emerging_threats
+ - attack.privilege-escalation
+ - attack.initial-access
+ - detection.emerging-threats
 logsource:
 product: cisco
 service: syslog
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml
index 244cb6ae49f..f8536343146 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml
@@ -11,14 +11,14 @@ references:
 - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
 - https://github.com/ForceFledgling/CVE-2023-22518
 author: Andreas Braathen (mnemonic.io)
-date: 2023/11/14
+date: 2023-11-14
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.execution
 - attack.t1059
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.22518
+ - cve.2023-22518
 logsource:
 category: process_creation
 product: linux
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
index 0177ca6d902..c4644193a21 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
@@ -11,14 +11,14 @@ references:
 - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
 - https://github.com/ForceFledgling/CVE-2023-22518
 author: Andreas Braathen (mnemonic.io)
-date: 2023/11/14
+date: 2023-11-14
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.execution
 - attack.t1059
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.22518
+ - cve.2023-22518
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml
index 7abb0ab2c76..195eddee17d 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml
@@ -11,12 +11,12 @@ references:
 - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
 - https://github.com/ForceFledgling/CVE-2023-22518
 author: Andreas Braathen (mnemonic.io)
-date: 2023/11/14
+date: 2023-11-14
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.22518
+ - cve.2023-22518
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml
index 431dcd2e524..9d49404ce96 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml
@@ -11,12 +11,12 @@ references:
 - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
 - https://github.com/ForceFledgling/CVE-2023-22518
 author: Andreas Braathen (mnemonic.io)
-date: 2023/11/14
+date: 2023-11-14
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.22518
+ - cve.2023-22518
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
index cc8c4871a88..b23322796e8 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
@@ -9,12 +9,12 @@ references:
 - https://www.blumira.com/cve-2023-2283/
 - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
 author: Florian Roth (Nextron Systems)
-date: 2023/06/09
+date: 2023-06-09
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.2283
- - detection.emerging_threats
+ - cve.2023-2283
+ - detection.emerging-threats
 logsource:
 product: linux
 service: sshd
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
index 0fa291b5da9..7692901a2f0 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
@@ -5,13 +5,13 @@ description: Detects changes to the registry values related to outlook that indi
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/05
-modified: 2023/08/17
+date: 2023-04-05
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1137
- - cve.2023.23397
- - detection.emerging_threats
+ - cve.2023-23397
+ - detection.emerging-threats
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
index 339cf4adaa4..22d3d975120 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
@@ -3,15 +3,15 @@ id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
 status: test
 description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
 author: Robert Lee @quantum_cookie
-date: 2023/03/16
-modified: 2023/03/22
+date: 2023-03-16
+modified: 2023-03-22
 references:
 - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
 tags:
- - attack.credential_access
- - attack.initial_access
- - cve.2023.23397
- - detection.emerging_threats
+ - attack.credential-access
+ - attack.initial-access
+ - cve.2023-23397
+ - detection.emerging-threats
 logsource:
 service: security
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
index 06a5f7e2c34..3f53e26b3ed 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
@@ -5,12 +5,12 @@ description: Detects (failed) outbound connection attempts to internet facing SM
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/05
-modified: 2024/03/13
+date: 2023-04-05
+modified: 2024-03-13
 tags:
 - attack.exfiltration
- - cve.2023.23397
- - detection.emerging_threats
+ - cve.2023-23397
+ - detection.emerging-threats
 logsource:
 product: windows
 service: smbclient-connectivity
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml
index 013f7bf3384..d49863552be 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml
@@ -6,12 +6,12 @@ references:
 - https://xz.aliyun.com/t/12175
 - https://twitter.com/momika233/status/1626464189261942786
 author: Bhabesh Raj
-date: 2023/02/23
+date: 2023-02-23
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.23752
- - detection.emerging_threats
+ - cve.2023-23752
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml
index f925b9797df..50c0b08df2a 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml
@@ -7,11 +7,11 @@ references:
 - https://twitter.com/parzel2/status/1665726454489915395
 - https://github.com/advisories/GHSA-7g5f-wrx8-5ccf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/14
+date: 2023-06-14
 tags:
- - attack.initial_access
- - cve.2023.25157
- - detection.emerging_threats
+ - attack.initial-access
+ - cve.2023-25157
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml
index 511b3e0cdbf..f48bbfe343d 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml
@@ -5,12 +5,12 @@ description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote
 references:
 - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/30
+date: 2023-05-30
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.25717
- - detection.emerging_threats
+ - cve.2023-25717
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml
index 730fecf86da..72a6705ec73 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml
@@ -7,12 +7,12 @@ references:
 - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
 - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
 author: Gregory
-date: 2023/10/11
+date: 2023-10-11
 tags:
 - attack.persistence
 - attack.t1505.001
- - cve.2023.27363
- - detection.emerging_threats
+ - cve.2023-27363
+ - detection.emerging-threats
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml
index 2aea39b1520..043bf3705f4 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml
@@ -10,12 +10,12 @@ references:
 - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
 - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
 author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/28
+date: 2023-07-28
 tags:
- - cve.2023.27997
- - attack.initial_access
+ - cve.2023-27997
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml
index d4a4760be1d..6836e626d87 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml
@@ -8,13 +8,13 @@ references:
 - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
 - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/01
-modified: 2023/06/03
+date: 2023-06-01
+modified: 2023-06-03
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.34362
- - detection.emerging_threats
+ - cve.2023-34362
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml
index b445db95cee..5c4f047e579 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml
@@ -6,11 +6,11 @@ references:
 - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
 - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/03
-modified: 2023/07/28
+date: 2023-06-03
+modified: 2023-07-28
 tags:
- - cve.2023.34362
- - detection.emerging_threats
+ - cve.2023-34362
+ - detection.emerging-threats
 - attack.persistence
 - attack.t1505.003
 logsource:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml
index f965e14bb59..e961d5c116c 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/Wh04m1001/CVE-2023-36874
 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/23
+date: 2023-08-23
 tags:
 - attack.execution
- - cve.2023.36874
- - detection.emerging_threats
+ - cve.2023-36874
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
index 74a0f7cc8d4..4cf28f65147 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/Wh04m1001/CVE-2023-36874
 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/23
-modified: 2023/10/08
+date: 2023-08-23
+modified: 2023-10-08
 tags:
 - attack.execution
- - cve.2023.36874
- - detection.emerging_threats
+ - cve.2023-36874
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml
index f1715309151..1fc4c9b19d8 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/Wh04m1001/CVE-2023-36874
 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/23
+date: 2023-08-23
 tags:
 - attack.execution
- - cve.2023.36874
- - detection.emerging_threats
+ - cve.2023-36874
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
index 34a52fafcb9..f8d0f70beab 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
@@ -7,12 +7,12 @@ references:
 - https://twitter.com/wdormann/status/1679184475677130755
 - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2023/07/13
+date: 2023-07-13
 tags:
 - attack.persistence
- - attack.defense_evasion
- - cve.2023.36884
- - detection.emerging_threats
+ - attack.defense-evasion
+ - cve.2023-36884
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml
index 50d2ed37735..30552f7eb8c 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml
@@ -5,11 +5,11 @@ description: Detects a unique pattern seen being used by RomCom potentially expl
 references:
 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior
-date: 2023/07/12
+date: 2023-07-12
 tags:
- - attack.command_and_control
- - cve.2023.36884
- - detection.emerging_threats
+ - attack.command-and-control
+ - cve.2023-36884
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml
index 302f27643e6..40618ff9cbe 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml
@@ -5,11 +5,11 @@ description: Detects a specific URL pattern containing a specific extension and
 references:
 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior
-date: 2023/07/12
+date: 2023-07-12
 tags:
- - attack.command_and_control
- - cve.2023.36884
- - detection.emerging_threats
+ - attack.command-and-control
+ - cve.2023-36884
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml
index 17582b026ad..44598677c2e 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml
@@ -5,11 +5,11 @@ description: Detects files seen being requested by RomCom while potentially expl
 references:
 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior
-date: 2023/07/12
+date: 2023-07-12
 tags:
- - attack.command_and_control
- - cve.2023.36884
- - detection.emerging_threats
+ - attack.command-and-control
+ - cve.2023-36884
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml
index a0423c78b6e..2c72bb5e206 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml
@@ -5,11 +5,11 @@ description: Detects a unique URL marker seen being used by RomCom potentially e
 references:
 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior
-date: 2023/07/12
+date: 2023-07-12
 tags:
- - attack.command_and_control
- - cve.2023.36884
- - detection.emerging_threats
+ - attack.command-and-control
+ - cve.2023-36884
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
index ba5cc73c9c1..5a83f9fbb2b 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
@@ -5,11 +5,11 @@ description: Detects access to a file share with a naming schema seen being used
 references:
 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/13
+date: 2023-07-13
 tags:
- - attack.command_and_control
- - cve.2023.36884
- - detection.emerging_threats
+ - attack.command-and-control
+ - cve.2023-36884
+ - detection.emerging-threats
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml
index 11f214495db..c2b3a4a44b0 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml
@@ -9,11 +9,11 @@ references:
 - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
 - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/30
+date: 2023-08-30
 tags:
 - attack.execution
- - cve.2023.38331
- - detection.emerging_threats
+ - cve.2023-38331
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
index 8a952a8f0d6..c097cace1af 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
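Review bot: The rewritten tag `- cve.2023-38331` keeps a transposed CVE number: the rule lives under `CVE-2023-38831/` and both references cite CVE-2023-38831, so any tooling that keys on the cve tag will file this rule under an unrelated identifier. Since this commit already rewrites that line, it should become `- cve.2023-38831`. The same transposed number is carried into the next hunk, `proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml`. The file name `file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml` repeats the typo, though a rename is a separate change.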
@@ -9,13 +9,13 @@ references:
 - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
 - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
 author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
-date: 2023/08/30
-modified: 2024/01/22
+date: 2023-08-30
+modified: 2024-01-22
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.execution
 - attack.t1203
- - cve.2023.38331
+ - cve.2023-38331
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml
index dc4e8d698c5..b17649a195f 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml
@@ -7,11 +7,11 @@ references:
 - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
 - https://www.rarlab.com/vuln_rev3_names.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/31
+date: 2023-08-31
 tags:
 - attack.execution
- - cve.2023.40477
- - detection.emerging_threats
+ - cve.2023-40477
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
index 753faf9dd2a..f3935c39176 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
@@ -7,11 +7,11 @@ references:
 - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
 - https://www.rarlab.com/vuln_rev3_names.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/31
+date: 2023-08-31
 tags:
 - attack.execution
- - cve.2023.40477
- - detection.emerging_threats
+ - cve.2023-40477
+ - detection.emerging-threats
 logsource:
 product: windows
 service: application
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml
index cf6ec6475c5..6c52dc6757f 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml
@@ -12,13 +12,13 @@ references:
 - https://github.com/win3zz/CVE-2023-43261
 - https://vulncheck.com/blog/real-world-cve-2023-43261
 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
-date: 2023/10/20
-modified: 2023/10/30
+date: 2023-10-20
+modified: 2023-10-30
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.43621
- - detection.emerging_threats
+ - cve.2023-43621
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml
index bf74e77f8d4..159fc6365b5 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml
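Review bot: The tag `- cve.2023-43621` in the proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml hunk still carries a digit transposition: the file sits under `CVE-2023-43261/`, the file name says 43261, and both references cite CVE-2023-43261. Since the line is being rewritten anyway, it should read `- cve.2023-43261`, otherwise consumers matching on the cve tag will associate the rule with the wrong identifier. The same wrong number appears in the following hunk for `web_exploit_cve_2023_43261_milesight_information_disclosure.yml`.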
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml
@@ -12,13 +12,13 @@ references:
 - https://github.com/win3zz/CVE-2023-43261
 - https://vulncheck.com/blog/real-world-cve-2023-43261
 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
-date: 2023/10/20
-modified: 2023/10/30
+date: 2023-10-20
+modified: 2023-10-30
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - cve.2023.43621
- - detection.emerging_threats
+ - cve.2023-43621
+ - detection.emerging-threats
 logsource:
 category: webserver
 definition: 'Requirements: In order for this detection to trigger, access logs of the router must be collected.'
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml
index 91662b74cfc..874de100c01 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml
@@ -11,12 +11,12 @@ references:
 - https://blog.hrncirik.net/cve-2023-46214-analysis
 - https://advisory.splunk.com/advisories/SVD-2023-1104
 author: Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT)
-date: 2023/11/27
+date: 2023-11-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
- - cve.2023.46214
- - detection.emerging_threats
+ - cve.2023-46214
+ - detection.emerging-threats
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml
index d6836d181ff..afa5ecccf93 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml
@@ -11,11 +11,11 @@ references:
 - https://blog.hrncirik.net/cve-2023-46214-analysis
 - https://advisory.splunk.com/advisories/SVD-2023-1104
 author: Lars B. P. Frydenskov(Trifork Security)
-date: 2023/11/27
+date: 2023-11-27
 tags:
- - cve.2023.46214
- - detection.emerging_threats
- - attack.lateral_movement
+ - cve.2023-46214
+ - detection.emerging-threats
+ - attack.lateral-movement
 - attack.t1210
 logsource:
 category: webserver
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml
index 2f0091f14c7..b41777dbd84 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml
@@ -11,12 +11,12 @@ references:
 - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
 - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/08
+date: 2023-11-08
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
- - cve.2023.46747
+ - detection.emerging-threats
+ - cve.2023-46747
 logsource:
 category: proxy
 definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml
index e839e5e08dd..5877736d0b1 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml
@@ -11,12 +11,12 @@ references:
 - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
 - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/08
+date: 2023-11-08
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - detection.emerging_threats
- - cve.2023.46747
+ - detection.emerging-threats
+ - cve.2023-46747
 logsource:
 category: webserver
 definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
index d0be325218d..7631cdfa2d3 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
@@ -16,12 +16,12 @@ references:
 - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/28
+date: 2023-11-28
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.4966
+ - cve.2023-4966
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
index 2c5ec469558..3112cb17a52 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
@@ -16,12 +16,12 @@ references:
 - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
 author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
-date: 2023/11/28
+date: 2023-11-28
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.4966
+ - cve.2023-4966
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
index 9c2798d65ed..54c0337e717 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
@@ -16,12 +16,12 @@ references:
 - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
 author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
-date: 2023/11/28
+date: 2023-11-28
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.4966
+ - cve.2023-4966
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
index 45babdc0274..fa3d4a59ffa 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
@@ -16,12 +16,12 @@ references:
 - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/28
+date: 2023-11-28
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
- - cve.2023.4966
+ - cve.2023-4966
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
index 2febe5e8b1a..52e4e0e6bdd 100644
--- a/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
+++ b/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/SigmaHQ/sigma/pull/3946
 - https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
-date: 2023/01/21
+date: 2023-01-21
 tags:
- - detection.emerging_threats
- - attack.initial_access
+ - detection.emerging-threats
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: process_creation
diff --git a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
index 43a2e2704ee..f5844d8b643 100644
--- a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
+++ b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
@@ -5,10 +5,10 @@ description: Detects corrupted packets sent to the MSMQ service. Could potential
 references:
 - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/21
+date: 2023-04-21
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: application
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
index 41b37aa3756..354176b8cb0 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a file named "dllhost.exe" in the "C:\users
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
 - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
index f148f5f4254..a9297e71015 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a file in a specific location and with a sp
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: X__Junior (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
 - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
index de1b29d530e..2cc5fefcdaf 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
@@ -6,11 +6,11 @@ description: |
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/02
+date: 2023-05-02
 tags:
 - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 product: windows
 category: image_load
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
index ced5e608d53..a515c593106 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a process executing as user called "ANONYMO
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
 - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
index 904cd08149e..769328190a0 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a "rundll32" process from the ColdSteel per
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
 - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
index 3f68e1c21b0..26d3eb27bbb 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
@@ -5,11 +5,11 @@ description: Detects the creation of an "svchost" process with specific command
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: X__Junior (Nextron Systems)
-date: 2023/04/30
+date: 2023-04-30
 tags:
 - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
index 3a5ccd60164..c64fb7ca07c 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
@@ -5,11 +5,11 @@ description: Detects creation of a new user profile with a specific username, se
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/02
-modified: 2023/08/17
+date: 2023-05-02
+modified: 2023-08-17
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
index 2b9ee8af61a..8e73e21373d 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
@@ -5,11 +5,11 @@ description: Detects the creation of new services potentially related to COLDSTE
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/02
+date: 2023-05-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
index 47840068341..991c48dbd0d 100644
--- a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
+++ b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
@@ -11,13 +11,13 @@ references:
 - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
 - https://github.com/pr0xylife/DarkGate/tree/main
 author: Micah Babinski
-date: 2023/10/15
+date: 2023-10-15
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1105
 - attack.t1059
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
index efe050924bf..54553892cde 100644
--- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
+++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
@@ -10,11 +10,11 @@ references:
 - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
 - https://github.com/pr0xylife/DarkGate/tree/main
 author: Micah Babinski
-date: 2023/10/15
+date: 2023-10-15
 tags:
 - attack.execution
 - attack.t1059
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
index 25677494056..bf34f3a418f 100644
--- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
+++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
@@ -5,12 +5,12 @@ description: Detects creation of local users via the net.exe command with the na
 references:
 - Internal Research
 author: X__Junior (Nextron Systems)
-date: 2023/08/27
-modified: 2023/10/15
+date: 2023-08-27
+modified: 2023-10-15
 tags:
 - attack.persistence
 - attack.t1136.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml b/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
index 5704ee15534..4c7e7da940f 100644
--- a/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
+++ b/rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
@@ -5,10 +5,10 @@ description: Detects process execution patterns related to Griffon malware as re
 references:
 - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/09
+date: 2023-03-09
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
index 8e62c81b525..66474ffbbd7 100644
--- a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
+++ b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
@@ -6,11 +6,11 @@ references:
 - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
 - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/31
+date: 2023-08-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
index 947b1c75024..ae214147a61 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
@@ -9,12 +9,12 @@ references:
 - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
 - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
 author: Andreas Braathen (mnemonic.io)
-date: 2023/10/27
-modified: 2024/01/26
+date: 2023-10-27
+modified: 2024-01-26
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1573
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: network_connection
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
index fec001ba329..b20001764f2 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
@@ -9,13 +9,13 @@ references:
 - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
 - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
 author: Alejandro Houspanossian ('@lekz86')
-date: 2024/01/02
+date: 2024-01-02
 tags:
 - attack.execution
 - attack.t1059.003
 - attack.t1105
 - attack.t1218
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
index 44d235606c5..d9b56e2f14a 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
@@ -8,14 +8,14 @@ references:
 - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
 - https://tria.ge/231023-lpw85she57/behavioral2
 author: Andreas Braathen (mnemonic.io)
-date: 2023/10/27
-modified: 2024/01/26
+date: 2023-10-27
+modified: 2024-01-26
 tags:
 - attack.discovery
 - attack.t1016
 - attack.t1049
 - attack.t1087
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
index 902fdf7ca5b..05bbad68d24 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
@@ -9,12 +9,12 @@ references:
 - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
 - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
 author: Andreas Braathen (mnemonic.io)
-date: 2023/10/27
-modified: 2024/01/26
+date: 2023-10-27
+modified: 2024-01-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055.012
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
index 9fe2c92419f..67a0f2aed3b 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
@@ -9,10 +9,10 @@ references:
 - https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior
 - https://tria.ge/231212-r1bpgaefar/behavioral2
 author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/01/26
+date: 2024-01-26
 tags:
- - detection.emerging_threats
- - attack.defense_evasion
+ - detection.emerging-threats
+ - attack.defense-evasion
 - attack.execution
 logsource:
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
index 20e56a1c975..76bc58c80e4 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
@@ -5,12 +5,12 @@ description: Detects a specific command line of "regsvr32" where the "calc" keyw
 references:
 - https://github.com/pr0xylife/Qakbot/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/26
-modified: 2024/03/05
+date: 2023-05-26
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
index e5c57fe7b3e..99d65ad5b5c 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
@@ -5,11 +5,11 @@ description: Detects specific process tree behavior of a "rundll32" execution of
 references:
 - https://github.com/pr0xylife/Qakbot/
 author: X__Junior (Nextron Systems)
-date: 2023/05/24
+date: 2023-05-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
index 24689638426..181cee7774c 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
@@ -5,12 +5,12 @@ description: Detects specific process tree behavior of a "rundll32" execution wi
 references:
 - https://github.com/pr0xylife/Qakbot/
 author: X__Junior (Nextron Systems)
-date: 2023/05/24
-modified: 2023/05/30
+date: 2023-05-24
+modified: 2023-05-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
index 710a5c5b10c..68ab9c99807 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
@@ -5,11 +5,11 @@ description: Detects specific process tree behavior of a "rundll32" execution wh
 references:
 - https://github.com/pr0xylife/Qakbot/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/24
+date: 2023-05-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
index f5a066ee698..ae0ba2bc3a4 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
@@ -7,10 +7,10 @@ references:
 - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
 - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
 author: Florian Roth (Nextron Systems)
-date: 2023/08/31
-modified: 2023/09/01
+date: 2023-08-31
+modified: 2023-09-01
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
index 4ecc9b1098a..4ff2340751b 100644
--- a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
+++ b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
@@ -8,12 +8,12 @@ references:
 - https://www.joesandbox.com/analysis/790122/0/html
 - https://twitter.com/anfam17/status/1607477672057208835
 author: TropChaud
-date: 2023/01/26
-modified: 2023/02/05
+date: 2023-01-26
+modified: 2023-02-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
index a180ce93495..ad65e967c10 100644
--- a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
+++ b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
@@ -5,14 +5,14 @@ description: Detects Rorschach ransomware execution activity
 references:
 - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
 author: X__Junior (Nextron Systems)
-date: 2023/04/04
-modified: 2023/04/22
+date: 2023-04-04
+modified: 2023-04-22
 tags:
 - attack.execution
 - attack.t1059.003
 - attack.t1059.001
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml
index d29e486f37f..c051e16a117 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml
@@ -5,10 +5,10 @@ description: Detects SNAKE malware kernel driver file indicator
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
+date: 2023-05-10
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml
index 879097f9e42..91da1017b05 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml
@@ -5,10 +5,10 @@ description: Detects filename indicators associated with the SNAKE malware as re
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
+date: 2023-05-10
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml
index 1c4baed9fa0..9cba0dfc38e 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a file named "WerFault.exe" in the WinSxS d
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
-modified: 2023/05/18
+date: 2023-05-10
+modified: 2023-05-18
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
index 1983488b525..7690ec1d875 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
@@ -5,10 +5,10 @@ description: Detects a specific command line arguments sequence seen used by SNA
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
index 0d8c2309408..c22c9e38fb4 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
@@ -5,10 +5,10 @@ description: Detects a specific binary name seen used by SNAKE malware during it
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
index 6041bf8a868..5f0581111c9 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
@@ -5,10 +5,10 @@ description: Detects a specific child/parent process relationship indicative of
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
index ceb6ccb75d8..e79887aec69 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
@@ -5,10 +5,10 @@ description: Detects any registry event that targets the key 'SECURITY\Policy\Se
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/11
+date: 2023-05-11
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: registry_event
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml b/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
index 6641eb5bcf3..8aed60de56a 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a registry value in the ".wav\OpenWithProgI
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
-modified: 2023/08/17
+date: 2023-05-10
+modified: 2023-08-17
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
index c6788a232ba..bb74ac415ef 100644
--- a/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
+++ b/rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a service named "WerFaultSvc" which seems t
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/10
+date: 2023-05-10
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 service: system
diff --git a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
index b9df2c515a4..ae2fe2e10e0 100644
--- a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
+++ b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
@@ -7,11 +7,11 @@ references:
 - https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations
 - https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
 author: Dusty Miller
-date: 2023/02/23
+date: 2023-02-23
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: windows
 category: dns_query
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml
index c2f3cf3d95c..ccbaa307c7e 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml
@@ -20,11 +20,11 @@ description: Detects potential beaconing activity to domains related to 3CX 3CXD
 references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-modified: 2023/03/31
+date: 2023-03-29
+modified: 2023-03-31
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: dns_query
 product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
index bc018e9a87b..05341bdc13f 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
@@ -20,10 +20,10 @@ description: Detects DLL load activity of known compromised DLLs used in by the
 references:
 - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/31
+date: 2023-03-31
 tags:
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 category: image_load
 product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml
index bc4c7360b09..4e91a26420b 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml
@@ -20,11 +20,11 @@ description: Detects potential beaconing activity to domains related to 3CX 3CXD
 references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-modified: 2023/03/31
+date: 2023-03-29
+modified: 2023-03-31
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: network_connection
 product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
index 6c87274d4f7..187e04614a6 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
@@ -20,13 +20,13 @@ description: Detects execution of known compromised version of 3CXDesktopApp
 references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-modified: 2023/03/31
+date: 2023-03-29
+modified: 2023-03-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
index 30679a9b6eb..f0967eb28b7 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
@@ -21,12 +21,12 @@ references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
 - https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
+date: 2023-03-29
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1218
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
index ea8e3ef0151..001f09e3250 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
@@ -21,12 +21,12 @@ references:
 - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
 - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
+date: 2023-03-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml
index 4e915b81f18..aa471628feb 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml
@@ -20,11 +20,11 @@ description: Detects potential beaconing activity to domains related to 3CX 3CXD
 references:
 - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/29
-modified: 2023/05/18
+date: 2023-03-29
+modified: 2023-05-18
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml
index 08f6fa5a93d..29b654f517c 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml
@@ -21,10 +21,10 @@ references:
 - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
 - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/31
+date: 2023-03-31
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 category: proxy
 detection:
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
index 6d466fe3e1f..228682aaf7c 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
@@ -5,9 +5,9 @@ description: Hunts known SVR-specific DLL names.
 references:
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: CISA
-date: 2023/12/18
+date: 2023-12-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: image_load
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
index 7bc11682ecb..e7fcf0f10d3 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
@@ -8,7 +8,7 @@ description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
-date: 2023/12/18
+date: 2023-12-18
tags:
- attack.persistence
logsource:
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
index 0afd02e2418..19c8867bc35 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
@@ -8,7 +8,7 @@ description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
-date: 2023/12/18
+date: 2023-12-18
tags:
- attack.persistence
logsource:
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml
index dd8eea66367..60363ca0947 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml
@@ -5,10 +5,10 @@ description: Detects DNS queries related to Diamond Sleet APT activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
logsource:
product: windows
category: dns_query
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
index 6c3bc997cc8..11959b9cbdc 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
@@ -5,10 +5,10 @@ description: Detects file creation activity that is related to Diamond Sleet APT
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
index feed15f302b..d4d0bac8baf 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
@@ -5,11 +5,11 @@ description: Detects DLL sideloading activity seen used by Diamond Sleet APT
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1574.002
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: image_load
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
index c1bbf8fb41f..5d98be1edc5 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
@@ -5,10 +5,10 @@ description: Detects process creation activity indicators related to Diamond Sle
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
index 583e61a8a76..1cb6ea199db 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
@@ -6,11 +6,11 @@ description: |
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- - attack.defense_evasion
+ - attack.defense-evasion
- attack.t1562
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: registry_event
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
index 7f9df765bd0..7a3d5065765 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
@@ -6,13 +6,13 @@ description: |
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
- attack.persistence
- attack.t1053.005
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
service: security
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
index d1df8163926..b30c5d55872 100644
--- a/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml
@@ -9,11 +9,11 @@ references:
- https://securelist.com/operation-triangulation/109842/
- https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
author: Florian Roth (Nextron Systems)
-date: 2023/06/01
+date: 2023-06-01
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.g0020
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: dns
detection:
diff --git a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
index 9279b1cfdef..163b164cbbe 100644
--- a/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml
@@ -9,11 +9,11 @@ references:
- https://securelist.com/operation-triangulation/109842/
- https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
author: Florian Roth (Nextron Systems)
-date: 2023/06/01
+date: 2023-06-01
tags:
- - attack.command_and_control
+ - attack.command-and-control
- attack.g0020
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: proxy
detection:
diff --git a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
index bd534689ce1..a8b110e331f 100644
--- a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
@@ -5,11 +5,11 @@ description: Detects PowerShell script file creation with specific name or suffi
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
tags:
- attack.execution
- attack.g0046
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
index dd4828d7aca..80482f9d987 100644
--- a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
@@ -5,12 +5,12 @@ description: Detects execution of the POWERHOLD script seen used by FIN7 as repo
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
tags:
- attack.execution
- attack.t1059.001
- attack.g0046
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: ps_script
diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
index 38519e2c8c2..295d4537e47 100644
--- a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
@@ -5,12 +5,12 @@ description: Detects potential execution of the PowerShell script POWERTRASH
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
tags:
- attack.execution
- attack.t1059.001
- attack.g0046
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: ps_script
diff --git a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
index 7e74903f581..75aea2f00fb 100644
--- a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
@@ -7,11 +7,11 @@ references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
tags:
- attack.execution
- attack.g0046
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
index 3d2ac26c8d2..39229e476a7 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
@@ -5,10 +5,10 @@ description: Detects PowerShell script file creation with specific names or suff
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
index 7a8a8ddfdc6..daaf4621f61 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
@@ -6,11 +6,11 @@ description: |
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: ps_script
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
index a8cb343ff01..1bbdcdf8a1b 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
@@ -6,11 +6,11 @@ description: |
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- attack.t1059.001
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: ps_script
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
index c6e118e5ef8..2668b724493 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
@@ -5,10 +5,10 @@ description: Detects specific command line execution used by Lace Tempest to dow
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
index 911078ce8fb..2f090535868 100644
--- a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of a specific binary based on filename and hash u
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/09
+date: 2023-11-09
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
index c9323758cf8..b9bbfecc6ef 100644
--- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
+++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
@@ -6,14 +6,14 @@ references:
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
- https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/18
+date: 2023-10-18
tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
- attack.t1574.001
- attack.t1574.002
- attack.g0032
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
product: windows
category: image_load
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
index 1763ac602e8..e5b7683d993 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
@@ -5,11 +5,11 @@ description: Detects suspicious execution from AsperaFaspex as seen used by Mint
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-date: 2023/04/20
-modified: 2023/04/25
+date: 2023-04-20
+modified: 2023-04-25
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
index 9cee8be1793..d9b9c1b1cf8 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
@@ -5,11 +5,11 @@ description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-date: 2023/04/20
-modified: 2023/11/29
+date: 2023-04-20
+modified: 2023-11-29
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
index 06ca88def73..80939e29eec 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
@@ -5,11 +5,11 @@ description: Detects suspicious execution from ManageEngine as seen used by Mint
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-date: 2023/04/20
-modified: 2023/04/25
+date: 2023-04-20
+modified: 2023-04-25
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
index 57898277171..0c11ac921ff 100644
--- a/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml
@@ -5,11 +5,11 @@ description: Detects specific command line execution used by Mustang Panda in a
references:
- https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
tags:
- attack.execution
- attack.g0129
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml
index b7fa0d1b57e..5db5d4e613a 100644
--- a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml
+++ b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml
@@ -5,13 +5,13 @@ description: |
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
This rule can be enhanced by filtering out known and legitimate username used in your environnement.
author: Muhammad Faisal (@faisalusuf)
-date: 2023/10/25
+date: 2023-10-25
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://developer.okta.com/docs/reference/api/event-types/
tags:
- - attack.credential_access
- - detection.emerging_threats
+ - attack.credential-access
+ - detection.emerging-threats
logsource:
service: okta
product: okta
diff --git a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml
index 078b4e92ba2..953359270b3 100644
--- a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml
@@ -5,10 +5,10 @@ description: Detects file creation activity that is related to Onyx Sleet APT ac
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/24
+date: 2023-10-24
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml b/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
index c0e3e34bc7e..61e79ebaaa2 100644
--- a/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
+++ b/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
@@ -6,10 +6,10 @@ references:
- https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/25
+date: 2023-04-25
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml b/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
index 1e99819736c..7d79e5bba31 100644
--- a/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
+++ b/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
@@ -6,11 +6,11 @@ references:
- https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
- https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml
author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
-date: 2023/04/20
-modified: 2023/04/25
+date: 2023-04-20
+modified: 2023-04-25
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
index b1b7387747f..48d394c3a12 100644
--- a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
@@ -6,10 +6,10 @@ references:
- https://twitter.com/MsftSecIntel/status/1737895710169628824
- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
author: X__Junior (Nextron Systems)
-date: 2024/01/15
+date: 2024-01-15
tags:
- attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml
index 8c1f71408a3..3bcb089e9ba 100644
--- a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml
+++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml
@@ -6,10 +6,10 @@ references:
- https://twitter.com/MsftSecIntel/status/1737895710169628824
- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
author: X__Junior (Nextron Systems)
-date: 2024/01/15
+date: 2024-01-15
tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
logsource:
category: proxy
detection:
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
index d9679eec399..23aae15e271 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
@@ -5,12 +5,12 @@ description: Detects filename pattern of email related data used by UNC4841 for
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
tags:
- attack.execution
- attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
logsource:
product: linux
category: file_event
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
index 03a3fc7e7b7..5de541d7870 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
@@ -5,12 +5,12 @@ description: Detects file indicators as seen used by UNC4841 during their Barrac
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
 - attack.execution
 - attack.persistence
- - attack.defense_evasion
- - detection.emerging_threats
+ - attack.defense-evasion
+ - detection.emerging-threats
 logsource:
 product: linux
 category: file_event
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
index 8d310102575..d00c1ce2a33 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
@@ -5,11 +5,11 @@ description: Detects the execution of "openssl" to connect to an IP address. Thi
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: linux
 category: process_creation
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
index 797ffe90f9a..e5d4acd43f2 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
@@ -5,11 +5,11 @@ description: Detects execution of "wget" to download a ".zip" or ".rar" files fr
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: linux
 category: process_creation
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
index d66d14c1ef7..5bd1f1def1c 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
@@ -5,11 +5,11 @@ description: Detects execution of "wget" to download a "tar" from an IP address
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: linux
 category: process_creation
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
index 26a0081f9f5..8ffcc201014 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of specific named binaries which were used by UNC
 references:
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
 - attack.execution
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 product: linux
 category: process_creation
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml
index 58206c36b95..55bceb4ee5b 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
 - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/20
+date: 2024-03-20
 tags:
- - attack.initial_access
- - cve.2024.1212
+ - attack.initial-access
+ - cve.2024-1212
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
index 9650c830550..51d4f2d343f 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
@@ -11,10 +11,10 @@ references:
 - https://www.cve.org/CVERecord?id=CVE-2024-1709
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
-date: 2024/02/21
+date: 2024-02-21
 tags:
 - attack.persistence
- - cve.2024.1708
+ - cve.2024-1708
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
index df61cf549b1..a5b7c079d12 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
@@ -12,11 +12,11 @@ references:
 - https://www.cve.org/CVERecord?id=CVE-2024-1708
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 author: Matt Anderson, Caleb Stewart, Huntress
-date: 2024/02/20
+date: 2024-02-20
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - cve.2024.1708
+ - cve.2024-1708
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
index 928b3d6ac6f..651a9363f40 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
@@ -12,10 +12,10 @@ references:
 - https://www.cve.org/CVERecord?id=CVE-2024-1709
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
-date: 2024/02/21
+date: 2024-02-21
 tags:
 - attack.persistence
- - cve.2024.1709
+ - cve.2024-1709
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml
index f3a15c5519a..4914ee493d8 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml
@@ -8,11 +8,11 @@ references:
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 - https://www.cve.org/CVERecord?id=CVE-2024-1709
 author: Matt Anderson, Huntress
-date: 2024/02/20
+date: 2024-02-20
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - cve.2024.1709
+ - cve.2024-1709
 logsource:
 category: webserver
 detection:
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
index 3e62f8f6011..f63b2547f00 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
@@ -13,10 +13,10 @@ references:
 - https://www.cve.org/CVERecord?id=CVE-2024-1709
 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 author: Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress
-date: 2024/02/20
+date: 2024-02-20
 tags:
- - attack.defense_evasion
- - cve.2024.1709
+ - attack.defense-evasion
+ - cve.2024-1709
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
index 3b408e84614..cc851977685 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
@@ -6,11 +6,11 @@ description: |
 references:
 - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
 author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
-date: 2024/04/01
-modified: 2024/07/03
+date: 2024-04-01
+modified: 2024-07-03
 tags:
 - attack.execution
- - cve.2024.3094
+ - cve.2024-3094
 logsource:
 category: process_creation
 product: linux
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml
index 395c65bdc71..b8ecc548b07 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml
@@ -8,11 +8,11 @@ references:
 - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
 - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
 author: Andreas Braathen (mnemonic.io)
-date: 2024/04/25
+date: 2024-04-25
 tags:
 - attack.execution
- - cve.2024.3400
- - detection.emerging_threats
+ - cve.2024-3400
+ - detection.emerging-threats
 logsource:
 product: paloalto
 service: globalprotect
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml
index 8be57e3bb69..310b73120b2 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml
@@ -9,14 +9,14 @@ references:
 - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
 - https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/18
-modified: 2024/04/25
+date: 2024-04-18
+modified: 2024-04-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - cve.2024.3400
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - cve.2024-3400
 logsource:
 category: appliance
 product: paloalto
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
index 2fb7fdbe5da..5837c6fd54a 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
@@ -8,11 +8,11 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
 author: frack113
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.execution
- - cve.2024.37085
- - detection.emerging_threats
+ - cve.2024-37085
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
index 34f6f3578e2..5523d8faff8 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
@@ -8,11 +8,11 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/30
+date: 2024-07-30
 tags:
 - attack.execution
- - cve.2024.37085
- - detection.emerging_threats
+ - cve.2024-37085
+ - detection.emerging-threats
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
index fd3ed84cede..f4f11c950a4 100644
--- a/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
+++ b/rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
@@ -7,9 +7,9 @@ references:
 - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
 - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
 author: Luca Di Bartolomeo
-date: 2024/06/22
+date: 2024-06-22
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: image_load
diff --git a/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml b/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml
index 27ebc10bae4..20cbb7c4ed9 100644
--- a/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml
+++ b/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml
@@ -6,7 +6,7 @@ references:
 - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
 - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
 author: Tomasz Dyduch, Josh Nickels
-date: 2024/05/31
+date: 2024-05-31
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
index 426ca1fe832..fdedc59a001 100644
--- a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2024/03/22
+date: 2024-03-22
 tags:
 - attack.execution
 - attack.t1059
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
index 1d4b78007d3..2f7e2ac822a 100644
--- a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml
@@ -8,10 +8,10 @@ references:
 - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
 - https://tria.ge/240123-rapteaahhr/behavioral1
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2024/03/22
+date: 2024-03-22
 tags:
 - attack.persistence
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
index 23b7ee21d9e..8db60f70e9c 100644
--- a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml
@@ -6,11 +6,11 @@ description: |
 references:
 - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior
-date: 2024/03/22
+date: 2024-03-22
 tags:
 - attack.persistence
 - attack.t1547.001
- - detection.emerging_threats
+ - detection.emerging-threats
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
index 5bf32408bc7..62e73b4fd28 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
@@ -10,11 +10,11 @@ references:
 - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
 - https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/31
+date: 2024-07-31
 tags:
- - detection.emerging_threats
- - attack.defense_evasion
- - attack.privilege_escalation
+ - detection.emerging-threats
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
index a261d6924cd..24eb3cbda42 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
@@ -8,10 +8,10 @@ references:
 - https://tria.ge/240226-fhbe7sdc39/behavioral1
 - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
 author: Swachchhanda Shrawan Poudel
-date: 2024/03/07
+date: 2024-03-07
 tags:
- - detection.emerging_threats
- - attack.defense_evasion
+ - detection.emerging-threats
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.011
 logsource:
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
index 15515594952..2128bcd2113 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
@@ -13,11 +13,11 @@ references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
 - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/31
+date: 2024-07-31
 tags:
- - detection.emerging_threats
+ - detection.emerging-threats
 - attack.t1112
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml b/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
index c5b7d837afc..572df19c08a 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
@@ -8,9 +8,9 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/03
+date: 2024-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml b/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
index cccf6173d51..5bfcf91899e 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
@@ -8,11 +8,11 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.execution
 - attack.t1204.002
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: image_load
diff --git a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
index 6b75fe377d9..72c97eb8060 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml
@@ -12,7 +12,7 @@ references:
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.persistence
 - attack.t1053.005
diff --git a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
index 6c70a28848f..26ae013395d 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/03
+date: 2024-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
index 612cd9611ae..b51438407a5 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml
@@ -9,7 +9,7 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
index 75b4f0bb5ad..b5b3550af4a 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
@@ -8,10 +8,10 @@ references:
 - https://labs.withsecure.com/publications/kapeka
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.003
 logsource:
 category: registry_set
diff --git a/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml b/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml
index f620fe2ef04..ed29411f078 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml
@@ -11,10 +11,10 @@ references:
 - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
 - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
 author: Swachchhanda Shrawan Poudel
-date: 2024/07/03
+date: 2024-07-03
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
index 7e65cbc748a..e40426947ff 100644
--- a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
+++ b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
@@ -5,10 +5,10 @@ description: Detects DNS queries for C2 domains used by DPRK Threat actors.
 references:
 - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/20
+date: 2024-02-20
 tags:
- - attack.command_and_control
- - detection.emerging_threats
+ - attack.command-and-control
+ - detection.emerging-threats
 logsource:
 product: windows
 category: dns_query
diff --git a/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
index c1ab0cd151a..d6820aac86e 100644
--- a/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
+++ b/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
 author: Alex Walston (@4ayymm)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
index 25f916ae77c..aa08309b718 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
-modified: 2024/07/11
+date: 2024-04-23
+modified: 2024-07-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: file_event
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
index 1e64dedad52..a7ff6dd5fc4 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
+date: 2024-04-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: file_event
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
index f3ed7fd446b..840901fde94 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
-modified: 2024/05/11
+date: 2024-04-23
+modified: 2024-05-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
index 07a673e6ac7..5c473b1cae9 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
+date: 2024-04-23
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
index d1de35a7a38..d4c6b548fa8 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/23
+date: 2024-04-23
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
index 01dcb6a5c96..f4d21e4595a 100644
--- a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
+++ b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
+date: 2024-02-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
index 72d0d3b1773..f0b367d0490 100644
--- a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
+++ b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
@@ -5,10 +5,10 @@ description: Detects accounts that are created or deleted by non-approved users.
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
index 283feef536f..1705bafb17d 100644
--- a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
@@ -5,8 +5,8 @@ description: Detects user signs ins outside of normal business hours.
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
 - attack.persistence
 - attack.t1078
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
index 1c27a3645ac..6a5c87b898d 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
@@ -5,11 +5,11 @@ description: Detects failed sign-in from a PAW or SAW device
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
index 4171d33299e..a9e85a7862a 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
@@ -5,10 +5,10 @@ description: Detects failed sign-in due to user not meeting expected controls fo
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
index 8845899de8f..86c1029e676 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
@@ -5,8 +5,8 @@ description: Detects account sign ins outside of normal hours or uncommon locati
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/11
-modified: 2023/12/15
+date: 2022-08-11
+modified: 2023-12-15
 tags:
 - attack.persistence
 - attack.t1078
diff --git a/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml b/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
index e045b0a3f1f..a2e3a718001 100644
--- a/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
@@ -7,12 +7,12 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
 author: frack113
-date: 2022/10/14
-modified: 2023/12/14
+date: 2022-10-14
+modified: 2023-12-14
 tags:
- - attack.defense_evasion
- - attack.lateral_movement
- - attack.credential_access
+ - attack.defense-evasion
+ - attack.lateral-movement
+ - attack.credential-access
 - attack.t1558
 - attack.t1649
 - attack.t1550
diff --git a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
index 744f8f53154..4a34b31f900 100644
--- a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
@@ -6,12 +6,12 @@ references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
 - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
 author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
-date: 2020/10/15
-modified: 2023/12/15
+date: 2020-10-15
+modified: 2023-12-15
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - cve.2020.1472
+ - cve.2020-1472
 logsource:
 product: windows
 service: security
diff --git a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
index b8d9399d598..b1bce3bb40a 100644
--- a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
@@ -5,10 +5,10 @@ description: Detects the attack technique pass the hash which is used to move la
 references:
 - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
-date: 2017/03/08
-modified: 2023/12/15
+date: 2017-03-08
+modified: 2023-12-15
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1550.002
 - car.2016-04-004
 logsource:
diff --git a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
index 76f300a1120..a76fd16a654 100644
--- a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
@@ -5,11 +5,11 @@ description: Remote registry management using REG utility from non-admin worksta
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2023/12/15
+date: 2019-10-22
+modified: 2023-12-15
 tags:
- - attack.credential_access
- - attack.defense_evasion
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.discovery
 - attack.s0075
 - attack.t1012
diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
index 13a8d1c7a81..165e78f1d0f 100644
--- a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
@@ -5,10 +5,10 @@ description: Detects interactive console logons to Server Systems
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/03/17
-modified: 2023/12/15
+date: 2017-03-17
+modified: 2023-12-15
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1078
 logsource:
 product: windows
diff --git a/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml b/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml
index 20927bb4ac4..977b73b8d6d 100644
--- a/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml
+++ b/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml
@@ -5,9 +5,9 @@ description: Detects an RDP connection originating from a domain controller.
 references:
 - Internal Research
 author: Josh Nickels
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021
 logsource:
 product: windows
diff --git a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
index 54f3f4c898f..1457ba277af 100644
--- a/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
+++ b/rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml
@@ -6,8 +6,8 @@ references:
 - https://www.arxiv-vanity.com/papers/2008.04676/
 - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2023/02/09
-modified: 2024/08/01
+date: 2023-02-09
+modified: 2024-08-01
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
index 9f11571c9d3..0fb920cc85b 100644
--- a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
+++ b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
@@ -5,11 +5,11 @@ description: Detects email forwarding or redirecting acitivty in O365 Audit logs
 references:
 - https://redcanary.com/blog/email-forwarding-rules/
 author: RedCanary Team (idea), Harjot Singh @cyb3rjy0t
-date: 2023/10/11
+date: 2023-10-11
 tags:
 - attack.exfiltration
 - attack.t1020
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 service: audit
 product: m365
diff --git a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml
index 66a7163e071..7adda976246 100644
--- a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml
+++ b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.credential_access
- - detection.threat_hunting
+ - attack.credential-access
+ - detection.threat-hunting
 logsource:
 service: okta
 product: okta
diff --git a/rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml b/rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml
index 7d95de42e64..7f4375995bc 100644
--- a/rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml
+++ b/rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml
@@ -15,11 +15,11 @@ references:
 - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
 - https://docs.python.org/3/library/site.html
 author: Andreas Braathen (mnemonic.io)
-date: 2024/04/25
+date: 2024-04-25
 tags:
 - attack.execution
 - attack.t1059.006
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: linux
 category: file_event
diff --git a/rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml b/rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml
index 911eb0d6940..bca41a94b95 100644
--- a/rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml
+++ b/rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml
@@ -15,11 +15,11 @@ references:
 - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
 - https://docs.python.org/3/library/site.html
 author: Andreas Braathen (mnemonic.io)
-date: 2024/04/25
+date: 2024-04-25
 tags:
 - attack.execution
 - attack.t1059.006
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: macos
 category: file_event
diff --git a/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml b/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
index 875b285279c..8e9e4a13f82 100644
--- a/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
+++ b/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
@@ -12,12 +12,12 @@ references:
 - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
 - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
 author: Daniel Cortez
-date: 2024/07/30
+date: 2024-07-30
 tags:
 - attack.collection
- - attack.credential_access
+ - attack.credential-access
 - attack.t1115
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: macos
 category: process_creation
diff --git a/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml b/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
index 9b912cc0280..42d0b02d1fc 100644
--- a/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
+++ b/rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
 author: Andreas Hunkeler (@Karneades)
-date: 2021/12/21
-modified: 2024/02/26
+date: 2021-12-21
+modified: 2024-02-26
 tags:
- - attack.initial_access
- - detection.threat_hunting
+ - attack.initial-access
+ - detection.threat-hunting
 logsource:
 category: proxy
 detection:
diff --git a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
index be353c24051..f2c55c45ce8 100644
--- a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
+++ b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
@@ -5,12 +5,12 @@ description: Detects when a rule has been modified in the Windows firewall excep
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2024/01/22
+date: 2022-02-19
+modified: 2024-01-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
index 48dc06bc9e2..3c0619b8ba7 100644
--- a/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
+++ b/rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
@@ -6,14 +6,14 @@ references:
 - https://twitter.com/matthewdunwoody/status/1352356685982146562
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
 author: David Strassegger, Tim Shelton
-date: 2021/01/22
-modified: 2023/01/20
+date: 2021-01-22
+modified: 2023-01-20
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-08-001
 - attack.t1053.005
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 service: security
diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
index 60bc3502b8d..da7b5d252fb 100644
--- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
@@ -5,12 +5,12 @@ description: Detects potential use of CreateRemoteThread api and LoadLibrary fun
 references:
 - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/11
-modified: 2024/01/22
+date: 2019-08-11
+modified: 2024-01-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: create_remote_thread
diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
index e147ca2d5ad..fa2e37e1e93 100644
--- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml
@@ -8,12 +8,12 @@ description: Detects the creation of a remote thread from a Powershell process t
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community
-date: 2020/10/06
-modified: 2023/11/10
+date: 2020-10-06
+modified: 2023-11-10
 tags:
 - attack.execution
 - attack.t1059.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: create_remote_thread
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
index 87580e5f0a8..a6091aabc79 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - Internal Research
 author: X__Junior (Nextron Systems)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.t1003
- - attack.credential_access
- - detection.threat_hunting
+ - attack.credential-access
+ - detection.threat-hunting
 logsource:
 category: file_access
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
index 3774dd6163c..8172b8be016 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml
@@ -9,12 +9,12 @@ references:
 - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
 - https://github.com/lclevy/firepwd
 author: frack113, X__Junior (Nextron Systems)
-date: 2022/04/09
-modified: 2024/07/29
+date: 2022-04-09
+modified: 2024-07-29
 tags:
 - attack.t1003
- - attack.credential_access
- - detection.threat_hunting
+ - attack.credential-access
+ - detection.threat-hunting
 logsource:
 category: file_access
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
index 4372c24f694..c5c62f3a420 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
@@ -9,12 +9,12 @@ references:
 - https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2
 - https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows
 author: frack113
-date: 2024/05/10
-modified: 2024/07/29
+date: 2024-05-10
+modified: 2024-07-29
 tags:
 - attack.t1070.008
- - attack.defense_evasion
- - detection.threat_hunting
+ - attack.defense-evasion
+ - detection.threat-hunting
 logsource:
 category: file_access
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml
index 6397395d01a..316a0d08b08 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml
@@ -5,11 +5,11 @@ description: Detects file access requests to the Windows Sysvol Policies Share b
 references:
 - https://github.com/vletoux/pingcastle
 author: frack113
-date: 2023/12/21
+date: 2023-12-21
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: file_access
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
index 8c33a42b71c..05bfeb77572 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
@@ -5,12 +5,12 @@ description: Detects file access requests to files ending with either the ".hive
 references:
 - https://github.com/tccontre/Reg-Restore-Persistence-Mole
 author: frack113
-date: 2023/09/15
-modified: 2024/07/29
+date: 2023-09-15
+modified: 2024-07-29
 tags:
 - attack.t1112
- - attack.defense_evasion
- - detection.threat_hunting
+ - attack.defense-evasion
+ - detection.threat-hunting
 logsource:
 category: file_access
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml
index 1233f841c1d..f59209aaed2 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: frack113
-date: 2024/07/22
+date: 2024-07-22
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: file_access
diff --git a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml
index b2a1b53419f..be652cdc842 100644
--- a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml
+++ b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml
@@ -8,11 +8,11 @@ description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can le
 references:
 - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
 author: frack113
-date: 2023/09/04
+date: 2023-09-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: file_delete
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml
index 79e5c0ffa2f..cb40910c2ea 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a file with the ".dmp"/".hdmp" extension. O
 references:
 - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/07
+date: 2023-09-07
 tags:
- - attack.defense_evasion
- - detection.threat_hunting
+ - attack.defense-evasion
+ - detection.threat-hunting
 logsource:
 category: file_event
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml
index b693a1cda35..b226767514b 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml
@@ -15,11 +15,11 @@ references:
 - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
 - https://docs.python.org/3/library/site.html
 author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
-date: 2024/04/25
+date: 2024-04-25
 tags:
 - attack.execution
 - attack.t1059.006
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: file_event
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml
index 14cb6421963..8917061fcff 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml
@@ -6,15 +6,15 @@ references:
 - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
 - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
 author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
-date: 2023/09/27
+date: 2023-09-27
 tags:
 - attack.execution
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1053.005
 - attack.s0111
 - car.2013-08-001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: file_event
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
index 606322b7ee1..9ecf86a3d8b 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
@@ -5,12 +5,12 @@ description: Detects the creation of an executable by another executable.
 references:
 - Internal Research
 author: frack113
-date: 2022/03/09
-modified: 2023/11/06
+date: 2022-03-09
+modified: 2023-11-06
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: file_event
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml
index b535650171c..6eb4fcc37b4 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml
@@ -7,10 +7,10 @@ references:
 - https://ipfyx.fr/post/visual-studio-code-tunnel/
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
- - detection.threat_hunting
+ - attack.command-and-control
+ - detection.threat-hunting
 logsource:
 category: file_event
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
index 4f0a3c60c47..696765cc497 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml
@@ -10,12 +10,12 @@ references:
 - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
 - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
 author: Micah Babinski
-date: 2023/08/21
+date: 2023-08-21
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1584
 - attack.t1566
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: file_event
diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml
index 1f663fc292c..6db891ec2f8 100644
--- a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml
+++ b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml
@@ -7,12 +7,12 @@ references:
 - https://twitter.com/ffforward/status/1481672378639912960
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
 author: frack113
-date: 2022/02/19
-modified: 2023/11/11
+date: 2022-02-19
+modified: 2023-11-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.008
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: file_rename
diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
index f407340e9ab..f2f7a0b5745 100644
--- a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
@@ -7,13 +7,13 @@ references:
 - https://github.com/TheD1rkMtr/AMSI_patch
 - https://github.com/surya-dev-singh/AmsiBypass-OpenSession
 author: frack113
-date: 2023/03/12
-modified: 2023/12/18
+date: 2023-03-12
+modified: 2023-12-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1490
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: image_load
 product: windows
diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml b/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml
index aaa0a894725..545605a972b 100644
--- a/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml
@@ -14,12 +14,12 @@ references:
 - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
 - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
 author: Perez Diego (@darkquassar), oscd.community, Ecco
-date: 2019/10/27
-modified: 2024/03/01
+date: 2019-10-27
+modified: 2024-03-01
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: image_load
 product: windows
diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml b/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml
index a7988aaaacb..b8e96e32988 100644
--- a/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/02/22
+date: 2020-05-02
+modified: 2023-02-22
 tags:
 - attack.collection
 - attack.t1113
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: image_load
diff --git a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml
index aeb45f6b292..37f47cd15a9 100644
--- a/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml
@@ -5,11 +5,11 @@ description: Detects Microsoft Excel loading an Add-In (.xll) file
 references:
 - https://www.mandiant.com/resources/blog/lnk-between-browsers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/12
+date: 2023-05-12
 tags:
 - attack.execution
 - attack.t1204.002
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: image_load
 product: windows
diff --git a/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml b/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml
index ca3d39063bc..83216e9d32e 100644
--- a/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml
@@ -7,11 +7,11 @@ references:
 - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
 - https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
 author: Steffen Rogge (dr0pd34d)
-date: 2024/07/10
+date: 2024-07-10
 tags:
 - attack.execution
 - attack.t1204.002
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: image_load
 product: windows
diff --git a/rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml b/rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml
index d8ff52fd177..5ee453754c4 100644
--- a/rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml
@@ -5,12 +5,12 @@ description: Detects WMI modules being loaded by an uncommon process
 references:
 - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-modified: 2023/12/11
+date: 2019-08-10
+modified: 2023-12-11
 tags:
 - attack.execution
 - attack.t1047
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: image_load
 product: windows
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml
index 81398e3364d..9ed2da51da6 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml
@@ -5,12 +5,12 @@ description: Detects network connections from "dfsvc.exe" used to handled ClickO
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/12
-modified: 2024/03/12
+date: 2023-06-12
+modified: 2024-03-12
 tags:
 - attack.execution
 - attack.t1203
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: network_connection
 product: windows
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml
index f1c77fe1e04..8e4edf95401 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml
@@ -5,8 +5,8 @@ description: Detects an initiated network connection over uncommon ports from "d
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/12
-modified: 2024/01/31
+date: 2023-06-12
+modified: 2024-01-31
 tags:
 - attack.execution
 - attack.t1203
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml
index 844c7f35293..2c2ddb189d5 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml
@@ -9,14 +9,14 @@ references:
 - https://redcanary.com/blog/child-processes/
 - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
 author: bartblaze
-date: 2020/07/13
-modified: 2024/07/16
+date: 2020-07-13
+modified: 2024-07-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.execution
 - attack.t1559.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: network_connection
 product: windows
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml
index 0f7387bf59c..5bdef359f8f 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml
@@ -10,11 +10,11 @@ references:
 - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
 - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/05
+date: 2022-10-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: network_connection
 product: windows
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml
index 245440121c2..a3a3c54f74a 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml
@@ -9,12 +9,12 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
 author: frack113
-date: 2022/01/16
-modified: 2024/07/16
+date: 2022-01-16
+modified: 2024-07-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.007
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: network_connection
 product: windows
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml
index ead5c6ac5f5..cfc045bbef7 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml
@@ -8,12 +8,12 @@ description: |
 references:
 - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 author: Florian Roth (Nextron Systems)
-date: 2017/03/13
-modified: 2024/03/13
+date: 2017-03-13
+modified: 2024-03-13
 tags:
 - attack.execution
 - attack.t1059.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: network_connection
 product: windows
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml
index a92a8775c15..310c78f6cb1 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml
@@ -11,11 +11,11 @@ description: |
 references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems)
-date: 2024/05/31
+date: 2024-05-31
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: network_connection
 product: windows
diff --git a/rules-threat-hunting/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml b/rules-threat-hunting/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml
index f62db34d5dc..6e4e46fafb8 100644
--- a/rules-threat-hunting/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml
+++ b/rules-threat-hunting/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml
@@ -9,13 +9,13 @@ references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
-date: 2017/06/12
-modified: 2022/10/09
+date: 2017-06-12
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1569.002
 - attack.s0029
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: pipe_created
 product: windows
diff --git a/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index 5e3a69fe669..2dc975bf377 100644
--- a/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -8,12 +8,12 @@ description: Detects alternate PowerShell hosts potentially bypassing detections
 references:
 - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/11
-modified: 2023/12/11
+date: 2019-08-11
+modified: 2023-12-11
 tags:
 - attack.execution
 - attack.t1059.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_classic_start
diff --git a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
index 26f140e6631..97ca3b61d96 100644
--- a/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
 - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
 author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-date: 2023/07/13
+date: 2023-07-13
 tags:
- - detection.threat_hunting
+ - detection.threat-hunting
 - attack.discovery
 - attack.t1518.001
 - attack.t1016
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
index cb5b748326e..8fa81f9354c 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
@@ -7,12 +7,12 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/12/15
+date: 2019-10-21
+modified: 2023-12-15
 tags:
 - attack.exfiltration
 - attack.t1560
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
index 3ee22df0d29..3246a0de376 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
@@ -5,11 +5,11 @@ description: Detects PowerShell scripts that try to access the default Windows M
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
 author: frack113
-date: 2023/07/08
+date: 2023-07-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.008
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
index 17227ee720a..bee60950fa0 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
@@ -11,11 +11,11 @@ references:
 - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
 - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
 author: frack113
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml
index ffb78320303..c2e172a7e65 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml
@@ -10,11 +10,11 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps
 - https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
 author: frack113
-date: 2023/07/21
+date: 2023-07-21
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1570
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
index e1c0d42dc99..98c60418a3e 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
@@ -8,12 +8,12 @@ description: Detects PowerShell scripts with potential registry reconnaissance c
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
 author: frack113
-date: 2023/07/02
+date: 2023-07-02
 tags:
 - attack.discovery
 - attack.t1012
 - attack.t1007
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
index 589b0c165b5..19dbde591bf 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
 author: frack113
-date: 2022/01/15
-modified: 2022/03/17
+date: 2022-01-15
+modified: 2022-03-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml
index 0c77e186ae1..a46eaaf1e77 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml
@@ -12,12 +12,12 @@ description: Detects calls to WinAPI libraries from PowerShell scripts. Attacker
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/21
+date: 2023-07-21
 tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1106
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml
index 1cda9898eff..0a7df5b9ca3 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml
@@ -12,12 +12,12 @@ description: Detects calls to WinAPI functions from PowerShell scripts. Attacker
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/21
+date: 2023-07-21
 tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1106
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml
index bbf75c211f7..203d037826a 100644
--- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml
@@ -2,7 +2,7 @@ title: Potential Credential Dumping Attempt Via PowerShell
 id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
 related:
 - id: 3f07b9d1-2082-4c56-9277-613a621983cc
- type: obsoletes
+ type: obsolete
 - id: fb656378-f909-47c1-8747-278bf09f4f4f
 type: similar
 status: test
@@ -10,12 +10,12 @@ description: Detects a PowerShell process requesting access to "lsass.exe", whic
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2023/11/28
+date: 2020-10-06
+modified: 2023-11-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 product: windows
 category: process_access
diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
index 8176e25aee1..76ca3d3d8f1 100644
--- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
@@ -9,10 +9,10 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
-date: 2021/11/27
-modified: 2023/12/06
+date: 2021-11-27
+modified: 2023-12-06
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
index a29743a9c21..e66a60230a0 100644
--- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
@@ -2,7 +2,7 @@ title: Uncommon GrantedAccess Flags On LSASS
 id: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
 related:
 - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
 references:
@@ -12,13 +12,13 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
-date: 2022/03/13
-modified: 2023/11/30
+date: 2022-03-13
+modified: 2023-11-30
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_access
 product: windows
diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml b/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
index b7ec400670f..9d5f38714ba 100644
--- a/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
@@ -5,13 +5,13 @@ description: Detects potential shellcode injection as seen used by tools such as
 references:
 - https://github.com/EmpireProject/PSInject
 author: Bhabesh Raj
-date: 2022/03/11
-modified: 2024/07/02
+date: 2022-03-11
+modified: 2024-07-02
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_access
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
index d09b0e94f04..4d594d4bcc6 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
@@ -5,12 +5,12 @@ description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to ex
 references:
 - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/10
-modified: 2024/07/16
+date: 2023-03-10
+modified: 2024-07-16
 tags:
 - attack.collection
 - attack.t1560.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
index 8bd8375afd3..91b43c38600 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
@@ -10,12 +10,12 @@ references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
 - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
 author: frack113
-date: 2022/02/04
-modified: 2023/03/14
+date: 2022-02-04
+modified: 2023-03-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
index b0a227f3759..b2778eabe94 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
@@ -8,10 +8,10 @@ references:
 - https://boinc.berkeley.edu/
 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 author: Matt Anderson (Huntress)
-date: 2024/07/23
+date: 2024-07-23
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553
 logsource:
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml
index aa6c72620f7..55f6e988c49 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml
@@ -10,12 +10,12 @@ description: | references: - https://ss64.com/nt/syntax-redirection.html author: frack113 -date: 2022/01/22 -modified: 2024/03/19 +date: 2022-01-22 +modified: 2024-03-19 tags: - attack.discovery - attack.t1082 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml index e3a10f28f4e..d87ce4179d1 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml @@ -10,9 +10,9 @@ description: | references: - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software author: Nasreddine Bencherchali (Nextron Systems) -date: 2024/07/23 +date: 2024-07-23 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1059.001 - attack.t1059.003 logsource: diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml index bfcd0d25495..68dd42702d0 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml @@ -11,11 +11,11 @@ references: - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/ - https://twitter.com/gN3mes1s/status/1206874118282448897 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/02 +date: 2023-08-02 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1027.004 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml index ae6d38c1586..11a02e00f0b 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml @@ -10,12 +10,12 @@ description: Detects file download using curl.exe references: - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464 author: Florian Roth (Nextron Systems) -date: 2022/07/05 -modified: 2023/02/21 +date: 2022-07-05 +modified: 2023-02-21 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_execution.yml index 204c7c21985..5199f389052 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_execution.yml @@ -8,12 +8,12 @@ description: Detects a curl process start on Windows, which could indicates a fi references: - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464 author: Florian Roth (Nextron Systems) -date: 2022/07/05 -modified: 2023/02/21 +date: 2022-07-05 +modified: 2023-02-21 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml index 62673a95f60..98ad58c77a4 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml @@ -8,13 +8,13 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file - https://curl.se/docs/manpage.html author: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update) -date: 2020/07/03 -modified: 2023/05/02 +date: 2020-07-03 +modified: 2023-05-02 tags: - attack.exfiltration - attack.t1567 - attack.t1105 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml index 0822c3f4dc9..639d1767eb0 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml @@ -6,12 +6,12 @@ references: - https://curl.se/docs/manpage.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd author: frack113 -date: 2022/01/23 -modified: 2023/02/21 +date: 2022-01-23 +modified: 2023-02-21 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml index c9a79e1f3fd..8b60e8d805b 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml @@ -5,11 +5,11 @@ description: Detects child processes of "dfsvc" which indicates a ClickOnce depl references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/12 +date: 2023-06-12 tags: - attack.execution - - attack.defense_evasion - - detection.threat_hunting + - attack.defense-evasion + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml index 1ab85af2c8a..153e3b3c4b4 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml @@ -17,12 +17,12 @@ references: - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow author: Harjot Singh @cyb3rjy0t -date: 2023/09/15 +date: 2023-09-15 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - attack.execution - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml index a37c0af1407..baf4ce03af2 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml @@ -18,13 +18,13 @@ references: - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow author: Ivan Dyachkov, oscd.community -date: 2020/10/07 -modified: 2024/03/13 +date: 2020-10-07 +modified: 2024-03-13 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - attack.execution - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml index f6c3175fafc..3d52b839a36 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml @@ -10,12 +10,12 @@ references: - https://twitter.com/CyberRaiju/status/1273597319322058752 - https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative -date: 2020/10/05 -modified: 2024/06/21 +date: 2020-10-05 +modified: 2024-06-21 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml index ad3536933bd..a35cec479a8 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml @@ -6,11 +6,11 @@ references: - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/ - https://adsecurity.org/?p=2288 author: Josh Nickels -date: 2023/05/18 +date: 2023-05-18 tags: - - attack.credential_access + - attack.credential-access - attack.t1552.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml index 2587e50c187..f8d49065d19 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml @@ -11,11 +11,11 @@ references: - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior author: Joseliyo Sanchez, @Joseliyo_Jstnk -date: 2024/02/05 +date: 2024-02-05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml index 3a74bf6392b..9857b40668f 100644 
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml @@ -13,11 +13,11 @@ references: - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior author: Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk -date: 2024/01/19 +date: 2024-01-19 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1036 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml index c365ccaeaa7..91204396735 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml @@ -9,8 +9,8 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) -date: 2019/01/16 -modified: 2022/07/11 +date: 2019-01-16 +modified: 2022-07-11 tags: - attack.discovery - attack.t1007 @@ -22,10 +22,10 @@ tags: - attack.t1069.002 - attack.t1087.001 - attack.t1087.002 - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.002 - attack.s0039 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml index 3dc27858d88..3e4ecb4313d 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml @@ -9,11 +9,11 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md - https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/ author: frack113 -date: 2023/07/21 +date: 2023-07-21 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1570 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml index dfc1a5c21ae..6846eb04ba7 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml @@ -8,12 +8,12 @@ references: - https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic - https://github.com/med0x2e/vba2clr author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/10/13 -modified: 2023/12/19 +date: 2022-10-13 +modified: 2023-12-19 tags: - attack.execution - - attack.defense_evasion - - detection.threat_hunting + - attack.defense-evasion + - detection.threat-hunting logsource: product: windows category: process_creation 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml index 15b6d4dcc4f..c6e7bd3f6f6 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml @@ -5,12 +5,12 @@ description: Detects unusually long PowerShell command lines with a length of 10 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova -date: 2020/10/06 -modified: 2023/04/14 +date: 2020-10-06 +modified: 2023-04-14 tags: - attack.execution - attack.t1059.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml index 141304cc4dd..0c086f5f2b5 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml @@ -10,12 +10,12 @@ references: - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html - https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2 author: Andreas Braathen (mnemonic.io) -date: 2023/12/01 +date: 2023-12-01 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1059.001 - attack.t1027.010 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: process_creation 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml index 2779d662318..d5881c60f7c 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml @@ -6,11 +6,11 @@ references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/09 -modified: 2023/12/01 +date: 2023-05-09 +modified: 2023-12-01 tags: - attack.execution - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: process_creation diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml index 26a029b1658..cdec6d92c52 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml @@ -11,7 +11,7 @@ references: - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170 - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ author: frack113 -date: 2024/05/03 +date: 2024-05-03 logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml index 36105803233..33c15cca9c8 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml @@ -7,12 +7,12 @@ description: | references: - https://twitter.com/ankit_anubhav/status/1518835408502620162 author: Florian Roth (Nextron Systems), Tim Shelton -date: 2022/04/26 -modified: 2024/07/16 +date: 2022-04-26 +modified: 2024-07-16 tags: - attack.execution - attack.t1059.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml index 3acfdf49847..599882c5b24 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml @@ -13,11 +13,11 @@ references: - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver - https://ss64.com/nt/regsvr32.html author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems) -date: 2023/10/17 +date: 2023-10-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml index 957437465c7..432593f2bdd 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml @@ -12,11 +12,11 @@ description: | references: - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 author: Nasreddine Bencherchali (Nextron Systems) -date: 2024/02/23 -modified: 2024/02/26 +date: 2024-02-23 +modified: 2024-02-26 tags: - attack.execution - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml index bf4274cce00..2ad6fc2d477 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml @@ -8,12 +8,12 @@ references: - https://twitter.com/cyb3rops/status/1186631731543236608 - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ author: Florian Roth (Nextron Systems) -date: 2019/10/22 -modified: 2024/07/16 +date: 2019-10-22 +modified: 2024-07-16 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml index f38872e0767..7fa3c27662c 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml @@ -11,11 +11,11 @@ references: - https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver author: Andreas Braathen (mnemonic.io) -date: 2023/10/17 +date: 2023-10-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml index 39b21139e76..0e521cbb888 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml @@ -5,12 +5,12 @@ description: Detects execution of "sc.exe" to query information about registered references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery author: frack113 -date: 2021/12/06 -modified: 2024/02/08 +date: 2021-12-06 +modified: 2024-02-08 tags: - attack.discovery - attack.t1007 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml index fb27e0f1c2a..647f988983d 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml @@ -7,12 +7,12 @@ description: | references: - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/ author: Florian Roth (Nextron Systems) -date: 2022/02/23 -modified: 2024/05/13 +date: 2022-02-23 +modified: 2024-05-13 tags: - attack.execution - attack.t1053.005 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: process_creation diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml index 271528a27a9..17d10b745f7 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml @@ -5,12 +5,12 @@ description: Detects potentially suspicious command line arguments of common dat references: - https://twitter.com/SBousseaden/status/1184067445612535811 author: Florian Roth (Nextron Systems), Samir Bousseaden -date: 2019/10/15 -modified: 2023/08/29 +date: 2019-10-15 +modified: 2023-08-29 tags: - attack.collection - attack.t1560.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml index 1f7e0e41f74..90c97d973d5 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml @@ -9,13 +9,13 @@ description: | references: - https://github.com/Wh04m1001/SysmonEoP author: Nasreddine Bencherchali (Nextron Systems), frack113 -date: 2023/11/23 +date: 2023-11-23 tags: - - attack.privilege_escalation - - attack.defense_evasion + - attack.privilege-escalation + - attack.defense-evasion - attack.execution - attack.t1059 - - detection.threat_hunting + - detection.threat-hunting logsource: product: windows category: process_creation diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml index b6b6ca91c8a..7f5a1827a69 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml @@ -12,12 +12,12 @@ references: - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems) -date: 2023/11/20 -modified: 2024/01/24 +date: 2023-11-20 +modified: 2024-01-24 tags: - attack.t1552 - - attack.credential_access - - detection.threat_hunting + - attack.credential-access + - detection.threat-hunting logsource: product: windows category: process_creation 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml index bd178338a5f..0aa29848166 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml @@ -7,12 +7,12 @@ description: | references: - https://twitter.com/Kostastsale/status/1565257924204986369 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/01 -modified: 2023/03/02 +date: 2022-09-01 +modified: 2023-03-02 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml index a6069d00a68..e367284d8a6 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml @@ -6,12 +6,12 @@ description: | references: - Internal Research author: Florian Roth (Nextron Systems) -date: 2019/01/16 -modified: 2024/01/18 +date: 2019-01-16 +modified: 2024-01-18 tags: - attack.persistence - attack.t1505.003 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml index be399292008..d9bf88a93ab 100644 
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml @@ -5,15 +5,15 @@ description: Detects the execution of well known tools that can be abused for da author: Daniil Yugoslavskiy, oscd.community references: - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ -date: 2019/10/24 -modified: 2024/01/18 +date: 2019-10-24 +modified: 2024-01-18 tags: - attack.exfiltration - - attack.command_and_control + - attack.command-and-control - attack.t1041 - attack.t1572 - attack.t1071.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml index 09435200619..b65cefdc208 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml @@ -7,12 +7,12 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11) - https://github.com/swagkarna/Defeat-Defender-V1.2.0 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) -date: 2019/10/23 -modified: 2023/11/21 +date: 2019-10-23 +modified: 2023-11-21 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1222.001 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml index 6a1d451ff79..cd49e96d9ea 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml @@ -7,12 +7,12 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process author: frack113 -date: 2021/12/26 -modified: 2023/11/06 +date: 2021-12-26 +modified: 2023-11-06 tags: - attack.impact - attack.t1489 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml index 03c3bcec0fc..3d64fc060e8 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml @@ -5,12 +5,12 @@ description: Adversaries may attempt to get information about running processes references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist author: frack113 -date: 2021/12/11 -modified: 2022/12/25 +date: 2021-12-11 +modified: 2022-12-25 tags: - attack.discovery - attack.t1057 - - detection.threat_hunting + - detection.threat-hunting logsource: category: process_creation product: windows 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
index ebf0769598d..0821f2af420 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
@@ -16,12 +16,12 @@ references:
 - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
 - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/12/19
+date: 2023-12-19
 updated: 2024/01/15
 tags:
 - attack.discovery
 - attack.t1082
- - detection.threat_hunting
+ - detection.threat-hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
index d8f7b21ddfc..949c14dd827 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml
@@ -2,7 +2,7 @@ title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
 id: 1e33157c-53b1-41ad-bbcc-780b80b58288
 related:
 - id: 23250293-eed5-4c39-b57a-841c8933a57d
- type: obsoletes
+ type: obsolete
 - id: cea72823-df4d-4567-950c-0b579eaf0846
 type: derived
 status: test
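Review bot: The context line `updated: 2024/01/15` in the proc_creation_win_wmic_recon_system_info.yml hunk is left in the old slash format while the `date` line directly above it is converted, so this rule still carries a non-ISO date after the commit. `updated` also does not appear to be a Sigma metadata key — every other file in this diff records the same information under `modified` — so the line should probably become `modified: 2024-01-15`, which would also keep whatever date-format check drove this commit consistent across the rule set. The rule's detection block lies outside the hunk.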
@@ -11,13 +11,13 @@ references:
     - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
     - https://redcanary.com/blog/gootloader/
 author: Michael Haag
-date: 2019/01/16
-modified: 2023/05/15
+date: 2019-01-16
+modified: 2023-05-15
 tags:
     - attack.execution
     - attack.t1059.005
     - attack.t1059.007
-    - detection.threat_hunting
+    - detection.threat-hunting
 logsource:
     category: process_creation
     product: windows
diff --git a/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
index 9a73274ebc2..bafbd689edb 100644
--- a/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
+++ b/rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml
@@ -6,15 +6,15 @@ references:
     - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
     - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
 author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
-date: 2023/09/27
+date: 2023-09-27
 tags:
     - attack.execution
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.s0111
     - attack.t1053.005
     - car.2013-08-001
-    - detection.threat_hunting
+    - detection.threat-hunting
 logsource:
     product: windows
     category: registry_event
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
index aae279cb70e..3d0365a1218 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
@@ -8,12 +8,12 @@ description: Detects changes to the registry keys related to "Trusted Location"
 references:
     - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/21
-modified: 2023/08/17
+date: 2023-06-21
+modified: 2023-08-17
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
-    - detection.threat_hunting
+    - detection.threat-hunting
 logsource:
     category: registry_set
     product: windows
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
index 843ab1db2fa..9dcd72d35a9 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -9,13 +9,13 @@ references:
     - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
     - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
 author: Andreas Braathen (mnemonic.io)
-date: 2023/12/01
+date: 2023-12-01
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1059.001
     - attack.t1027.010
     - attack.t1547.001
-    - detection.threat_hunting
+    - detection.threat-hunting
 logsource:
     product: windows
     category: registry_set
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
index 57b81304175..3ec4f793b5b 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
@@ -2,7 +2,7 @@ title: Service Binary in User Controlled Folder
 id: 277dc340-0540-42e7-8efb-5ff460045e07
 related:
     - id: 277dc340-0540-42e7-8efb-5ff460045e07
-      type: obsoletes
+      type: obsolete
 status: experimental
 description: |
     Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
@@ -12,12 +12,12 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/05/02
-modified: 2024/03/25
+date: 2022-05-02
+modified: 2024-03-25
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
-    - detection.threat_hunting
+    - detection.threat-hunting
 logsource:
     category: registry_set
     product: windows
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml
index c563c2cfc20..138f44b31d7 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml
@@ -5,10 +5,10 @@ description: Detects changes to shell context menu commands. Use this rule to hu
 references:
     - https://mrd0x.com/sentinelone-persistence-via-menu-context/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/06
+date: 2024-03-06
 tags:
     - attack.persistence
-    - detection.threat_hunting
+    - detection.threat-hunting
 logsource:
     category: registry_set
     product: windows
diff --git a/rules/application/django/appframework_django_exceptions.yml b/rules/application/django/appframework_django_exceptions.yml
index 8042c1fb8c4..6b6b08ca2c3 100644
--- a/rules/application/django/appframework_django_exceptions.yml
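Review bot: In the first hunk of registry_set_service_image_path_user_controlled_folder.yml the `related` entry points at `277dc340-0540-42e7-8efb-5ff460045e07`, which is the same value as the rule's own `id:` two lines above, so after this change the rule declares that it makes itself obsolete. Renaming `obsoletes` to `obsolete` keeps the self-reference intact; a consumer that follows `related` links to retire superseded rules could end up retiring this one. The entry should carry the id of the rule this one actually replaced (that id is not visible in this diff, so it has to be looked up), or the whole `related:` block should be dropped if there is no predecessor.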
+++ b/rules/application/django/appframework_django_exceptions.yml
@@ -6,10 +6,10 @@ references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 author: Thomas Patzke
-date: 2017/08/05
-modified: 2020/09/01
+date: 2017-08-05
+modified: 2020-09-01
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: application
diff --git a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
index 7a2cc3b397e..27eed567755 100644
--- a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
+++ b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
@@ -6,9 +6,9 @@ references:
     - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
     - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: application
diff --git a/rules/application/jvm/java_local_file_read.yml b/rules/application/jvm/java_local_file_read.yml
index c271a0fe2a2..ef1d8ae886b 100644
--- a/rules/application/jvm/java_local_file_read.yml
+++ b/rules/application/jvm/java_local_file_read.yml
@@ -7,9 +7,9 @@ description: |
 references:
     - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: application
diff --git a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
index 9154fb000da..2e833a53c82 100644
--- a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
+++ b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
@@ -8,12 +8,12 @@ description: |
 references:
     - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2017.5638
-    - cve.2022.26134
+    - cve.2017-5638
+    - cve.2022-26134
 logsource:
     category: application
     product: jvm
diff --git a/rules/application/jvm/java_rce_exploitation_attempt.yml b/rules/application/jvm/java_rce_exploitation_attempt.yml
index 3d122585c71..88de8c22b21 100644
--- a/rules/application/jvm/java_rce_exploitation_attempt.yml
+++ b/rules/application/jvm/java_rce_exploitation_attempt.yml
@@ -5,9 +5,9 @@ description: Detects process execution related exceptions in JVM based apps, oft
 references:
     - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: application
diff --git a/rules/application/jvm/java_xxe_exploitation_attempt.yml b/rules/application/jvm/java_xxe_exploitation_attempt.yml
index 95689d5aa3e..2049fdfd3b4 100644
--- a/rules/application/jvm/java_xxe_exploitation_attempt.yml
+++ b/rules/application/jvm/java_xxe_exploitation_attempt.yml
@@ -7,9 +7,9 @@ references:
     - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
     - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: application
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
index eaae8522036..49a30944206 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
@@ -10,11 +10,11 @@ references:
     - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
     - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
 author: kelnage
-date: 2024/07/11
+date: 2024-07-11
 tags:
     - attack.persistence
     - attack.t1078
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1552
     - attack.t1552.007
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml b/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml
index b36ff1d3055..bba85418986 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml
@@ -12,10 +12,10 @@ references:
     - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
     - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
 author: kelnage
-date: 2024/07/11
+date: 2024-07-11
 tags:
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.execution
 logsource:
     product: kubernetes
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
index 09a4e75db4b..4663c8029aa 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
@@ -7,7 +7,7 @@ description: |
 references:
     - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1498
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
index 0bf5fc60a9f..d7dafc6eb7a 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
@@ -10,7 +10,7 @@ description: |
 references:
     - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1070
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
index 1e4b37253a9..8c6ca815397 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
@@ -6,7 +6,7 @@ description: |
 references:
     - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1609
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
index f4b074a18e2..fe9e05c30ef 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
@@ -9,7 +9,7 @@ references:
     - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
     - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1611
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
index dc9877f1ed9..512c0e2fba8 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
@@ -9,7 +9,7 @@ description: |
 references:
     - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1036.005
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
index ccdcff12f63..a9a04702bed 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
@@ -11,7 +11,7 @@ references:
     - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
     - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1611
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
index 0e41fb7c2d9..cefd4c4b86c 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
@@ -9,7 +9,7 @@ description: |
 references:
     - https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1069.003
     - attack.t1087.004
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml b/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml
index 04d6a861ff8..d1f141b0c86 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml
@@ -10,9 +10,9 @@ references:
     - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
     - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
 author: kelnage
-date: 2024/07/11
+date: 2024-07-11
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: kubernetes
     service: audit
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
index 6dc529595c0..0dc2b66d1af 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
@@ -8,7 +8,7 @@ description: Detects enumeration of Kubernetes secrets.
 references:
     - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1552.007
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml
index 822e7ce27da..2dda1ef23b8 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml
@@ -10,9 +10,9 @@ references:
     - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
     - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
 author: kelnage
-date: 2024/07/11
+date: 2024-07-11
 tags:
-    - attack.credential_access
+    - attack.credential-access
 logsource:
     product: kubernetes
     service: audit
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml
index 7316b841069..6c41efac815 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml
@@ -9,7 +9,7 @@ description: |
 references:
     - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1136
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
index e2bdefd17e3..4ff32df2898 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
@@ -10,7 +10,7 @@ references:
     - https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
     - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
 author: Leo Tsaousis (@laripping)
-date: 2024/03/26
+date: 2024-03-26
 tags:
     - attack.t1609
 logsource:
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml b/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml
index da021782b3c..a564e870815 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml
@@ -8,9 +8,9 @@ references:
     - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
     - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
 author: kelnage
-date: 2024/04/12
+date: 2024-04-12
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: kubernetes
     service: audit
diff --git a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
index 95f812860ac..f9956d91dd5 100644
--- a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
+++ b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
@@ -5,9 +5,9 @@ description: Detects process execution related errors in NodeJS. If the exceptio
 references:
     - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: application
diff --git a/rules/application/opencanary/opencanary_ftp_login_attempt.yml b/rules/application/opencanary/opencanary_ftp_login_attempt.yml
index 5de2b206d2e..46632d2320b 100644
--- a/rules/application/opencanary/opencanary_ftp_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_ftp_login_attempt.yml
@@ -6,9 +6,9 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.exfiltration
     - attack.t1190
     - attack.t1021
diff --git a/rules/application/opencanary/opencanary_git_clone_request.yml b/rules/application/opencanary/opencanary_git_clone_request.yml
index f361cc86adb..cb928c35577 100644
--- a/rules/application/opencanary/opencanary_git_clone_request.yml
+++ b/rules/application/opencanary/opencanary_git_clone_request.yml
@@ -6,7 +6,7 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
     - attack.collection
     - attack.t1213
diff --git a/rules/application/opencanary/opencanary_http_get.yml b/rules/application/opencanary/opencanary_http_get.yml
index 11886a7e915..c65cc666337 100644
--- a/rules/application/opencanary/opencanary_http_get.yml
+++ b/rules/application/opencanary/opencanary_http_get.yml
@@ -6,9 +6,9 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: application
diff --git a/rules/application/opencanary/opencanary_http_post_login_attempt.yml b/rules/application/opencanary/opencanary_http_post_login_attempt.yml
index bf5d4a219ba..1bc99bf01aa 100644
--- a/rules/application/opencanary/opencanary_http_post_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_http_post_login_attempt.yml
@@ -7,9 +7,9 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
 logsource:
     category: application
diff --git a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
index 93ee36d5990..20693573c29 100644
--- a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
@@ -7,10 +7,10 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.initial_access
-    - attack.defense_evasion
+    - attack.initial-access
+    - attack.defense-evasion
     - attack.t1090
 logsource:
     category: application
diff --git a/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
index 045feea7a18..66e236c2620 100644
--- a/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
+++ b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
@@ -7,9 +7,9 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.collection
     - attack.t1003
     - attack.t1213
diff --git a/rules/application/opencanary/opencanary_mssql_login_winauth.yml b/rules/application/opencanary/opencanary_mssql_login_winauth.yml
index af3443b4153..a731303ab90 100644
--- a/rules/application/opencanary/opencanary_mssql_login_winauth.yml
+++ b/rules/application/opencanary/opencanary_mssql_login_winauth.yml
@@ -7,9 +7,9 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.collection
     - attack.t1003
     - attack.t1213
diff --git a/rules/application/opencanary/opencanary_mysql_login_attempt.yml b/rules/application/opencanary/opencanary_mysql_login_attempt.yml
index 17185498044..405c03c8604 100644
--- a/rules/application/opencanary/opencanary_mysql_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_mysql_login_attempt.yml
@@ -6,9 +6,9 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.collection
     - attack.t1003
     - attack.t1213
diff --git a/rules/application/opencanary/opencanary_ntp_monlist.yml b/rules/application/opencanary/opencanary_ntp_monlist.yml
index 403d4f58f76..e6ae4e0d9ba 100644
--- a/rules/application/opencanary/opencanary_ntp_monlist.yml
+++ b/rules/application/opencanary/opencanary_ntp_monlist.yml
@@ -6,7 +6,7 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
     - attack.impact
     - attack.t1498
diff --git a/rules/application/opencanary/opencanary_redis_command.yml b/rules/application/opencanary/opencanary_redis_command.yml
index 8f72baca5d9..9a18bee4af8 100644
--- a/rules/application/opencanary/opencanary_redis_command.yml
+++ b/rules/application/opencanary/opencanary_redis_command.yml
@@ -6,9 +6,9 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.collection
     - attack.t1003
     - attack.t1213
diff --git a/rules/application/opencanary/opencanary_sip_request.yml b/rules/application/opencanary/opencanary_sip_request.yml
index 12388c79be8..56f71242ab1 100644
--- a/rules/application/opencanary/opencanary_sip_request.yml
+++ b/rules/application/opencanary/opencanary_sip_request.yml
@@ -6,7 +6,7 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
     - attack.collection
     - attack.t1123
diff --git a/rules/application/opencanary/opencanary_smb_file_open.yml b/rules/application/opencanary/opencanary_smb_file_open.yml
index 543a490d3e8..7c12e2563e2 100644
--- a/rules/application/opencanary/opencanary_smb_file_open.yml
+++ b/rules/application/opencanary/opencanary_smb_file_open.yml
@@ -6,9 +6,9 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.collection
     - attack.t1021
     - attack.t1005
diff --git a/rules/application/opencanary/opencanary_snmp_cmd.yml b/rules/application/opencanary/opencanary_snmp_cmd.yml
index 26a207ce5ff..deb9ee93584 100644
--- a/rules/application/opencanary/opencanary_snmp_cmd.yml
+++ b/rules/application/opencanary/opencanary_snmp_cmd.yml
@@ -6,10 +6,10 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
     - attack.discovery
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1016
     - attack.t1021
 logsource:
diff --git a/rules/application/opencanary/opencanary_ssh_login_attempt.yml b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
index 1e7a6691c5a..431b5fe18eb 100644
--- a/rules/application/opencanary/opencanary_ssh_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
@@ -6,10 +6,10 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.initial_access
-    - attack.lateral_movement
+    - attack.initial-access
+    - attack.lateral-movement
     - attack.persistence
     - attack.t1133
     - attack.t1021
diff --git a/rules/application/opencanary/opencanary_ssh_new_connection.yml b/rules/application/opencanary/opencanary_ssh_new_connection.yml
index eba6b2a9ede..223bcd0e1c5 100644
--- a/rules/application/opencanary/opencanary_ssh_new_connection.yml
+++ b/rules/application/opencanary/opencanary_ssh_new_connection.yml
@@ -6,10 +6,10 @@ references:
     - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
     - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
-    - attack.initial_access
-    - attack.lateral_movement
+    - attack.initial-access
+    - attack.lateral-movement
     - attack.persistence
     - attack.t1133
     - attack.t1021
diff --git a/rules/application/opencanary/opencanary_telnet_login_attempt.yml b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
index c3f853d7199..f3bb08fabd8 100644
--- a/rules/application/opencanary/opencanary_telnet_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
@@ -6,10 +6,10 @@ references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
- - attack.initial_access
- - attack.command_and_control
+ - attack.initial-access
+ - attack.command-and-control
 - attack.t1133
 - attack.t1078
 logsource:
diff --git a/rules/application/opencanary/opencanary_tftp_request.yml b/rules/application/opencanary/opencanary_tftp_request.yml
index 0d35635ed7c..dfd59599810 100644
--- a/rules/application/opencanary/opencanary_tftp_request.yml
+++ b/rules/application/opencanary/opencanary_tftp_request.yml
@@ -6,7 +6,7 @@ references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
 - attack.exfiltration
 - attack.t1041
diff --git a/rules/application/opencanary/opencanary_vnc_connection_attempt.yml b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
index 03255b07398..b9b99a2e106 100644
--- a/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
+++ b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
@@ -6,9 +6,9 @@ references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 author: Security Onion Solutions
-date: 2024/03/08
+date: 2024-03-08
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021
 logsource:
 category: application
diff --git a/rules/application/python/app_python_sql_exceptions.yml b/rules/application/python/app_python_sql_exceptions.yml
index 2dcda667973..3747365940a 100644
--- a/rules/application/python/app_python_sql_exceptions.yml
+++ b/rules/application/python/app_python_sql_exceptions.yml
@@ -5,10 +5,10 @@ description: Generic rule for SQL exceptions in Python according to PEP 249
 references:
 - https://www.python.org/dev/peps/pep-0249/#exceptions
 author: Thomas Patzke
-date: 2017/08/12
-modified: 2020/09/01
+date: 2017-08-12
+modified: 2020-09-01
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index 72daaa379c2..6ac53cc75e2 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1053
 - attack.t1053.002
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
index 02bbc17b410..a1ba2edcdee 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
index eacca06307f..d9cc4500419 100644
--- a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
 - attack.t1033
 - attack.discovery
diff --git a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
index d201aed3de8..6dc013cb5f5 100644
--- a/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 product: rpc_firewall
 category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
index 34dba98f064..5e771c2258b 100644
--- a/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
index 4fc39008f49..23bc57ec4f4 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1053
 - attack.t1053.002
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
index da9c85a62d2..c9fc1fe4960 100644
--- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
index 7421bda6001..c1c333d017b 100644
--- a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 product: rpc_firewall
 category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
index 7183cad1b6a..63f73572096 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.003
 - attack.t1047
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index da5006fabf0..ecc7d1d5fff 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1112
 logsource:
 product: rpc_firewall
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
index 2d759374551..bed30e219c6 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
index b1d115149d3..035ec3c18b1 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 product: rpc_firewall
 category: application
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
index e081565981a..5c0fb86f55e 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1569.002
 logsource:
 product: rpc_firewall
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index ce90a2426cb..8480cab760a 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1053
 - attack.t1053.002
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
index a9eb4ff1525..68bd6857196 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/11/17
+date: 2022-01-01
+modified: 2022-11-17
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
index 075d48fe4ce..82ee574386a 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
 - attack.t1087
 - attack.discovery
diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
index 46dcb6b7097..b5de4dddaee 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/zeronetworks/rpcfirewall
 - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
 author: Sagie Dulce, Dekel Paz
-date: 2022/01/01
-modified: 2022/01/01
+date: 2022-01-01
+modified: 2022-01-01
 tags:
 - attack.t1033
 logsource:
diff --git a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
index 661780aff01..16ad53536bf 100644
--- a/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
+++ b/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml
@@ -8,10 +8,10 @@ references:
 - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
 - https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
 author: Thomas Patzke
-date: 2017/08/06
-modified: 2020/09/01
+date: 2017-08-06
+modified: 2020-09-01
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/spring/spring_application_exceptions.yml b/rules/application/spring/spring_application_exceptions.yml
index d6020c98ac5..69140660d7f 100644
--- a/rules/application/spring/spring_application_exceptions.yml
+++ b/rules/application/spring/spring_application_exceptions.yml
@@ -5,10 +5,10 @@ description: Detects suspicious Spring framework exceptions that could indicate
 references:
 - https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
 author: Thomas Patzke
-date: 2017/08/06
-modified: 2020/09/01
+date: 2017-08-06
+modified: 2020-09-01
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/spring/spring_spel_injection.yml b/rules/application/spring/spring_spel_injection.yml
index 4f021ab7e40..ac5414705e9 100644
--- a/rules/application/spring/spring_spel_injection.yml
+++ b/rules/application/spring/spring_spel_injection.yml
@@ -6,9 +6,9 @@ references:
 - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/sql/app_sqlinjection_errors.yml b/rules/application/sql/app_sqlinjection_errors.yml
index f7447aefb48..9f287245cec 100644
--- a/rules/application/sql/app_sqlinjection_errors.yml
+++ b/rules/application/sql/app_sqlinjection_errors.yml
@@ -5,10 +5,10 @@ description: Detects SQL error messages that indicate probing for an injection a
 references:
 - http://www.sqlinjection.net/errors
 author: Bjoern Kimminich
-date: 2017/11/27
-modified: 2023/02/12
+date: 2017-11-27
+modified: 2023-02-12
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/application/velocity/velocity_ssti_injection.yml b/rules/application/velocity/velocity_ssti_injection.yml
index b8dbea1c7b8..f5c4674054f 100644
--- a/rules/application/velocity/velocity_ssti_injection.yml
+++ b/rules/application/velocity/velocity_ssti_injection.yml
@@ -6,9 +6,9 @@ references:
 - https://antgarsil.github.io/posts/velocity/
 - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
 author: Moti Harmats
-date: 2023/02/11
+date: 2023-02-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: application
diff --git a/rules/category/antivirus/av_exploiting.yml b/rules/category/antivirus/av_exploiting.yml
index 78b08f72cc7..f5a4c1a949e 100644
--- a/rules/category/antivirus/av_exploiting.yml
+++ b/rules/category/antivirus/av_exploiting.yml
@@ -8,12 +8,12 @@ references:
 - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
 - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
 author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2018/09/09
-modified: 2024/07/17
+date: 2018-09-09
+modified: 2024-07-17
 tags:
 - attack.execution
 - attack.t1203
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: antivirus
diff --git a/rules/category/antivirus/av_hacktool.yml b/rules/category/antivirus/av_hacktool.yml
index a98e084ed92..154a63e98a8 100644
--- a/rules/category/antivirus/av_hacktool.yml
+++ b/rules/category/antivirus/av_hacktool.yml
@@ -6,8 +6,8 @@ references:
 - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
 - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2021/08/16
-modified: 2024/07/17
+date: 2021-08-16
+modified: 2024-07-17
 tags:
 - attack.execution
 - attack.t1204
diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index a8f289522bb..3e8454bdc0f 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
@@ -7,10 +7,10 @@ references:
 - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
 - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
 author: Florian Roth (Nextron Systems)
-date: 2018/09/09
-modified: 2024/07/17
+date: 2018-09-09
+modified: 2024-07-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 - attack.t1558
 - attack.t1003.001
diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
index f8c4ea8d51b..b4fa40e1a20 100644
--- a/rules/category/antivirus/av_ransomware.yml
+++ b/rules/category/antivirus/av_ransomware.yml
@@ -10,8 +10,8 @@ references:
 - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
 - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
 author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2022/05/12
-modified: 2023/02/03
+date: 2022-05-12
+modified: 2023-02-03
 tags:
 - attack.t1486
 logsource:
diff --git a/rules/category/antivirus/av_relevant_files.yml b/rules/category/antivirus/av_relevant_files.yml
index da78ffe2371..eaa8530204b 100644
--- a/rules/category/antivirus/av_relevant_files.yml
+++ b/rules/category/antivirus/av_relevant_files.yml
@@ -5,10 +5,10 @@ description: Detects an Antivirus alert in a highly relevant file path or with a
 references:
 - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2018/09/09
-modified: 2024/07/17
+date: 2018-09-09
+modified: 2024-07-17
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588
 logsource:
 category: antivirus
diff --git a/rules/category/antivirus/av_webshell.yml b/rules/category/antivirus/av_webshell.yml
index 3df9c71ed3a..bd756b6fa5c 100644
--- a/rules/category/antivirus/av_webshell.yml
+++ b/rules/category/antivirus/av_webshell.yml
@@ -16,8 +16,8 @@ references:
 - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
 - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
 author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2018/09/09
-modified: 2024/07/17
+date: 2018-09-09
+modified: 2024-07-17
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/category/database/db_anomalous_query.yml b/rules/category/database/db_anomalous_query.yml
index 2810e8541a4..d0c416958a2 100644
--- a/rules/category/database/db_anomalous_query.yml
+++ b/rules/category/database/db_anomalous_query.yml
@@ -3,13 +3,13 @@ id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
 status: test
 description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
 author: '@juju4'
-date: 2022/12/27
+date: 2022-12-27
 references:
 - https://github.com/sqlmapproject/sqlmap
 tags:
 - attack.exfiltration
- - attack.initial_access
- - attack.privilege_escalation
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1190
 - attack.t1505.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml
index 783dceb324e..2f6237ee89d 100644
--- a/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml
+++ b/rules/cloud/aws/cloudtrail/aws_attached_malicious_lambda_layer.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
 author: Austin Songer
-date: 2021/09/23
-modified: 2022/10/09
+date: 2021-09-23
+modified: 2022-10-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
index eeae3dc7ac5..2d3a442468d 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
@@ -5,10 +5,10 @@ description: Detects disabling, deleting and updating of a Trail
 references:
 - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
 author: vitaliy0x1
-date: 2020/01/21
-modified: 2022/10/09
+date: 2020-01-21
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
index c57c3fa03d0..9cd318eba44 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
@@ -9,10 +9,10 @@ references:
 - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
 - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1078
 - attack.t1078.002
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
index 73f3f9d2c36..0cf8446e3ee 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml
index c252e5a8ff7..fde37df276c 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml
index f82383259b9..def7e7acee9 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml
index 66697f617a8..e12ccff9cf8 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml
index a552c03badb..fee5d6d7a6b 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
index cefc201e17e..26a01f517d6 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml
 author: jamesc-grafana
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1566
 - attack.t1566.002
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
index ea3d2e7b330..b35bff7e39b 100644
--- a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
+++ b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
@@ -5,10 +5,10 @@ description: Detects AWS Config Service disabling
 references:
 - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
 author: vitaliy0x1
-date: 2020/01/21
-modified: 2022/10/09
+date: 2020-01-21
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
index 8e70b1e852d..0cd347efae5 100644
--- a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
+++ b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
@@ -8,9 +8,9 @@ references:
 - https://github.com/NetSPI/aws_consoler
 - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
 author: Chester Le Bron (@123Le_Bron)
-date: 2024/02/26
+date: 2024-02-26
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.007
 - attack.t1550.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
index c52d5975b10..b4109e543a9 100644
--- a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
@@ -5,10 +5,10 @@ description: Detects an instance of an SES identity being deleted via the "Delet
 references:
 - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
 author: Janantha Marasinghe
-date: 2022/12/13
-modified: 2022/12/28
+date: 2022-12-13
+modified: 2022-12-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml
index e3694277be0..ec6e805d955 100644
--- a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml
+++ b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml
@@ -5,7 +5,7 @@ description: Detects when S3 bucket versioning is disabled. Threat actors use th
 references:
 - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
 author: Sean Johnstone | Unit 42
-date: 2023/10/28
+date: 2023-10-28
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml b/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml
index ff2d9cd140e..a57f6d4d364 100644
--- a/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
 author: Sittikorn S
-date: 2021/06/29
-modified: 2021/08/20
+date: 2021-06-29
+modified: 2021-08-20
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml b/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml
index 8a171545438..82996a92447 100644
--- a/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml
@@ -5,8 +5,8 @@ description: Detects changes to the EC2 instance startup script. The shell scrip
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
 author: faloker
-date: 2020/02/12
-modified: 2022/06/07
+date: 2020-02-12
+modified: 2022-06-07
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml
index 7b4a0e5da6c..5c216ee4c75 100644
--- a/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml
@@ -5,8 +5,8 @@ description: An attempt to export an AWS EC2 instance has been detected. A VM Ex
 references:
 - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
 author: Diogo Braz
-date: 2020/04/16
-modified: 2022/10/05
+date: 2020-04-16
+modified: 2022-10-05
 tags:
 - attack.collection
 - attack.t1005
diff --git a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
index 09eac93acd0..8e83279b5d7 100644
--- a/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml
@@ -9,8 +9,8 @@ references:
 - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
 - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
 author: Darin Smith
-date: 2022/06/07
-modified: 2023/04/24
+date: 2022-06-07
+modified: 2023-04-24
 tags:
 - attack.persistence
 - attack.t1525
diff --git a/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml b/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml
index d4df9c3cf24..cc63f74c68f 100644
--- a/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
 author: Austin Songer @austinsonger
-date: 2021/08/15
-modified: 2022/10/09
+date: 2021-08-15
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml b/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml
index da66ea29aac..989ecd5a689 100644
--- a/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Detects when a EFS Fileshare Mount is modified or deleted. An adver
 references:
 - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
 author: Austin Songer @austinsonger
-date: 2021/08/15
-modified: 2022/10/09
+date: 2021-08-15
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml b/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml
index 24183547577..4ddccd00256 100644
--- a/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when an EKS cluster is created or deleted.
 references:
 - https://any-api.com/amazonaws_com/eks/docs/API_Description
 author: Austin Songer
-date: 2021/08/16
-modified: 2022/10/09
+date: 2021-08-16
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml b/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml
index 415f69cb17b..84368ab44d8 100644
--- a/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml
+++ b/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml
@@ -5,8 +5,8 @@ description: Detects when an ElastiCache security group has been created.
 references:
 - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1136
diff --git a/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml b/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
index 8c162d317e8..a842e1da5a3 100644
--- a/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when an ElastiCache security group has been modified or
 references:
 - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
index 4287c4a8c7a..237441fcd25 100644
--- a/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
+++ b/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
@@ -10,8 +10,8 @@ references:
 - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
 - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
 author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-date: 2023/01/06
-modified: 2024/07/10
+date: 2023-01-06
+modified: 2024-07-10
 tags:
 - attack.discovery
 - attack.t1580
diff --git a/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml b/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml
index b81f188c40b..cfa960aa093 100644
--- a/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml
@@ -5,10 +5,10 @@ description: Detects updates of the GuardDuty list of trusted IPs, perhaps to di
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
 author: faloker
-date: 2020/02/11
-modified: 2022/10/09
+date: 2020-02-11
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml b/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
index 085d768cfa1..e3734e6a985 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
 author: faloker
-date: 2020/02/12
-modified: 2022/10/09
+date: 2020-02-12
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
index d21df2190e4..ca9d50ae7ac 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
@@ -5,7 +5,7 @@ description: Detects S3 Browser utility performing reconnaissance looking for ex
 references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 author: daniel.bohannon@permiso.io (@danielhbohannon)
-date: 2023/05/17
+date: 2023-05-17
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
index abb9586eabe..a31499f9715 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
@@ -5,8 +5,8 @@ description: Detects S3 browser utility creating Inline IAM policy containing de
 references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 author: daniel.bohannon@permiso.io (@danielhbohannon)
-date: 2023/05/17
-modified: 2023/05/17
+date: 2023-05-17
+modified: 2023-05-17
 tags:
 - attack.execution
 - attack.t1059.009
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
index 1fd5582964c..fd4bf7a39a3 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
@@ -5,7 +5,7 @@ description: Detects S3 Browser utility creating IAM User or AccessKey.
 references:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 author: daniel.bohannon@permiso.io (@danielhbohannon)
-date: 2023/05/17
+date: 2023-05-17
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
index f7b05b387ed..bf87bd659dd 100644
--- a/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
+++ b/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
@@ -6,10 +6,10 @@ references:
 - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
 - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
 author: Austin Songer @austinsonger
-date: 2021/10/03
-modified: 2022/12/18
+date: 2021-10-03
+modified: 2022-12-18
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml b/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml
index c3b990d9df2..db15a891261 100644
--- a/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml
+++ b/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml
@@ -5,8 +5,8 @@ description: Detects the change of database master password. It may be a part of
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
 author: faloker
-date: 2020/02/12
-modified: 2022/10/05
+date: 2020-02-12
+modified: 2022-10-05
 tags:
 - attack.exfiltration
 - attack.t1020
diff --git a/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml b/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml
index 597a66a6f06..56ad8e88e63 100644
--- a/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml
+++ b/rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml
@@ -5,8 +5,8 @@ description: Detects the recovery of a new public database instance from a snaps
 references:
 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
 author: faloker
-date: 2020/02/12
-modified: 2022/10/09
+date: 2020-02-12
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 - attack.t1020
diff --git a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
index 5470622d771..0127c7b60d7 100644
--- a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
@@ -5,10 +5,10 @@ description: Detects AWS root account usage
 references:
 - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
 author: vitaliy0x1
-date: 2020/01/21
-modified: 2022/10/09
+date: 2020-01-21
+modified: 2022-10-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
index bf738eff0b3..4e809335422 100644
--- a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
+++ b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml
@@ -7,11 +7,11 @@ references:
 - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
 - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
 author: Elastic, Austin Songer @austinsonger
-date: 2021/07/22
-modified: 2022/10/09
+date: 2021-07-22
+modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.credential_access
+ - attack.credential-access
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
index 599badbcdc6..9bfe871a868 100644
--- a/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
+++ b/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml
@@ -5,11 +5,11 @@ description: Detects when a request has been made to transfer a Route 53 domain
 references:
 - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
 author: Elastic, Austin Songer @austinsonger
-date: 2021/07/22
-modified: 2022/10/09
+date: 2021-07-22
+modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.credential_access
+ - attack.credential-access
 - attack.t1098
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml b/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml
index 393dbbc73b3..c99611b0752 100644
--- a/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml
+++ b/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml
@@ -11,8 +11,8 @@ references:
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
 - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 - attack.t1537
diff --git a/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml b/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml
index a32ca648666..d92a071d8fb 100644
--- a/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml
+++ b/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml
@@ -5,9 +5,9 @@ description: Detects the modification of the findings on SecurityHub.
 references:
 - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
 author: Sittikorn S
-date: 2021/06/28
+date: 2021-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml
index ced4493a53f..eb714338491 100644
--- a/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml
+++ b/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml
@@ -5,8 +5,8 @@ description: Detects the modification of an EC2 snapshot's permissions to enable
 references:
 - https://www.justice.gov/file/1080281/download
 author: Darin Smith
-date: 2021/05/17
-modified: 2021/08/19
+date: 2021-05-17
+modified: 2021-08-19
 tags:
 - attack.exfiltration
 - attack.t1537
diff --git a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
index b9963f627b8..1bb277fc1eb 100644
--- a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
@@ -9,7 +9,7 @@ references:
 - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
 - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
 author: Michael McIntyre @wtfender
-date: 2023/09/27
+date: 2023-09-27
 tags:
 - attack.persistence
 - attack.t1556
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
index bc0615dcfc9..88ce08bd6d3 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/elastic/detection-rules/pull/1214
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
index 817c97a064f..a0dece9ed56 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/elastic/detection-rules/pull/1213
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
+date: 2021-07-24
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
index 531596e17d2..2d60672a72f 100644
--- a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
@@ -6,14 +6,14 @@ references:
 - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
 - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
 author: Austin Songer
-date: 2021/09/22
-modified: 2022/12/18
+date: 2021-09-22
+modified: 2022-12-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1548
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1550
 - attack.t1550.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml b/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
index 7c7698b451d..7e9abb1baec 100644
--- a/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
+++ b/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
 author: toffeebr33k
-date: 2021/08/09
-modified: 2024/04/26
+date: 2021-08-09
+modified: 2024-04-26
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
index 3305905355f..6decf5e45c4 100644
--- a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
+++ b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://o365blog.com/post/hybridhealthagent/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-modified: 2023/10/11
+date: 2021-08-26
+modified: 2023-10-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1578
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml
index e3b8547b6bb..992e7deff3f 100644
--- a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://o365blog.com/post/hybridhealthagent/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-modified: 2023/10/11
+date: 2021-08-26
+modified: 2023-10-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1578.003
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
index cb49283056b..cbd52eb85d3 100644
--- a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
+++ b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
@@ -5,11 +5,11 @@ description: User Added to an Administrator's Azure AD Role
 references:
 - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
 author: Raphaël CALVET, @MetallicHack
-date: 2021/10/04
-modified: 2022/10/09
+date: 2021-10-04
+modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098.003
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml b/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml
index 4bc842cffc7..e38f45ef8f3 100644
--- a/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml
+++ b/rules/cloud/azure/activity_logs/azure_app_credential_modification.yml
@@ -5,8 +5,8 @@ description: Identifies when a application credential is modified.
 references:
 - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
 author: Austin Songer @austinsonger
-date: 2021/09/02
-modified: 2022/10/09
+date: 2021-09-02
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_application_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_deleted.yml
index 13d25e102cd..40ca452bdd0 100644
--- a/rules/cloud/azure/activity_logs/azure_application_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_application_deleted.yml
@@ -5,10 +5,10 @@ description: Identifies when a application is deleted in Azure.
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1489
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml
index be418b360ff..f99ed2b5f86 100644
--- a/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a application gateway is modified or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml
index a4b509a239d..8e118979094 100644
--- a/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a application security group is modified or deleted
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml
index 34cd7abe561..ee1d5ea334f 100644
--- a/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
index e7363dca4b1..895337e6f62 100644
--- a/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
+++ b/rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml
@@ -5,8 +5,8 @@ description: Number of VM creations or deployment activities occur in Azure via
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
 author: sawwinnnaung
-date: 2020/05/07
-modified: 2023/10/11
+date: 2020-05-07
+modified: 2023-10-11
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml
index 52becf2010c..670cbb9dc03 100644
--- a/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml
+++ b/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml
@@ -5,8 +5,8 @@ description: Identifies when a device in azure is no longer managed or compliant
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml
index 4ffcf901f26..af364619f3d 100644
--- a/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a device or device configuration in azure is modifi
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml
index fcc37df0998..7b84ea6e554 100644
--- a/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when DNS zone is modified or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 - attack.t1565.001
diff --git a/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
index bd484ffe455..308a2ddf426 100644
--- a/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when a firewall is created, modified, or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
index 2f1f7eb4e53..aa4959357c5 100644
--- a/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when Rule Collections (Application, NAT, and Network) is
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml b/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
index 58cb33d52f5..db30c8f5810 100644
--- a/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
+++ b/rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml
@@ -5,8 +5,8 @@ description: Identifies IPs from which users grant access to other users on azur
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
 author: sawwinnnaung
-date: 2020/05/07
-modified: 2023/10/11
+date: 2020-05-07
+modified: 2023-10-11
 tags:
 - attack.persistence
 - attack.t1098.003
diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml
index c30cf660a40..1af0486fe0a 100644
--- a/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when a Keyvault Key is modified or deleted in Azure.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.001
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml
index 0d2a7fc7258..2adb90bfaf8 100644
--- a/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when a key vault is modified or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.001
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml
index 1024e04c96e..7f60999b8b0 100644
--- a/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when secrets are modified or deleted in Azure.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.001
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
index 2693117bbe9..0576c63b9c0 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
@@ -12,12 +12,12 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 author: Austin Songer @austinsonger
-date: 2021/11/25
-modified: 2022/12/18
+date: 2021-11-25
+modified: 2022-12-18
 tags:
 - attack.persistence
 - attack.t1078
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.007
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml
index e0d9f688041..d32a1e46e1b 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
index 98d46a71d93..c2a773f661a 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
@@ -11,12 +11,12 @@ references:
 - https://kubernetes.io/docs/concepts/workloads/controllers/job/
 - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
 author: Austin Songer @austinsonger
-date: 2021/11/22
-modified: 2022/12/18
+date: 2021-11-22
+modified: 2022-12-18
 tags:
 - attack.persistence
 - attack.t1053.003
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.execution
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
index 4b8f5a9ab48..d62ee0cd530 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/08/23
+date: 2021-07-24
+modified: 2022-08-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 - attack.t1562.001
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml
index 969204b0807..c17c51eef07 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml
@@ -9,11 +9,11 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml
index 51dc1ba1556..a23378299d9 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
 author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/08/23
+date: 2021-07-24
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml
index c6c2d6f0efe..0c45a88e088 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml
index 14603bdfcf7..d0a2f82fd63 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml
@@ -9,11 +9,11 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml
index d13ce24c0ef..b396303cd74 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml
index 31158d90953..da26074fbe8 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
 - https://attack.mitre.org/matrices/enterprise/cloud/
 author: Austin Songer @austinsonger
-date: 2021/08/07
-modified: 2022/08/23
+date: 2021-08-07
+modified: 2022-08-23
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
index 2287dcb5956..09ffe08efc1 100644
--- a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
+++ b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
@@ -5,7 +5,7 @@ description: Detection for when multi factor authentication has been disabled, w
 references:
 - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
 author: '@ionsor'
-date: 2022/02/08
+date: 2022-02-08
 tags:
 - attack.persistence
 - attack.t1556
diff --git a/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
index f9340d105a3..41b8038b32a 100644
--- a/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
@@ -5,11 +5,11 @@ description: Identifies when a Firewall Policy is Modified or Deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/09/02
-modified: 2022/08/23
+date: 2021-09-02
+modified: 2022-08-23
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.007
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml
index 72af9a29df5..36d7c17311f 100644
--- a/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a Firewall Rule Configuration is Modified or Delete
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml
index 20895725c5d..2f9513e01e5 100644
--- a/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a Point-to-site VPN is Modified or Deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml
index 100be5dd1f8..d2a20104767 100644
--- a/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a network security configuration is modified or del
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml
index 41d8c4301dc..147b364d4f8 100644
--- a/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml b/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml
index 3f05939c959..9107020bc5d 100644
--- a/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml
+++ b/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml
@@ -5,8 +5,8 @@ description: Identifies when a new cloudshell is created inside of Azure portal.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer
-date: 2021/09/21
-modified: 2022/08/23
+date: 2021-09-21
+modified: 2022-08-23
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml
index 62c8df70e9e..7f2bf081c95 100644
--- a/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml
+++ b/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml
@@ -5,10 +5,10 @@ description: Identifies when a owner is was removed from a application or servic
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_rare_operations.yml b/rules/cloud/azure/activity_logs/azure_rare_operations.yml
index f7776cf79ba..6572248daca 100644
--- a/rules/cloud/azure/activity_logs/azure_rare_operations.yml
+++ b/rules/cloud/azure/activity_logs/azure_rare_operations.yml
@@ -5,8 +5,8 @@ description: Identifies IPs from which users grant access to other users on azur
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
 author: sawwinnnaung
-date: 2020/05/07
-modified: 2023/10/11
+date: 2020-05-07
+modified: 2023-10-11
 tags:
 - attack.t1003
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_service_principal_created.yml b/rules/cloud/azure/activity_logs/azure_service_principal_created.yml
index 559276da933..a1827b78be4 100644
--- a/rules/cloud/azure/activity_logs/azure_service_principal_created.yml
+++ b/rules/cloud/azure/activity_logs/azure_service_principal_created.yml
@@ -5,10 +5,10 @@ description: Identifies when a service principal is created in Azure.
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 author: Austin Songer @austinsonger
-date: 2021/09/02
-modified: 2022/10/09
+date: 2021-09-02
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml b/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml
index f7e74e449a1..66b134d7ade 100644
--- a/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml
@@ -5,10 +5,10 @@ description: Identifies when a service principal was removed in Azure.
 references:
 - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 author: Austin Songer @austinsonger
-date: 2021/09/03
-modified: 2022/10/09
+date: 2021-09-03
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
index 6e22ea3190f..b646976e511 100644
--- a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
+++ b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
 author: Austin Songer @austinsonger
-date: 2021/11/26
-modified: 2022/08/23
+date: 2021-11-26
+modified: 2022-08-23
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml b/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml
index 6b232786868..b775471f5c2 100644
--- a/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml
+++ b/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml
@@ -5,8 +5,8 @@ description: Identifies when a suppression rule is created in Azure. Adversary's
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer
-date: 2021/08/16
-modified: 2022/08/23
+date: 2021-08-16
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml
index ecc062e157a..91808642ad1 100644
--- a/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a Virtual Network is modified or deleted in Azure.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml
index 6357240331b..e5ba58eac4b 100644
--- a/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a VPN connection is modified or deleted.
 references:
 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger
-date: 2021/08/08
-modified: 2022/08/23
+date: 2021-08-08
+modified: 2022-08-23
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
index 3e51384d7e5..a7872f2d1c6 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
@@ -5,9 +5,9 @@ description: Monitor and alert on conditional access changes where non approved
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 author: Corissa Koopmans, '@corissalea'
-date: 2022/07/19
+date: 2022-07-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
index 7abe79baa58..09903cbc1c9 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
@@ -5,10 +5,10 @@ description: Monitor and alert on conditional access changes. Is Initiated by (a
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 author: Corissa Koopmans, '@corissalea'
-date: 2022/07/19
-modified: 2024/05/28
+date: 2022-07-19
+modified: 2024-05-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
index dda18e6ce72..6ad71d86ce8 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
@@ -5,9 +5,9 @@ description: Monitor and alert on conditional access changes.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
 author: Corissa Koopmans, '@corissalea'
-date: 2022/07/18
+date: 2022-07-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1548
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
index c4fc2281a9a..87506b737e8 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
@@ -5,10 +5,10 @@ description: Detects when an account was created and deleted in a short period o
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
-date: 2022/08/11
-modified: 2022/08/18
+date: 2022-08-11
+modified: 2022-08-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
index 33a2a6516b2..f6dddd75104 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
@@ -5,9 +5,9 @@ description: Monitor and alert for Bitlocker key retrieval.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
index 257183afa30..109fbc699c0 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
@@ -6,10 +6,10 @@ references:
 - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
 - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
 author: Harjot Shah Singh, '@cyb3rjy0t'
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1556
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml b/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
index 1c179fb9bed..a1b25eac8a6 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
@@ -5,10 +5,10 @@ description: Monitor and alert for changes to the device registration policy.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1484
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
index caf50500ba7..4191de418b6 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
@@ -5,9 +5,9 @@ description: Detects guest users being invited to tenant by non-approved inviter
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 author: MikeDuddington, '@dudders1'
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
index f659142a4f3..e440d33a786 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
@@ -6,10 +6,10 @@ references:
 - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
 - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
 author: Harjot Shah Singh, '@cyb3rjy0t'
-date: 2024/03/26
+date: 2024-03-26
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1556
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
index ed7877ba335..6e78827ae02 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
@@ -5,10 +5,10 @@ description: Monitor and alert for users added to device admin roles.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
index ee212875e3b..778913cd8d1 100644
--- a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
@@ -5,11 +5,11 @@ description: Detects when a configuration change is made to an applications AppI
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/02
+date: 2022-06-02
 tags:
 - attack.persistence
- - attack.credential_access
- - attack.privilege_escalation
+ - attack.credential-access
+ - attack.privilege-escalation
 - attack.t1552
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml
index cbbc388db32..b9493d2d4b7 100644
--- a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml
@@ -5,7 +5,7 @@ description: Detects when a new credential is added to an existing application.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/05/26
+date: 2022-05-26
 tags:
 - attack.t1098.001
 - attack.persistence
diff --git a/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml b/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml
index dce9b89e0ef..ad000b060c0 100644
--- a/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml
@@ -5,9 +5,9 @@ description: Detects when highly privileged delegated permissions are granted on
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml b/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml
index 1a9ec243fe5..17c03d79e69 100644
--- a/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml
@@ -5,9 +5,9 @@ description: Detects when an end user consents to an application
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml b/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml
index 667f6ef72d9..3fe5ceeaecf 100644
--- a/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml
@@ -5,9 +5,9 @@ description: Detects when end user consent is blocked due to risk-based consent.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/10
+date: 2022-07-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_owner_added.yml b/rules/cloud/azure/audit_logs/azure_app_owner_added.yml
index a02e561928c..d539f840d87 100644
--- a/rules/cloud/azure/audit_logs/azure_app_owner_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_owner_added.yml
@@ -5,10 +5,10 @@ description: Detects when a new owner is added to an application. This gives tha
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/02
+date: 2022-06-02
 tags:
 - attack.t1552
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: auditlogs
diff --git a/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml b/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml
index f6522e4053d..3af593fc388 100644
--- a/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml
@@ -5,9 +5,9 @@ description: Detects when an application is granted delegated or app role permis
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/10
+date: 2022-07-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
index c58eae3b78f..d1a4e8af499 100644
--- a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
@@ -2,17 +2,17 @@ title: App Granted Privileged Delegated Or App Permissions
 id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
 related:
 - id: ba2a7c80-027b-460f-92e2-57d113897dbc
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/28
-modified: 2023/03/29
+date: 2022-07-28
+modified: 2023-03-29
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098.003
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_role_added.yml b/rules/cloud/azure/audit_logs/azure_app_role_added.yml
index 6cf587b1eb1..acfa45c0fd6 100644
--- a/rules/cloud/azure/audit_logs/azure_app_role_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_role_added.yml
@@ -5,10 +5,10 @@ description: Detects when an app is assigned Azure AD roles, such as global admi
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
-date: 2022/07/19
+date: 2022-07-19
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098.003
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
index 957d11f6d99..1913528e04e 100644
--- a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
@@ -7,13 +7,13 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/02
+date: 2022-06-02
 tags:
 - attack.t1528
 - attack.t1078.004
 - attack.persistence
- - attack.credential_access
- - attack.privilege_escalation
+ - attack.credential-access
+ - attack.privilege-escalation
 logsource:
 product: azure
 service: auditlogs
diff --git a/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml b/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml
index d5e821568e6..f01c64bc323 100644
--- a/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml
+++ b/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml
@@ -7,7 +7,7 @@ references:
 - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
 - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
 author: andrewdanis
-date: 2024/06/26
+date: 2024-06-26
 tags:
 - attack.t1098.005
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
index ede8166bdca..65c1be6c9b2 100644
--- a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
+++ b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
@@ -5,13 +5,13 @@ description: Change to authentication method could be an indicator of an attacke
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/25
+date: 2021-10-10
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1556
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1098
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_federation_modified.yml b/rules/cloud/azure/audit_logs/azure_federation_modified.yml
index 65b7e669e68..ce6330749a8 100644
--- a/rules/cloud/azure/audit_logs/azure_federation_modified.yml
+++ b/rules/cloud/azure/audit_logs/azure_federation_modified.yml
@@ -5,10 +5,10 @@ description: Identifies when an user or application modified the federation sett
 references:
 - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
 author: Austin Songer
-date: 2021/09/06
-modified: 2022/06/08
+date: 2021-09-06
+modified: 2022-06-08
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
index 398b777843f..89d51accc4b 100644
--- a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
+++ b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
@@ -5,9 +5,9 @@ description: Monitor and alert on group membership additions of groups that have
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
-date: 2022/08/04
+date: 2022-08-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
index 5b610b73b1f..8b8d5506875 100644
--- a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
+++ b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
@@ -5,9 +5,9 @@ description: Monitor and alert on group membership removal of groups that have C
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
-date: 2022/08/04
+date: 2022-08-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1556
diff --git a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
index e6dc35bc102..5e9d2abde0b 100644
--- a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
+++ b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
@@ -5,10 +5,10 @@ description: Detects when a user that doesn't have permissions to invite a guest
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/10
+date: 2022-08-10
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
index dc5561d700f..63d4ca7c664 100644
--- a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
+++ b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
@@ -5,10 +5,10 @@ description: Detects the change of user type from "Guest" to "Member" for potent
 references:
 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 author: MikeDuddington, '@dudders1'
-date: 2022/06/30
+date: 2022-06-30
 tags:
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
index 790dbae1c68..3a55d20216e 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
@@ -5,9 +5,9 @@ description: Detects when a PIM elevation is approved or denied. Outside of norm
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/09
+date: 2022-08-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
index 8803800ae11..b12ef942497 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
@@ -5,10 +5,10 @@ description: Detects when PIM alerts are set to disabled.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/09
+date: 2022-08-09
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
index 0c70fec2b3e..1f3db29d25f 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
@@ -5,9 +5,9 @@ description: Detects when changes are made to PIM roles
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/09
+date: 2022-08-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
index 45826985cfc..31c4513202f 100644
--- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
+++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
@@ -5,10 +5,10 @@ description: Detects when a user is added to a privileged role.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/06
+date: 2022-08-06
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml
index 9e01f26d04a..6ce06e8eece 100644
--- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml
+++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml
@@ -5,7 +5,7 @@ description: Detects when a user is removed from a privileged role. Bulk changes
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/05
+date: 2022-08-05
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
index e216fc0d120..faf5fcfb0ae 100644
--- a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
+++ b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
@@ -5,11 +5,11 @@ description: Detects when a new admin is created.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
-date: 2022/08/11
-modified: 2022/08/16
+date: 2022-08-11
+modified: 2022-08-16
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
index 2b89508d928..0f545eee16f 100644
--- a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
+++ b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
 author: Austin Songer @austinsonger
-date: 2021/11/26
-modified: 2022/12/25
+date: 2021-11-26
+modified: 2022-12-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_tap_added.yml b/rules/cloud/azure/audit_logs/azure_tap_added.yml
index a2c1c700e31..7bf89b16413 100644
--- a/rules/cloud/azure/audit_logs/azure_tap_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_tap_added.yml
@@ -5,7 +5,7 @@ description: Detects when a temporary access pass (TAP) is added to an account.
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
 author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
-date: 2022/08/10
+date: 2022-08-10
 tags:
 - attack.persistence
 - attack.t1078.004
diff --git a/rules/cloud/azure/audit_logs/azure_user_password_change.yml b/rules/cloud/azure/audit_logs/azure_user_password_change.yml
index 48e9c96e65c..6b51691ac37 100644
--- a/rules/cloud/azure/audit_logs/azure_user_password_change.yml
+++ b/rules/cloud/azure/audit_logs/azure_user_password_change.yml
@@ -5,10 +5,10 @@ description: Detect when a user has reset their password in Azure AD
 references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: YochanaHenderson, '@Yochana-H'
-date: 2022/08/03
+date: 2022-08-03
 tags:
 - attack.persistence
- - attack.credential_access
+ - attack.credential-access
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml
index b5e041b58f0..03b51c9574d 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow'
-date: 2023/08/07
+date: 2023-08-07
 tags:
 - attack.t1528
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
index 8cc25c64131..e20d60d2cb5 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
@@ -6,7 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1098
 - attack.persistence
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
index a8749edfb7f..e4e45b83f1c 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
index 556bdc52cdf..baabd5b53c8 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
 author: Gloria Lee, '@gleeiamglo'
-date: 2023/08/22
+date: 2023-08-22
 tags:
 - attack.t1528
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
index 2c01f60d955..43a9039f344 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
index 31eec3df3d1..97ca81fa424 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
index 7fb671c20b4..616f344b628 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1140
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
index d2e8b849d61..9969d55f7f4 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1140
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
index 34aa974f361..f1f25a93222 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
@@ -6,7 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1589
 - attack.reconnaissance
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml
index 7221d8ad3a0..bf5ad5d1168 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/07
+date: 2023-09-07
 tags:
 - attack.t1090
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml
index 064c2f24473..0b9b6ddc314 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/07
+date: 2023-09-07
 tags:
 - attack.t1090
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
index 29c83729a89..f1fe92abf4d 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1090
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
index d2739ae6649..4e6c6bc87e6 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1078
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
index dd01d4ffea9..0ecf9fbacea 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
 - attack.t1110
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml
index 76e38687e4a..fa3110b0a1f 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/07
+date: 2023-09-07
 tags:
 - attack.t1528
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
index 1e437ccb62e..7f1ba0cb15c 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
@@ -6,13 +6,13 @@ references:
     - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.initial_access
+    - attack.defense-evasion
+    - attack.privilege-escalation
+    - attack.initial-access
 logsource:
     product: azure
     service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml
index 1180430554d..f8d49a138fd 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml
@@ -7,13 +7,13 @@ references:
     - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/07
+date: 2023-09-07
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.initial_access
+    - attack.defense-evasion
+    - attack.privilege-escalation
+    - attack.initial-access
 logsource:
     product: azure
     service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
index a1a71314321..9549ab00822 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
@@ -6,10 +6,10 @@ references:
     - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
     - attack.t1606
-    - attack.credential_access
+    - attack.credential-access
 logsource:
     product: azure
     service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
index dc27a47744c..d4f00afca9c 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
@@ -6,13 +6,13 @@ references:
     - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/03
+date: 2023-09-03
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.initial_access
+    - attack.defense-evasion
+    - attack.privilege-escalation
+    - attack.initial-access
 logsource:
     product: azure
     service: riskdetection
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
index 57ff7fd7d28..c6bf45cc8aa 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
@@ -5,11 +5,11 @@ description: Identifies when an account hasn't signed in during the past n numbe
 references:
     - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: azure
     service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
index 46e06757aaa..dfcef1f54ff 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
@@ -5,11 +5,11 @@ description: Identifies when an organization doesn't have the proper license for
 references:
     - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: azure
     service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
index 1563eda0694..33f0d647f8b 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
@@ -5,11 +5,11 @@ description: Identifies when a privilege role assignment has taken place outside
 references:
     - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: azure
     service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
index 3064e61c8a9..ae57b20f480 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
@@ -5,11 +5,11 @@ description: Identifies when the same privilege role has multiple activations by
 references:
     - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: azure
     service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
index 7bb31ea202e..eda10ef3b1d 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
@@ -5,11 +5,11 @@ description: Identifies when a privilege role can be activated without performin
 references:
     - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: azure
     service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
index e0cfcc5b344..066bc8cc74f 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
@@ -5,11 +5,11 @@ description: Identifies when a user has been assigned a privilege role and are n
 references:
     - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: azure
     service: pim
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
index 06e46b94262..4d783c3397f 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
@@ -5,11 +5,11 @@ description: Identifies an event where there are there are too many accounts ass
 references:
     - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
-date: 2023/09/14
+date: 2023-09-14
 tags:
     - attack.t1078
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: azure
     service: pim
diff --git a/rules/cloud/azure/signin_logs/azure_account_lockout.yml b/rules/cloud/azure/signin_logs/azure_account_lockout.yml
index d5b0cda9b65..f1c58e59b67 100644
--- a/rules/cloud/azure/signin_logs/azure_account_lockout.yml
+++ b/rules/cloud/azure/signin_logs/azure_account_lockout.yml
@@ -5,10 +5,10 @@ description: Identifies user account which has been locked because the user trie
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/25
+date: 2021-10-10
+modified: 2022-12-25
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1110
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
index 1ea9bb1fa28..79f8cd90b97 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
@@ -5,9 +5,9 @@ description: Detects when sign-ins increased by 10% or greater.
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
-date: 2022/08/11
+date: 2022-08-11
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1078
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
index 22453a187b2..3655641d13d 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
@@ -5,10 +5,10 @@ description: Detects when successful sign-ins increased by 10% or greater.
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
 author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
-date: 2022/08/11
-modified: 2022/08/18
+date: 2022-08-11
+modified: 2022-08-18
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1078
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
index 7988b73e239..218170dec84 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
@@ -5,9 +5,9 @@ description: Detect when authentications to important application(s) only requir
 references:
     - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 author: MikeDuddington, '@dudders1'
-date: 2022/07/28
+date: 2022-07-28
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1078
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
index 7cfc4496e72..3232199473c 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
@@ -5,10 +5,10 @@ description: Detect successful authentications from countries you do not operate
 references:
     - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 author: MikeDuddington, '@dudders1'
-date: 2022/07/28
+date: 2022-07-28
 tags:
-    - attack.initial_access
-    - attack.credential_access
+    - attack.initial-access
+    - attack.credential-access
     - attack.t1078.004
     - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml b/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml
index 0974584320d..75f55928e55 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml
@@ -5,7 +5,7 @@ description: Detects AzureHound (A BloodHound data collector for Microsoft Azure
 references:
     - https://github.com/BloodHoundAD/AzureHound
 author: Janantha Marasinghe
-date: 2022/11/27
+date: 2022-11-27
 tags:
     - attack.discovery
     - attack.t1087.004
diff --git a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
index 23b4c37e798..53ebb0788e3 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
@@ -5,9 +5,9 @@ description: Monitor and alert for device registration or join events where MFA
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1078.004
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
index 50e3c2939f3..45ffc7ed427 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
@@ -5,10 +5,10 @@ description: Detect failed authentications from countries you do not operate out
 references:
     - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 author: MikeDuddington, '@dudders1'
-date: 2022/07/28
+date: 2022-07-28
 tags:
-    - attack.initial_access
-    - attack.credential_access
+    - attack.initial-access
+    - attack.credential-access
     - attack.t1078.004
     - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
index 94f1d0dcc63..ef13cded4fe 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
@@ -5,10 +5,10 @@ description: Detect when users are authenticating without MFA being required.
 references:
     - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 author: MikeDuddington, '@dudders1'
-date: 2022/07/27
+date: 2022-07-27
 tags:
-    - attack.initial_access
-    - attack.credential_access
+    - attack.initial-access
+    - attack.credential-access
     - attack.t1078.004
     - attack.t1556.006
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
index b170e8edc51..8acdaf59657 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
@@ -5,9 +5,9 @@ description: Detects risky authentication from a non AD registered device withou
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
 author: Harjot Singh, '@cyb3rjy0t'
-date: 2023/01/10
+date: 2023-01-10
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1078
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
index a1ae251b735..1d3d97c9ee3 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -5,9 +5,9 @@ description: Monitor and alert for sign-ins where the device was non-compliant.
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
+date: 2022-06-28
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1078.004
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
index 661bbf4ae46..3b48259961e 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
@@ -5,10 +5,10 @@ description: Monitor and alert for Sign-ins by unknown devices from non-Trusted
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
 author: Michael Epping, '@mepples21'
-date: 2022/06/28
-modified: 2022/10/05
+date: 2022-06-28
+modified: 2022-10-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1078.004
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
index a906a4fd304..f09a59aadee 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
@@ -6,10 +6,10 @@ references:
     - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
     - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
 author: Harjot Singh, '@cyb3rjy0t'
-date: 2023/03/20
+date: 2023-03-20
 tags:
-    - attack.initial_access
-    - attack.credential_access
+    - attack.initial-access
+    - attack.credential-access
     - attack.t1078.004
     - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml b/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml
index b8bbb76d5c6..7341517eb24 100644
--- a/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml
+++ b/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml
@@ -8,13 +8,13 @@ description: |
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/01
+date: 2022-06-01
 tags:
     - attack.t1078
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.persistence
-    - attack.privilege_escalation
-    - attack.initial_access
+    - attack.privilege-escalation
+    - attack.initial-access
 logsource:
     product: azure
     service: signinlogs
diff --git a/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml b/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml
index 46fb9933b0e..a7430a81f0e 100644
--- a/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml
+++ b/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml
@@ -7,13 +7,13 @@ description: |
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
-date: 2022/06/01
+date: 2022-06-01
 tags:
     - attack.t1078
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.persistence
-    - attack.privilege_escalation
-    - attack.initial_access
+    - attack.privilege-escalation
+    - attack.initial-access
 logsource:
     product: azure
     service: signinlogs
diff --git a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
index 93840374755..d648bff0b6d 100644
--- a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
+++ b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
@@ -5,9 +5,9 @@ description: Detects when an account is disabled or blocked for sign in but trie
 references:
     - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
 author: Yochana Henderson, '@Yochana-H'
-date: 2022/06/17
+date: 2022-06-17
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1078.004
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
index bbe017c0899..5cb94a415b1 100644
--- a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
+++ b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
@@ -5,10 +5,10 @@ description: Define a baseline threshold for failed sign-ins due to Conditional
 references:
     - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
 author: Yochana Henderson, '@Yochana-H'
-date: 2022/06/01
+date: 2022-06-01
 tags:
-    - attack.initial_access
-    - attack.credential_access
+    - attack.initial-access
+    - attack.credential-access
     - attack.t1110
     - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
index d0b1d6fb4fe..271bcdb9896 100644
--- a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
+++ b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
@@ -5,10 +5,10 @@ description: Alert on when legacy authentication has been used on an account
 references:
     - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
 author: Yochana Henderson, '@Yochana-H'
-date: 2022/06/17
+date: 2022-06-17
 tags:
-    - attack.initial_access
-    - attack.credential_access
+    - attack.initial-access
+    - attack.credential-access
     - attack.t1078.004
     - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
index d62152f5f85..009484b495f 100644
--- a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
+++ b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
@@ -5,10 +5,10 @@ description: Detect failed attempts to sign in to disabled accounts.
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/25
+date: 2021-10-10
+modified: 2022-12-25
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1078.004
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
index 975236d4525..189524079f5 100644
--- a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
+++ b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
@@ -5,10 +5,10 @@ description: User has indicated they haven't instigated the MFA prompt and could
 references:
     - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
 author: AlertIQ
-date: 2022/03/24
+date: 2022-03-24
 tags:
-    - attack.initial_access
-    - attack.credential_access
+    - attack.initial-access
+    - attack.credential-access
     - attack.t1078.004
     - attack.t1110
     - attack.t1621
diff --git a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
index ddd625324e1..a4edd40a054 100644
--- a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
+++ b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
@@ -5,11 +5,11 @@ description: Identifies user login with multifactor authentication failures, whi
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/18
+date: 2021-10-10
+modified: 2022-12-18
 tags:
-    - attack.initial_access
-    - attack.credential_access
+    - attack.initial-access
+    - attack.credential-access
     - attack.t1078.004
     - attack.t1110
     - attack.t1621
diff --git a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
index fe9f718b3ff..586aa6bbbab 100644
--- a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
+++ b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
@@ -5,10 +5,10 @@ description: Detects when there is a interruption in the authentication process.
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: Austin Songer @austinsonger
-date: 2021/11/26
-modified: 2022/12/18
+date: 2021-11-26
+modified: 2022-12-18
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1078
 logsource:
     product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
index 234607a0114..a2f503b2876 100644
--- a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
+++ b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
@@ -7,11 +7,11 @@ description: |
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 author: AlertIQ
-date: 2021/10/10
-modified: 2022/12/25
+date: 2021-10-10
+modified: 2022-12-25
 tags:
-    - attack.credential_access
-    - attack.initial_access
+    - attack.credential-access
+    - attack.initial-access
     - attack.t1110
     - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
index 33b337adf8d..88f9060785c 100644
--- a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
+++ b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
@@ -5,9 +5,9 @@ description: Detect when users in your Azure AD tenant are authenticating to oth
 references:
     - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 author: MikeDuddington, '@dudders1'
-date: 2022/06/30
+date: 2022-06-30
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1078.004
 logsource:
     product: azure
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml
index 8face071a5c..ab30043f2fa 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml
@@ -6,7 +6,7 @@ references:
     - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
     - https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
     - attack.collection
     - attack.t1213.003
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
index 8d6c3ed7658..2e920a4e307 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
@@ -6,10 +6,10 @@ references:
     - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
     - https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1098
 logsource:
     product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
index 1adf39cac70..6e8bda2c16c 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
@@ -6,9 +6,9 @@ references:
     - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
     - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
index 9562f501a28..39179f0e763 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
@@ -6,10 +6,10 @@ references:
     - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
     - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
-    - attack.lateral_movement
-    - attack.defense_evasion
+    - attack.lateral-movement
+    - attack.defense-evasion
     - attack.t1562.001
     - attack.t1021.004
 logsource:
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
index d974e932ce6..ce0a8b0aa98 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
@@ -5,9 +5,9 @@ description: Detects changes to the bitbucket audit log configuration.
 references:
     - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
index c5c9bc28c37..b1baeb37115 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
@@ -6,9 +6,9 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
index a0c1bca55f5..6019e448233 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
@@ -6,9 +6,9 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
index 2524ed63a41..5ef1c1901ed 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
@@ -6,9 +6,9 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
index 938e8ee634e..08ebde49a7c 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
@@ -5,9 +5,9 @@ description: Detects unauthorized access attempts to a resource.
 references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1586
 logsource:
 product: bitbucket
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
index b48f50abcc9..ebb2f462150 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
@@ -6,10 +6,10 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.collection
- - attack.resource_development
+ - attack.resource-development
 - attack.t1213.003
 - attack.t1586
 logsource:
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
index adeda03de9e..a0e96ebd384 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
@@ -6,7 +6,7 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.collection
 - attack.reconnaissance
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
index f2662be83d6..7eed1a8403e 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.defense_evasion
- - attack.credential_access
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
index 3a0016ff622..9e9a0cebde4 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
@@ -8,7 +8,7 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
 - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.t1021.004
 - attack.t1110
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
index a60e8d47744..221d4a24fc9 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
@@ -6,7 +6,7 @@ references:
 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/02/25
+date: 2024-02-25
 tags:
 - attack.reconnaissance
 - attack.t1213
diff --git a/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml b/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml
index 16887e301f0..1fc5764c2f9 100644
--- a/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml
+++ b/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml
@@ -8,11 +8,11 @@ references:
 - https://duo.com/docs/adminapi#logs
 - https://help.duo.com/s/article/6327?language=en_US
 author: Nikita Khalimonenkov
-date: 2024/04/17
+date: 2024-04-17
 tags:
- - attack.credential_access
- - attack.defense_evasion
- - attack.initial_access
+ - attack.credential-access
+ - attack.defense-evasion
+ - attack.initial-access
 logsource:
 product: cisco
 service: duo
diff --git a/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml b/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml
index 02359805cb0..68171169a64 100644
--- a/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml
@@ -9,10 +9,10 @@ references:
 - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
 - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
 author: Bryan Lim
-date: 2024/01/12
+date: 2024-01-12
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
index 6b68e791ea2..ce1f5b63e04 100644
--- a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
+++ b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://cloud.google.com/binary-authorization
 author: Bryan Lim
-date: 2024/01/12
+date: 2024-01-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1548
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml b/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml
index 35c71fe4c4c..77b916f3e62 100644
--- a/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml
+++ b/rules/cloud/gcp/audit/gcp_bucket_enumeration.yml
@@ -5,8 +5,8 @@ description: Detects when storage bucket is enumerated in Google Cloud.
 references:
 - https://cloud.google.com/storage/docs/json_api/v1/buckets
 author: Austin Songer @austinsonger
-date: 2021/08/14
-modified: 2022/10/09
+date: 2021-08-14
+modified: 2022-10-09
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml
index ac0ecb40d7b..7af5b627651 100644
--- a/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Detects when storage bucket is modified or deleted in Google Cloud.
 references:
 - https://cloud.google.com/storage/docs/json_api/v1/buckets
 author: Austin Songer @austinsonger
-date: 2021/08/14
-modified: 2022/10/09
+date: 2021-08-14
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml b/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml
index 99e162b554a..4c1c0729314 100644
--- a/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml
+++ b/rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml
@@ -5,8 +5,8 @@ description: Identifies when sensitive information is re-identified in google Cl
 references:
 - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
 author: Austin Songer @austinsonger
-date: 2021/08/15
-modified: 2022/10/09
+date: 2021-08-15
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1565
diff --git a/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml
index 324e4982683..6e7fcb91b8d 100644
--- a/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
 references:
 - https://cloud.google.com/dns/docs/reference/v1/managedZones
 author: Austin Songer @austinsonger
-date: 2021/08/15
-modified: 2022/10/09
+date: 2021-08-15
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml
index c9efa342b6a..67178b20f7e 100644
--- a/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml
@@ -6,10 +6,10 @@ references:
 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
 author: Austin Songer @austinsonger
-date: 2021/08/13
-modified: 2022/10/09
+date: 2021-08-13
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml b/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml
index ebd5bc62370..cce5f8a6adc 100644
--- a/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml
+++ b/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
 author: Austin Songer @austinsonger
-date: 2021/08/13
-modified: 2022/10/09
+date: 2021-08-13
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1074
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
index 7e8288d79ae..09434b208af 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
@@ -11,12 +11,12 @@ description: |
 references:
 - https://cloud.google.com/kubernetes-engine/docs
 author: Austin Songer @austinsonger
-date: 2021/11/25
-modified: 2022/12/18
+date: 2021-11-25
+modified: 2022-12-18
 tags:
 - attack.persistence
 - attack.t1078
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 - attack.t1552.007
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml b/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml
index 42f21598b65..c4a14af460a 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml
@@ -10,11 +10,11 @@ references:
 - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
 - https://kubernetes.io/docs/concepts/workloads/controllers/job/
 author: Austin Songer @austinsonger
-date: 2021/11/22
-modified: 2022/12/25
+date: 2021-11-22
+modified: 2022-12-25
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.execution
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml b/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml
index 384ce9060fe..688614980e4 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml
@@ -9,10 +9,10 @@ references:
 - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 author: Austin Songer @austinsonger
-date: 2021/08/09
-modified: 2022/10/09
+date: 2021-08-09
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: gcp
 service: gcp.audit
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml
index 2ca21ae8f47..7035f54b627 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml
@@ -5,10 +5,10 @@ description: Identifies when the Secrets are Modified or Deleted.
 references:
 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
 author: Austin Songer @austinsonger
-date: 2021/08/09
-modified: 2022/10/09
+date: 2021-08-09
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: gcp
 service: gcp.audit
diff --git a/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml b/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml
index 687c5f03264..93ad5ff44f2 100644
--- a/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a service account is disabled or deleted in Google
 references:
 - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
 author: Austin Songer @austinsonger
-date: 2021/08/14
-modified: 2022/10/09
+date: 2021-08-14
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/cloud/gcp/audit/gcp_service_account_modified.yml b/rules/cloud/gcp/audit/gcp_service_account_modified.yml
index 0962aef4068..ce71de60fbb 100644
--- a/rules/cloud/gcp/audit/gcp_service_account_modified.yml
+++ b/rules/cloud/gcp/audit/gcp_service_account_modified.yml
@@ -5,8 +5,8 @@ description: Identifies when a service account is modified in Google Cloud.
 references:
 - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
 author: Austin Songer @austinsonger
-date: 2021/08/14
-modified: 2022/10/09
+date: 2021-08-14
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml
index 725703e98e7..9b592112238 100644
--- a/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Detect when a Cloud SQL DB has been modified or deleted.
 references:
 - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
 author: Austin Songer @austinsonger
-date: 2021/10/15
-modified: 2022/12/25
+date: 2021-10-15
+modified: 2022-12-25
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml
index d22cd01f13b..042c3c699f8 100644
--- a/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml
@@ -5,8 +5,8 @@ description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
 references:
 - https://any-api.com/googleapis_com/compute/docs/vpnTunnels
 author: Austin Songer @austinsonger
-date: 2021/08/16
-modified: 2022/10/09
+date: 2021-08-16
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml
index 9632a4d0b53..2e1ee57f77a 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml
@@ -9,10 +9,10 @@ references:
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
 - https://support.google.com/a/answer/9261439
 author: Bryan Lim
-date: 2024/01/12
+date: 2024-01-12
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1098.003
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml
index bd00afe3dba..6728c7c9275 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml
@@ -7,8 +7,8 @@ references:
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
 author: Austin Songer
-date: 2021/08/26
-modified: 2023/10/11
+date: 2021-08-26
+modified: 2023-10-11
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
index 332ea09bfea..9bc68121ac2 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
 author: Austin Songer
-date: 2021/08/23
-modified: 2023/10/11
+date: 2021-08-23
+modified: 2023-10-11
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml
index 14b5c94b154..cbe0d68010e 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml
@@ -7,8 +7,8 @@ references:
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
 author: Austin Songer
-date: 2021/08/26
-modified: 2023/10/11
+date: 2021-08-26
+modified: 2023-10-11
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml
index dd6fee807f8..06806f4ba97 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
 author: Austin Songer
-date: 2021/08/24
-modified: 2023/10/11
+date: 2021-08-24
+modified: 2023-10-11
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml
index 6732d34b663..65d9bb869cb 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
 author: Austin Songer
-date: 2021/08/24
-modified: 2023/10/11
+date: 2021-08-24
+modified: 2023-10-11
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
index 321fa59ff97..ddb75111782 100644
--- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
+++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml
@@ -6,8 +6,8 @@ references:
 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
 author: Austin Songer
-date: 2021/08/23
-modified: 2023/10/11
+date: 2021-08-23
+modified: 2023-10-11
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml
index 15a7e5e9f3b..86ec50604ce 100644
--- a/rules/cloud/github/github_delete_action_invoked.yml
+++ b/rules/cloud/github/github_delete_action_invoked.yml
@@ -3,7 +3,7 @@ id: 16a71777-0b2e-4db7-9888-9d59cb75200b
 status: test
 description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/19
+date: 2023-01-19
 references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
 tags:
diff --git a/rules/cloud/github/github_disable_high_risk_configuration.yml b/rules/cloud/github/github_disable_high_risk_configuration.yml
index cc02a58540f..1e9081c2c68 100644
--- a/rules/cloud/github/github_disable_high_risk_configuration.yml
+++ b/rules/cloud/github/github_disable_high_risk_configuration.yml
@@ -8,11 +8,11 @@ references: - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise author: Muhammad Faisal (@faisalusuf) -date: 2023/01/29 -modified: 2024/07/22 +date: 2023-01-29 +modified: 2024-07-22 tags: - - attack.credential_access - - attack.defense_evasion + - attack.credential-access + - attack.defense-evasion - attack.persistence - attack.t1556 logsource: diff --git a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml index a6ab69436e5..c0e6f1dd29b 100644 --- a/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml +++ b/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml @@ -5,12 +5,12 @@ description: | Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories. author: Muhammad Faisal (@faisalusuf) -date: 2023/01/27 +date: 2023-01-27 references: - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization tags: - - attack.initial_access + - attack.initial-access - attack.t1195.001 logsource: product: github diff --git a/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml b/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml index e4872ce95e5..0f4e0ceec16 100644 
--- a/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
+++ b/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
@@ -6,7 +6,7 @@ description: |
 references:
 - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
 author: Romain Gaillard (@romain-gaillard)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.persistence
 - attack.t1020
diff --git a/rules/cloud/github/github_new_org_member.yml b/rules/cloud/github/github_new_org_member.yml
index ac17b72bd35..8a15a998ac9 100644
--- a/rules/cloud/github/github_new_org_member.yml
+++ b/rules/cloud/github/github_new_org_member.yml
@@ -3,7 +3,7 @@ id: 3908d64a-3c06-4091-b503-b3a94424533b
 status: test
 description: Detects when a new member is added or invited to a github organization.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/29
+date: 2023-01-29
 references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
 tags:
diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml
index f5741c62025..5658c6e9590 100644
--- a/rules/cloud/github/github_new_secret_created.yml
+++ b/rules/cloud/github/github_new_secret_created.yml
@@ -3,14 +3,14 @@ id: f9405037-bc97-4eb7-baba-167dad399b83
 status: test
 description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/20
+date: 2023-01-20
 references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: github
diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml
index 3fa79ec55b5..d9c35e5325a 100644
--- a/rules/cloud/github/github_outside_collaborator_detected.yml
+++ b/rules/cloud/github/github_outside_collaborator_detected.yml
@@ -4,7 +4,7 @@ status: test
 description: |
 Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/20
+date: 2023-01-20
 references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
diff --git a/rules/cloud/github/github_push_protection_bypass_detected.yml b/rules/cloud/github/github_push_protection_bypass_detected.yml
index 371e0b3307a..7e537f304b3 100644
--- a/rules/cloud/github/github_push_protection_bypass_detected.yml
+++ b/rules/cloud/github/github_push_protection_bypass_detected.yml
@@ -6,9 +6,9 @@ references:
 - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
 - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/03/07
+date: 2024-03-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: github
diff --git a/rules/cloud/github/github_push_protection_disabled.yml b/rules/cloud/github/github_push_protection_disabled.yml
index ed6cebfa4f9..dff55ef9118 100644
--- a/rules/cloud/github/github_push_protection_disabled.yml
+++ b/rules/cloud/github/github_push_protection_disabled.yml
@@ -6,9 +6,9 @@ references:
 - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
 - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/03/07
+date: 2024-03-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: github
diff --git a/rules/cloud/github/github_repo_or_org_transferred.yml b/rules/cloud/github/github_repo_or_org_transferred.yml
index ecbed9617c2..17bb54e727a 100644
--- a/rules/cloud/github/github_repo_or_org_transferred.yml
+++ b/rules/cloud/github/github_repo_or_org_transferred.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.github.com/en/migrations
 - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
 author: Romain Gaillard (@romain-gaillard)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.persistence
 - attack.t1020
diff --git a/rules/cloud/github/github_secret_scanning_feature_disabled.yml b/rules/cloud/github/github_secret_scanning_feature_disabled.yml
index ce8821fead9..a0a258a0dec 100644
--- a/rules/cloud/github/github_secret_scanning_feature_disabled.yml
+++ b/rules/cloud/github/github_secret_scanning_feature_disabled.yml
@@ -5,10 +5,10 @@ description: Detects if the secret scanning feature is disabled for an enterpris
 references:
 - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
 author: Muhammad Faisal (@faisalusuf)
-date: 2024/03/07
-modified: 2024/07/19
+date: 2024-03-07
+modified: 2024-07-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: github
diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
index 1c5088f655a..581325863af 100644
--- a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
+++ b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml
@@ -6,7 +6,7 @@ description: |
 This rule detects changes to self-hosted runners configurations in the environment.
 The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
 author: Muhammad Faisal (@faisalusuf)
-date: 2023/01/27
+date: 2023-01-27
 references:
 - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
@@ -14,10 +14,10 @@ tags:
 - attack.impact
 - attack.discovery
 - attack.collection
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.t1526
 - attack.t1213.003
 - attack.t1078.004
diff --git a/rules/cloud/github/github_ssh_certificate_config_changed.yml b/rules/cloud/github/github_ssh_certificate_config_changed.yml
index 6f53bba27cb..4cd9733ad57 100644
--- a/rules/cloud/github/github_ssh_certificate_config_changed.yml
+++ b/rules/cloud/github/github_ssh_certificate_config_changed.yml
@@ -6,10 +6,10 @@ references:
 - https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
 - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
 author: Romain Gaillard (@romain-gaillard)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078.004
 logsource:
 product: github
diff --git a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
index f2c9c39d29e..e5212e691c7 100644
--- a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
+++ b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
@@ -5,7 +5,7 @@ description: Detects disabling of Multi Factor Authentication.
 references:
 - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
 author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
-date: 2023/09/18
+date: 2023-09-18
 tags:
 - attack.persistence
 - attack.t1556
diff --git a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
index 15a46cb76df..957b04d3b5d 100644
--- a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
+++ b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
@@ -9,7 +9,7 @@ references:
 - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
 - https://o365blog.com/post/aadbackdoor/
 author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
-date: 2023/09/18
+date: 2023-09-18
 tags:
 - attack.persistence
 - attack.t1136.003
diff --git a/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml b/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml
index 12563859a1f..07400d11a6e 100644
--- a/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml
+++ b/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml
@@ -12,7 +12,7 @@ references:
 - https://www.sygnia.co/golden-saml-advisory
 - https://o365blog.com/post/aadbackdoor/
 author: Splunk Threat Research Team (original rule), '@ionsor (rule)'
-date: 2022/02/08
+date: 2022-02-08
 tags:
 - attack.persistence
 - attack.t1136.003
diff --git a/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml b/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml
index f9a91c0a6ad..4f75437643e 100644
--- a/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml
+++ b/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml
@@ -8,10 +8,10 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1573
 logsource:
 service: threat_detection
diff --git a/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml
index af6c28ab0e3..93b8e534dbf 100644
--- a/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml
@@ -8,8 +8,8 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml
index 5cbd3069e65..fee3b5f67f2 100644
--- a/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1573
 logsource:
 service: threat_management
diff --git a/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml
index 5a624c4236f..2019496b612 100644
--- a/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1573
 logsource:
 service: threat_management
diff --git a/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml
index ea287786921..2c39b190ae1 100644
--- a/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 - attack.t1537
diff --git a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
index 53b51031aa3..196109e677d 100644
--- a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2020/07/06
-modified: 2021/11/27
+date: 2020-07-06
+modified: 2021-11-27
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 service: threat_management
diff --git a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
index a875b60a924..776e8140b8c 100644
--- a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 service: threat_management
diff --git a/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml
index 822e7ccca56..7f7eedff190 100644
--- a/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: austinsonger
-date: 2021/08/19
-modified: 2022/10/09
+date: 2021-08-19
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml b/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml
index 0e05c502b3e..97c469db042 100644
--- a/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml
@@ -8,8 +8,8 @@ description: Alert on when a user has performed an eDiscovery search or exported
 references:
 - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
 author: Sorina Ionescu
-date: 2022/02/08
-modified: 2022/11/17
+date: 2022-02-08
+modified: 2022-11-17
 tags:
 - attack.collection
 - attack.t1114
diff --git a/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml b/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
index 71405590f66..9b91ef0c331 100644
--- a/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
@@ -8,7 +8,7 @@ description: Alert when a user has performed an export to a search using 'New-Co
 references:
 - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
 author: Nikita Khalimonenkov
-date: 2022/11/17
+date: 2022-11-17
 tags:
 - attack.collection
 - attack.t1114
diff --git a/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml b/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml
index 135ab543275..836f1862e25 100644
--- a/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/22
-modified: 2022/10/09
+date: 2021-08-22
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 - attack.t1020
diff --git a/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml b/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml
index a5e1d9fca79..65ac5bccb31 100644
--- a/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: Austin Songer @austinsonger
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml
index 49f97ef05a6..2eb3cc9d991 100644
--- a/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: austinsonger
-date: 2021/08/19
-modified: 2022/10/09
+date: 2021-08-19
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml
index 7620ba619ec..bdb895930cf 100644
--- a/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 author: austinsonger
-date: 2021/08/19
-modified: 2022/10/09
+date: 2021-08-19
+modified: 2022-10-09
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1199
 logsource:
 service: threat_management
diff --git a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml
index dd6a9957a21..7b9cadb89f7 100644
--- a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml
+++ b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml
@@ -7,9 +7,9 @@ references:
 - https://dataconomy.com/2023/10/23/okta-data-breach/
 - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
 author: Muhammad Faisal @faisalusuf
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 service: okta
 product: okta
diff --git a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
index 5a03726691b..4a2e0abf3a4 100644
--- a/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
+++ b/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1098.003
diff --git a/rules/cloud/okta/okta_admin_role_assignment_created.yml b/rules/cloud/okta/okta_admin_role_assignment_created.yml
index e16a60c69f6..615706388bf 100644
--- a/rules/cloud/okta/okta_admin_role_assignment_created.yml
+++ b/rules/cloud/okta/okta_admin_role_assignment_created.yml
@@ -6,7 +6,7 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Nikita Khalimonenkov
-date: 2023/01/19
+date: 2023-01-19
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/cloud/okta/okta_api_token_created.yml b/rules/cloud/okta/okta_api_token_created.yml
index b2e259f85a9..4545592dbf3 100644
--- a/rules/cloud/okta/okta_api_token_created.yml
+++ b/rules/cloud/okta/okta_api_token_created.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/cloud/okta/okta_api_token_revoked.yml b/rules/cloud/okta/okta_api_token_revoked.yml
index e57121bfaec..404b072bcd4 100644
--- a/rules/cloud/okta/okta_api_token_revoked.yml
+++ b/rules/cloud/okta/okta_api_token_revoked.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_application_modified_or_deleted.yml b/rules/cloud/okta/okta_application_modified_or_deleted.yml
index 800cb86988b..21e31cb6313 100644
--- a/rules/cloud/okta/okta_application_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
index 8d77d6eb59b..7c7d86ee991 100644
--- a/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_fastpass_phishing_detection.yml b/rules/cloud/okta/okta_fastpass_phishing_detection.yml
index 1928185e8eb..baabd6db43b 100644
--- a/rules/cloud/okta/okta_fastpass_phishing_detection.yml
+++ b/rules/cloud/okta/okta_fastpass_phishing_detection.yml
@@ -7,9 +7,9 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2023/05/07
+date: 2023-05-07
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566
 logsource:
 product: okta
diff --git a/rules/cloud/okta/okta_identity_provider_created.yml b/rules/cloud/okta/okta_identity_provider_created.yml
index 03bb1d9257e..9cdb42b5df3 100644
--- a/rules/cloud/okta/okta_identity_provider_created.yml
+++ b/rules/cloud/okta/okta_identity_provider_created.yml
@@ -6,7 +6,7 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 author: kelnage
-date: 2023/09/07
+date: 2023-09-07
 tags:
 - attack.persistence
 - attack.t1098.001
diff --git a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
index 2ffd5a7cf57..ebb382786ad 100644
--- a/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
+++ b/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml
@@ -6,12 +6,12 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/21
-modified: 2022/10/09
+date: 2021-09-21
+modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.credential_access
- - attack.defense_evasion
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.t1556.006
 logsource:
 product: okta
diff --git a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
index 5e348ee53b6..bc3ef31cf11 100644
--- a/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
+++ b/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_new_behaviours_admin_console.yml b/rules/cloud/okta/okta_new_behaviours_admin_console.yml
index ae5728da746..f84a4e1756f 100644
--- a/rules/cloud/okta/okta_new_behaviours_admin_console.yml
+++ b/rules/cloud/okta/okta_new_behaviours_admin_console.yml
@@ -6,10 +6,10 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 author: kelnage
-date: 2023/09/07
-modified: 2024/06/26
+date: 2023-09-07
+modified: 2024-06-26
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078.004
 logsource:
 product: okta
diff --git a/rules/cloud/okta/okta_password_in_alternateid_field.yml b/rules/cloud/okta/okta_password_in_alternateid_field.yml
index 6328e5e3ea4..30daec17d92 100644
--- a/rules/cloud/okta/okta_password_in_alternateid_field.yml
+++ b/rules/cloud/okta/okta_password_in_alternateid_field.yml
@@ -9,10 +9,10 @@ references:
 - https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data
 - https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm
 author: kelnage
-date: 2023/04/03
-modified: 2023/10/25
+date: 2023-04-03
+modified: 2023-10-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552
 logsource:
 product: okta
diff --git a/rules/cloud/okta/okta_policy_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
index 547fcadcd6a..536b76f3251 100644
--- a/rules/cloud/okta/okta_policy_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_policy_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
index 958e131d33d..76e02fd5682 100644
--- a/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
+++ b/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml
index c060324cadf..cae93bca42e 100644
--- a/rules/cloud/okta/okta_security_threat_detected.yml
+++ b/rules/cloud/okta/okta_security_threat_detected.yml
@@ -7,10 +7,10 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: okta
 service: okta
diff --git a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml
index 75e09e6a91b..a0f40fa35cc 100644
--- a/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml
+++ b/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml
@@ -6,9 +6,9 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md
 author: kelnage
-date: 2023/09/07
+date: 2023-09-07
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1586.003
 logsource:
 product: okta
diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
index 0206a7b963a..07d397a67cd 100644
--- a/rules/cloud/okta/okta_unauthorized_access_to_app.yml
+++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/okta/okta_user_account_locked_out.yml b/rules/cloud/okta/okta_user_account_locked_out.yml
index 6a55d16e373..0c5949c2ae9 100644
--- a/rules/cloud/okta/okta_user_account_locked_out.yml
+++ b/rules/cloud/okta/okta_user_account_locked_out.yml
@@ -6,8 +6,8 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://developer.okta.com/docs/reference/api/event-types/
 author: Austin Songer @austinsonger
-date: 2021/09/12
-modified: 2022/10/09
+date: 2021-09-12
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/cloud/okta/okta_user_created.yml b/rules/cloud/okta/okta_user_created.yml
index 7f29524c2f2..43a0a2b18bf 100644
--- a/rules/cloud/okta/okta_user_created.yml
+++ b/rules/cloud/okta/okta_user_created.yml
@@ -3,11 +3,11 @@ id: b6c718dd-8f53-4b9f-98d8-93fdca966969
 status: experimental
 description: Detects new user account creation
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 references:
 - https://developer.okta.com/docs/reference/api/event-types/
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 service: okta
 product: okta
diff --git a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml
index 37cb9e1045f..30bd4efb98d 100644
--- a/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml
+++ b/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml
@@ -6,9 +6,9 @@ references:
 - https://developer.okta.com/docs/reference/api/system-log/
 - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
 author: kelnage
-date: 2023/09/07
+date: 2023-09-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.006
 logsource:
 product: okta
diff --git a/rules/cloud/onelogin/onelogin_assumed_another_user.yml b/rules/cloud/onelogin/onelogin_assumed_another_user.yml
index 642afaaac0a..a9d86ad2470 100644
--- a/rules/cloud/onelogin/onelogin_assumed_another_user.yml
+++ b/rules/cloud/onelogin/onelogin_assumed_another_user.yml
@@ -5,8 +5,8 @@ description: Detects when an user assumed another user account.
 references:
 - https://developers.onelogin.com/api-docs/1/events/event-resource
 author: Austin Songer @austinsonger
-date: 2021/10/12
-modified: 2022/12/25
+date: 2021-10-12
+modified: 2022-12-25
 tags:
 - attack.impact
 logsource:
diff --git a/rules/cloud/onelogin/onelogin_user_account_locked.yml b/rules/cloud/onelogin/onelogin_user_account_locked.yml
index 5ee7ed79755..90139c2f214 100644
--- a/rules/cloud/onelogin/onelogin_user_account_locked.yml
+++ b/rules/cloud/onelogin/onelogin_user_account_locked.yml
@@ -5,8 +5,8 @@ description: Detects when an user account is locked or suspended.
 references:
 - https://developers.onelogin.com/api-docs/1/events/event-resource/
 author: Austin Songer @austinsonger
-date: 2021/10/12
-modified: 2022/12/25
+date: 2021-10-12
+modified: 2022-12-25
 tags:
 - attack.impact
 logsource:
diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml
index f17099bb5ae..f4fdad7254b 100644
--- a/rules/compliance/default_credentials_usage.yml
+++ b/rules/compliance/default_credentials_usage.yml
@@ -10,9 +10,9 @@ references:
 - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
 author: Alexandr Yampolskyi, SOC Prime
-date: 2019/03/26
+date: 2019-03-26
 tags:
- - attack.initial_access
+ - attack.initial-access
 # - CSC4
 # - CSC4.2
 # - NIST CSF 1.1 PR.AC-4
diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml
index 4db3823ddc0..1677b7eccab 100644
--- a/rules/compliance/host_without_firewall.yml
+++ b/rules/compliance/host_without_firewall.yml
@@ -7,8 +7,8 @@ references:
 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 author: Alexandr Yampolskyi, SOC Prime
-date: 2019/03/19
-modified: 2022/10/05
+date: 2019-03-19
+modified: 2022-10-05
 # tags:
 # - CSC9
 # - CSC9.4
diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules/compliance/netflow_cleartext_protocols.yml
index cbcda8ea153..eb72f0f058c 100644
--- a/rules/compliance/netflow_cleartext_protocols.yml
+++ b/rules/compliance/netflow_cleartext_protocols.yml
@@ -10,10 +10,10 @@ references:
 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 author: Alexandr Yampolskyi, SOC Prime
-date: 2019/03/26
-modified: 2022/11/18
+date: 2019-03-26
+modified: 2022-11-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 # - CSC4
 # - CSC4.5
 # - CSC14
diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml
index 50f45bc6e11..0151e8182ed 100644
--- a/rules/linux/auditd/lnx_auditd_audio_capture.yml
+++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml
@@ -6,8 +6,8 @@ references:
 - https://linux.die.net/man/1/arecord
 - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
 author: 'Pawel Mazur'
-date: 2021/09/04
-modified: 2022/10/09
+date: 2021-09-04
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1123
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
index 8b6e756b387..05f4975db74 100644
--- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/Neo23x0/auditd/blob/master/audit.rules
 - Self Experience
 author: Mikhail Larin, oscd.community
-date: 2019/10/25
-modified: 2021/11/27
+date: 2019-10-25
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/lnx_auditd_binary_padding.yml
index 968099af1da..a625c742319 100644
--- a/rules/linux/auditd/lnx_auditd_binary_padding.yml
+++ b/rules/linux/auditd/lnx_auditd_binary_padding.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
 author: Igor Fits, oscd.community
-date: 2020/10/13
-modified: 2023/05/03
+date: 2020-10-13
+modified: 2023-05-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
index 87da3bbb5ef..8b2d48a6112 100644
--- a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
+++ b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
@@ -6,7 +6,7 @@ references:
 - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
 - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
 author: Rafal Piasecki
-date: 2022/08/10
+date: 2022-08-10
 tags:
 - attack.execution
 - attack.t1106
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
index 4ea35cbb860..20d3adf0b83 100644
--- a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
+++ b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
@@ -8,9 +8,9 @@ references:
 - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
 - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
 author: Rafal Piasecki
-date: 2022/08/10
+date: 2022-08-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
index 0efda4f22ba..1102264f1d9 100644
--- a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
@@ -8,11 +8,11 @@ references:
 - https://mn3m.info/posts/suid-vs-capabilities/
 - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
 author: 'Pawel Mazur'
-date: 2021/11/28
-modified: 2022/12/25
+date: 2021-11-28
+modified: 2022-12-25
 tags:
 - attack.collection
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1123
 - attack.t1548
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
index b86345eac68..48fdc5bd09c 100644
--- a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
+++ b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml
@@ -5,10 +5,10 @@ description: Detect file time attribute change to hide new or changes to existin
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-modified: 2022/11/28
+date: 2020-10-15
+modified: 2022-11-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml b/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
index 50d720de36b..5121bf17c38 100644
--- a/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
+++ b/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml
@@ -5,10 +5,10 @@ description: Detects removing immutable file attribute.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
 author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
-modified: 2022/11/26
+date: 2019-09-23
+modified: 2022-11-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
index d7f6633ff3b..5a9df631442 100644
--- a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
+++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
@@ -9,8 +9,8 @@ references:
 - https://linux.die.net/man/1/xclip
 - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
 author: 'Pawel Mazur'
-date: 2021/09/24
-modified: 2022/11/26
+date: 2021-09-24
+modified: 2022-11-26
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
index 0064fb44335..006ea96d06e 100644
--- a/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
+++ b/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://linux.die.net/man/1/xclip
 author: 'Pawel Mazur'
-date: 2021/10/01
-modified: 2022/10/09
+date: 2021-10-01
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/linux/auditd/lnx_auditd_coinminer.yml b/rules/linux/auditd/lnx_auditd_coinminer.yml
index fd45113d6b7..f1b8ee148f2 100644
--- a/rules/linux/auditd/lnx_auditd_coinminer.yml
+++ b/rules/linux/auditd/lnx_auditd_coinminer.yml
@@ -5,10 +5,10 @@ description: Detects command line parameter very often used with coin miners
 references:
 - https://xmrig.com/docs/miner/command-line-options
 author: Florian Roth (Nextron Systems)
-date: 2021/10/09
-modified: 2022/12/25
+date: 2021-10-09
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 71a21f5b26d..6ada819f2c5 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -7,8 +7,8 @@ references:
 - https://access.redhat.com/articles/4409591#audit-record-types-2
 - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
 author: Marie Euler, Pawel Mazur
-date: 2020/05/18
-modified: 2022/12/20
+date: 2020-05-18
+modified: 2022-12-20
 tags:
 - attack.t1136.001
 - attack.persistence
diff --git a/rules/linux/auditd/lnx_auditd_data_compressed.yml b/rules/linux/auditd/lnx_auditd_data_compressed.yml
index 480b03092ff..1a54bfcf4c2 100644
--- a/rules/linux/auditd/lnx_auditd_data_compressed.yml
+++ b/rules/linux/auditd/lnx_auditd_data_compressed.yml
@@ -5,8 +5,8 @@ description: An adversary may compress data (e.g., sensitive documents) that is
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/07/28
+date: 2019-10-21
+modified: 2023-07-28
 tags:
 - attack.exfiltration
 - attack.t1560.001
diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
index 1beb9d63caa..314f2ed7391 100644
--- a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
+++ b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml
@@ -8,8 +8,8 @@ references:
 - https://linux.die.net/man/1/wget
 - https://gtfobins.github.io/gtfobins/wget/
 author: 'Pawel Mazur'
-date: 2021/11/18
-modified: 2022/12/25
+date: 2021-11-18
+modified: 2022-12-25
 tags:
 - attack.exfiltration
 - attack.t1048.003
diff --git a/rules/linux/auditd/lnx_auditd_dd_delete_file.yml b/rules/linux/auditd/lnx_auditd_dd_delete_file.yml
index 3cb8f77c61f..6fa3ffb31e7 100644
--- a/rules/linux/auditd/lnx_auditd_dd_delete_file.yml
+++ b/rules/linux/auditd/lnx_auditd_dd_delete_file.yml
@@ -5,7 +5,7 @@ description: Detects overwriting (effectively wiping/deleting) of a file.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 author: Jakob Weinzettl, oscd.community
-date: 2019/10/23
+date: 2019-10-23
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
index f25bf12f5f7..85f985e3045 100644
--- a/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
+++ b/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
 - https://firewalld.org/documentation/man-pages/firewall-cmd.html
 author: 'Pawel Mazur'
-date: 2022/01/22
+date: 2022-01-22
 tags:
 - attack.t1562.004
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml b/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
index 9ba7d2e7346..b6a6f107c17 100644
--- a/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
+++ b/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml
@@ -5,10 +5,10 @@ description: Detects file and folder permission changes.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
 author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
-modified: 2021/11/27
+date: 2019-09-23
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
index 67ac87b8d13..4838d797d7a 100644
--- a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
+++ b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml
@@ -5,10 +5,10 @@ description: 'Detecting attempts to extract passwords with grep'
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-modified: 2023/04/30
+date: 2020-10-15
+modified: 2023-04-30
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
index ea5f53b8d00..d0ae6033ece 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
@@ -8,9 +8,9 @@ description: Detects calls to hidden files or files located in hidden directorie
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
 author: David Burkett, @signalblur
-date: 2022/12/30
+date: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
index b7fa135205b..afd7da3fc1d 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml
@@ -5,10 +5,10 @@ description: Detects adversary creating hidden file or directory, by detecting d
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
 author: 'Pawel Mazur'
-date: 2021/09/06
-modified: 2022/10/09
+date: 2021-09-06
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
index 584fbe36389..54699ee356b 100644
--- a/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml
@@ -5,10 +5,10 @@ description: Detects appending of zip file to image
 references:
 - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
 author: 'Pawel Mazur'
-date: 2021/09/09
-modified: 2022/10/09
+date: 2021-09-09
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
index fdf65128103..0e74a32ccf8 100644
--- a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
+++ b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml
@@ -8,10 +8,10 @@ references:
 - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
 - https://access.redhat.com/articles/4409591#audit-record-types-2
 author: 'Pawel Mazur'
-date: 2021/05/24
-modified: 2022/12/18
+date: 2021-05-24
+modified: 2022-12-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 - attack.t1056.001
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
index 742164d4909..63b46b9de6b 100644
--- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md
 - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
index 108f57e50d8..1aa091c82ff 100644
--- a/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
+++ b/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
@@ -10,11 +10,11 @@ references:
 - https://linux.die.net/man/8/insmod
 - https://man7.org/linux/man-pages/man8/kmod.8.html
 author: 'Pawel Mazur'
-date: 2021/11/02
-modified: 2022/12/25
+date: 2021-11-02
+modified: 2022-12-25
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1547.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
index db00c3f2221..92ff9509c84 100644
--- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -5,10 +5,10 @@ description: Detect changes of syslog daemons configuration files
 references:
 - self experience
 author: Mikhail Larin, oscd.community
-date: 2019/10/25
-modified: 2021/11/27
+date: 2019-10-25
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index 253fa5aa571..2f3378f77df 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/08/22
+date: 2019-10-21
+modified: 2023-08-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
index 3a042511c1d..5c8561fe79d 100644
--- a/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
+++ b/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
@@ -11,10 +11,10 @@ references:
 - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
 - https://blog.aquasec.com/container-security-tnt-container-attack
 author: IAI
-date: 2023/03/06
+date: 2023-03-06
 tags:
 - attack.t1562.004
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml
index 9606fc5ae44..498333b0a10 100644
--- a/rules/linux/auditd/lnx_auditd_network_service_scanning.yml
+++ b/rules/linux/auditd/lnx_auditd_network_service_scanning.yml
@@ -8,8 +8,8 @@ description: Detects enumeration of local or remote network services.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
-modified: 2023/09/26
+date: 2020-10-21
+modified: 2023-09-26
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/linux/auditd/lnx_auditd_network_sniffing.yml b/rules/linux/auditd/lnx_auditd_network_sniffing.yml
index f0b51e62987..0a41e4b26e7 100644
--- a/rules/linux/auditd/lnx_auditd_network_sniffing.yml
+++ b/rules/linux/auditd/lnx_auditd_network_sniffing.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2022/12/18
+date: 2019-10-21
+modified: 2022-12-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1040
 logsource:
diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
index c899ed623ba..9c1282641a2 100644
--- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
@@ -9,11 +9,11 @@ references:
 - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
 - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/09/17
-modified: 2022/11/26
+date: 2021-09-17
+modified: 2022-11-26
 tags:
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.execution
 - attack.t1068
 - attack.t1190
diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
index a167a859dc8..1b99271476e 100644
--- a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml
@@ -8,8 +8,8 @@ references:
 - https://man7.org/linux/man-pages/man1/passwd.1.html
 - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
 author: Ömer Günal, oscd.community, Pawel Mazur
-date: 2020/10/08
-modified: 2022/12/18
+date: 2020-10-08
+modified: 2022-12-18
 tags:
 - attack.discovery
 - attack.t1201
diff --git a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml
index 1dbbda8d870..4542567b73f 100644
--- a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml
+++ b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml
@@ -5,8 +5,8 @@ description: Detects a reload or a start of a service.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
 author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
-modified: 2021/11/27
+date: 2019-09-23
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1543.002
diff --git a/rules/linux/auditd/lnx_auditd_screencapture_import.yml b/rules/linux/auditd/lnx_auditd_screencapture_import.yml
index 083ec68bbf0..2192ebadc58 100644
--- a/rules/linux/auditd/lnx_auditd_screencapture_import.yml
+++ b/rules/linux/auditd/lnx_auditd_screencapture_import.yml
@@ -10,8 +10,8 @@ references:
 - https://linux.die.net/man/1/import
 - https://imagemagick.org/
 author: 'Pawel Mazur'
-date: 2021/09/21
-modified: 2022/10/09
+date: 2021-09-21
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
index 86ecd900b4f..409f8b1ea5b 100644
--- a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
+++ b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
 - https://linux.die.net/man/1/xwd
 author: 'Pawel Mazur'
-date: 2021/09/13
-modified: 2022/12/18
+date: 2021-09-13
+modified: 2022-12-18
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
index 0878a35b3f1..96c850cde1b 100644
--- a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
+++ b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml
@@ -5,8 +5,8 @@ description: 'Detection use of the command "split" to split files into parts and
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-modified: 2022/11/28
+date: 2020-10-15
+modified: 2022-11-28
 tags:
 - attack.exfiltration
 - attack.t1030
diff --git a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
index 6408e58e783..ff5ed5d240d 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml
@@ -5,10 +5,10 @@ description: Detects embedding of files with usage of steghide binary, the adver
 references:
 - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
 author: 'Pawel Mazur'
-date: 2021/09/11
-modified: 2022/10/09
+date: 2021-09-11
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
index 269f1c388dd..e9d6cf6d2f2 100644
--- a/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml
@@ -5,10 +5,10 @@ description: Detects extraction of files with usage of steghide binary, the adve
 references:
 - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
 author: 'Pawel Mazur'
-date: 2021/09/11
-modified: 2022/10/09
+date: 2021-09-11
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
index 47b0228101d..62161920caf 100644
--- a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/Neo23x0/auditd
 author: Marie Euler
-date: 2020/05/18
-modified: 2021/11/27
+date: 2020-05-18
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index 2845a12e1b3..1791136a65a 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -5,8 +5,8 @@ description: Detects relevant commands often related to malware or hacking activ
 references:
 - Internal Research - mostly derived from exploit code including code in MSF
 author: Florian Roth (Nextron Systems)
-date: 2017/12/12
-modified: 2022/10/05
+date: 2017-12-12
+modified: 2022-10-05
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 86b4ea4f8a2..cf0bdf53dcb 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -5,12 +5,12 @@ description: Detects program executions in suspicious non-program folders relate
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2018/01/23
-modified: 2021/11/27
+date: 2018-01-23
+modified: 2021-11-27
 tags:
 - attack.t1587
 - attack.t1584
- - attack.resource_development
+ - attack.resource-development
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
index 63c13cebcd5..79eecb0421f 100644
--- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml
@@ -5,10 +5,10 @@ description: 'Detects commandline operations on shell history files'
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 author: 'Mikhail Larin, oscd.community'
-date: 2020/10/17
-modified: 2022/11/28
+date: 2020-10-17
+modified: 2022-11-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
index 40eb3f94a0d..24a2ee31f5b 100644
--- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
@@ -5,8 +5,8 @@ description: Detects System Information Discovery commands
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
 author: Pawel Mazur
-date: 2021/09/03
-modified: 2023/03/06
+date: 2021-09-03
+modified: 2023-03-06
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml
index 637b70e2c21..09289371e7e 100644
--- a/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml
+++ b/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml
@@ -8,8 +8,8 @@ description: Detects system information discovery commands
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware
 author: Ömer Günal, oscd.community
-date: 2020/10/08
-modified: 2022/11/26
+date: 2020-10-08
+modified: 2022-11-26
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
index 8910fea3922..e5770d53dff 100644
--- a/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
+++ b/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml
@@ -5,8 +5,8 @@ description: Adversaries may shutdown/reboot systems to interrupt access to, or
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
-modified: 2022/11/26
+date: 2020-10-15
+modified: 2022-11-26
 tags:
 - attack.impact
 - attack.t1529
diff --git a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
index e856859f392..528056f660b 100644
--- a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
+++ b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml
@@ -5,8 +5,8 @@ description: Detects a creation of systemd services which could be used by adver
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
 author: 'Pawel Mazur'
-date: 2022/02/03
-modified: 2022/02/06
+date: 2022-02-03
+modified: 2022-02-06
 tags:
 - attack.persistence
 - attack.t1543.002
diff --git a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
index 125006950c0..541b7fce57b 100644
--- a/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
+++ b/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml
@@ -2,7 +2,7 @@ title: Unix Shell Configuration Modification
 id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d
 related:
 - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
- type: obsoletes
+ type: obsolete
 status: test
 description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
 references:
@@ -10,8 +10,8 @@ references:
 - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
 - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
 author: Peter Matkovski, IAI
-date: 2023/03/06
-modified: 2023/03/15
+date: 2023-03-06
+modified: 2023-03-15
 tags:
 - attack.persistence
 - attack.t1546.004
diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
index 6509ff29d77..2f053b55adb 100644
--- a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml
@@ -5,10 +5,10 @@ description: Detects extracting of zip file from image file
 references:
 - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
 author: 'Pawel Mazur'
-date: 2021/09/09
-modified: 2022/10/09
+date: 2021-09-09
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
index 2468ebdf083..0bfbbf39799 100644
--- a/rules/linux/auditd/lnx_auditd_user_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -5,8 +5,8 @@ description: Adversaries may use the information from System Owner/User Discover
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2021/11/27
+date: 2019-10-21
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml
index 047a72c2040..e81fdc90f9c 100644
--- a/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -5,8 +5,8 @@ description: Detects possible command execution by web application/web shell
 references:
 - Personal Experience of the Author
 author: Ilyas Ochkov, Beyu Denis, oscd.community
-date: 2019/10/12
-modified: 2022/12/25
+date: 2019-10-12
+modified: 2022-12-25
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
index 27829b53931..7e671643998 100644
--- a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
+++ b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
@@ -5,10 +5,10 @@ description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
 references:
 - https://twitter.com/wdormann/status/1486161836961579020
 author: Sreeman
-date: 2022/01/26
-modified: 2023/01/23
+date: 2022-01-26
+modified: 2023-01-23
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548.001
 logsource:
 product: linux
diff --git a/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml b/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
index 43da1ba42ce..7f35fd59897 100644
--- a/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
+++ b/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml
@@ -5,9 +5,9 @@ description: Detects relevant ClamAV messages
 references:
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2017/03/01
+date: 2017-03-01
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.001
 logsource:
 product: linux
diff --git a/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml b/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
index fc07550d22e..480ae81f646 100644
--- a/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
+++ b/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml
@@ -5,7 +5,7 @@ description: Detects suspicious modification of crontab file.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
 author: Pawel Mazur
-date: 2022/04/16
+date: 2022-04-16
 tags:
 - attack.persistence
 - attack.t1053.003
diff --git a/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml b/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
index 616740cba0e..c16c3615776 100644
--- a/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
+++ b/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml
@@ -5,10 +5,10 @@ description: Detects suspicious session with two users present
 references:
 - https://research.checkpoint.com/2020/apache-guacamole-rce/
 author: Florian Roth (Nextron Systems)
-date: 2020/07/03
-modified: 2021/11/27
+date: 2020-07-03
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1212
 logsource:
 product: linux
diff --git a/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
index 3022534da16..e922a0dfc94 100755
--- a/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
+++ b/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml
@@ -5,8 +5,8 @@ description: Detects suspicious shell commands used in various Equation Group sc
 references:
 - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
 author: Florian Roth (Nextron Systems)
-date: 2017/04/09
-modified: 2021/11/27
+date: 2017-04-09
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.g0020
diff --git a/rules/linux/builtin/lnx_buffer_overflows.yml b/rules/linux/builtin/lnx_buffer_overflows.yml
index 17bb8612fd5..32d428ffa1d 100644
--- a/rules/linux/builtin/lnx_buffer_overflows.yml
+++ b/rules/linux/builtin/lnx_buffer_overflows.yml
@@ -5,10 +5,10 @@ description: Detects buffer overflow attempts in Unix system log files
 references:
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2017/03/01
+date: 2017-03-01
 tags:
 - attack.t1068
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: linux
 detection:
diff --git a/rules/linux/builtin/lnx_clear_syslog.yml b/rules/linux/builtin/lnx_clear_syslog.yml
index af04269f549..079fdfc8e5d 100644
--- a/rules/linux/builtin/lnx_clear_syslog.yml
+++ b/rules/linux/builtin/lnx_clear_syslog.yml
@@ -5,8 +5,8 @@ description: Detects specific commands commonly used to remove or empty the sysl
 references:
 - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
 author: Max Altgelt (Nextron Systems)
-date: 2021/09/10
-modified: 2022/11/26
+date: 2021-09-10
+modified: 2022-11-26
 tags:
 - attack.impact
 - attack.t1565.001
diff --git a/rules/linux/builtin/lnx_file_copy.yml b/rules/linux/builtin/lnx_file_copy.yml
index 1bb1facc868..223fcda0ff2 100644
--- a/rules/linux/builtin/lnx_file_copy.yml
+++ b/rules/linux/builtin/lnx_file_copy.yml
@@ -5,10 +5,10 @@ description: Detects the use of tools that copy files from or to remote systems
 references:
 - https://attack.mitre.org/techniques/T1105/
 author: Ömer Günal
-date: 2020/06/18
+date: 2020-06-18
 tags:
- - attack.command_and_control
- - attack.lateral_movement
+ - attack.command-and-control
+ - attack.lateral-movement
 - attack.t1105
 logsource:
 product: linux
diff --git a/rules/linux/builtin/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
index fe3b96902d9..6f3bddb5380 100644
--- a/rules/linux/builtin/lnx_ldso_preload_injection.yml
+++ b/rules/linux/builtin/lnx_ldso_preload_injection.yml
@@ -5,11 +5,11 @@ description: Detects the ld.so preload persistence file. See `man ld.so` for mor
 references:
 - https://man7.org/linux/man-pages/man8/ld.so.8.html
 author: Christian Burkard (Nextron Systems)
-date: 2021/05/05
-modified: 2022/10/09
+date: 2021-05-05
+modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.006
 logsource:
 product: linux
diff --git a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
index 91ef302ee22..75e939f0681 100644
--- a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
+++ b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml
@@ -6,10 +6,10 @@ references:
 - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
 - https://github.com/Immersive-Labs-Sec/nimbuspwn
 author: Bhabesh Raj
-date: 2022/05/04
-modified: 2023/01/23
+date: 2022-05-04
+modified: 2023-01-23
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 product: linux
diff --git a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
index 624efdca8ca..00fa9e19acf 100644
--- a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
+++ b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
@@ -6,10 +6,10 @@ references:
 - https://redcanary.com/blog/ebpf-malware/
 - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
 author: Red Canary (idea), Nasreddine Bencherchali
-date: 2023/01/25
+date: 2023-01-25
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: linux
 detection:
diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml
index 1882648793b..44d9931fdb5 100644
--- a/rules/linux/builtin/lnx_privileged_user_creation.yml
+++ b/rules/linux/builtin/lnx_privileged_user_creation.yml
@@ -7,7 +7,7 @@ references:
 - https://linux.die.net/man/8/useradd
 - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
 author: Pawel Mazur
-date: 2022/12/21
+date: 2022-12-21
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/linux/builtin/lnx_shell_clear_cmd_history.yml b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
index 58e06994857..72009ad1439 100644
--- a/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
+++ b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
@@ -9,10 +9,10 @@ references:
 - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
 - https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
 author: Patrick Bareiss
-date: 2019/03/24
-modified: 2024/04/17
+date: 2019-03-24
+modified: 2024-04-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.003
 # Example config for this one (place it in .bash_profile):
 # (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) &
diff --git a/rules/linux/builtin/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml
index dc901ee3b54..78ba2b5cf66 100644
--- a/rules/linux/builtin/lnx_shell_susp_commands.yml
+++ b/rules/linux/builtin/lnx_shell_susp_commands.yml
@@ -8,8 +8,8 @@ references:
 - http://pastebin.com/FtygZ1cg
 - https://artkond.com/2017/03/23/pivoting-guide/
 author: Florian Roth (Nextron Systems)
-date: 2017/08/21
-modified: 2021/11/27
+date: 2017-08-21
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/builtin/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
index caa3385bade..35d0e403725 100644
--- a/rules/linux/builtin/lnx_shell_susp_log_entries.yml
+++ b/rules/linux/builtin/lnx_shell_susp_log_entries.yml
@@ -5,8 +5,8 @@ description: Detects suspicious log entries in Linux log files
 references:
 - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2017/03/25
-modified: 2021/11/27
+date: 2017-03-25
+modified: 2021-11-27
 tags:
 - attack.impact
 logsource:
diff --git a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
index 58d50b2a24f..ea5e843107a 100644
--- a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
+++ b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
@@ -5,8 +5,8 @@ description: Detects suspicious shell commands or program code that may be execu
 references:
 - https://alamot.github.io/reverse_shells/
 author: Florian Roth (Nextron Systems)
-date: 2019/04/02
-modified: 2021/11/27
+date: 2019-04-02
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/builtin/lnx_shellshock.yml b/rules/linux/builtin/lnx_shellshock.yml
index 8e9b5d2f417..dc1d28a91ef 100644
--- a/rules/linux/builtin/lnx_shellshock.yml
+++ b/rules/linux/builtin/lnx_shellshock.yml
@@ -5,8 +5,8 @@ description: Detects shellshock expressions in log files
 references:
 - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
 author: Florian Roth (Nextron Systems)
-date: 2017/03/14
-modified: 2022/10/09
+date: 2017-03-14
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/linux/builtin/lnx_space_after_filename_.yml b/rules/linux/builtin/lnx_space_after_filename_.yml
index 722dd1e6758..0a58e45b1e0 100644
--- a/rules/linux/builtin/lnx_space_after_filename_.yml
+++ b/rules/linux/builtin/lnx_space_after_filename_.yml
@@ -5,8 +5,8 @@ description: Detects space after filename
 references:
 - https://attack.mitre.org/techniques/T1064
 author: Ömer Günal
-date: 2020/06/17
-modified: 2021/11/27
+date: 2020-06-17
+modified: 2021-11-27
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml
index d8f68a34fc6..5b0fe6b0286 100644
--- a/rules/linux/builtin/lnx_susp_dev_tcp.yml
+++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml
@@ -7,8 +7,8 @@ references:
 - https://book.hacktricks.xyz/shells/shells/linux
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
 author: frack113
-date: 2021/12/10
-modified: 2023/01/06
+date: 2021-12-10
+modified: 2023-01-06
 tags:
 - attack.reconnaissance
 logsource:
diff --git a/rules/linux/builtin/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml
index eceedcdb6e2..1fea76f4f89 100644
--- a/rules/linux/builtin/lnx_susp_jexboss.yml
+++ b/rules/linux/builtin/lnx_susp_jexboss.yml
@@ -5,8 +5,8 @@ description: Detects suspicious command sequence that JexBoss
 references:
 - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
 author: Florian Roth (Nextron Systems)
-date: 2017/08/24
-modified: 2022/07/07
+date: 2017-08-24
+modified: 2022-07-07
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/builtin/lnx_symlink_etc_passwd.yml b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
index 75393a3b996..fa126b32f3d 100644
--- a/rules/linux/builtin/lnx_symlink_etc_passwd.yml
+++ b/rules/linux/builtin/lnx_symlink_etc_passwd.yml
@@ -5,8 +5,8 @@ description: Detects suspicious command lines that look as if they would create
 references:
 - https://www.qualys.com/2021/05/04/21nails/21nails.txt
 author: Florian Roth (Nextron Systems)
-date: 2019/04/05
-modified: 2021/11/27
+date: 2019-04-05
+modified: 2021-11-27
 tags:
 - attack.t1204.001
 - attack.execution
diff --git a/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml b/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
index f9c561aaa5e..3975548b9b3 100644
--- a/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
+++ b/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml
@@ -5,8 +5,8 @@ description: Detects exploitation attempt using public exploit code for CVE-2018
 references:
 - https://github.com/Rhynorater/CVE-2018-15473-Exploit
 author: Florian Roth (Nextron Systems)
-date: 2017/08/24
-modified: 2021/11/27
+date: 2017-08-24
+modified: 2021-11-27
 tags:
 - attack.reconnaissance
 - attack.t1589
diff --git a/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml b/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
index 8584d39b6dc..d89bcc20e35 100644
--- a/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
+++ b/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2017/06/30
-modified: 2021/11/27
+date: 2017-06-30
+modified: 2021-11-27
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: linux
diff --git a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
index 20808e855f9..d2df0e0e8dd 100644
--- a/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
+++ b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml
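Review bot: `+date: 2017-08-24` in lnx_sshd_ssh_cve_2018_15473.yml keeps a creation date that predates the CVE-2018 identifier the rule detects, and it is the same value as the `date` of lnx_susp_jexboss.yml in the previous hunk, which looks like a copy-paste remnant rather than the real creation date. The format migration itself is correct; the value should be checked against the rule's history and corrected in a follow-up if it is wrong.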
@@ -10,13 +10,13 @@ references:
 - https://access.redhat.com/security/cve/cve-2019-14287
 - https://twitter.com/matthieugarin/status/1183970598210412546
 author: Florian Roth (Nextron Systems)
-date: 2019/10/15
-modified: 2022/11/26
+date: 2019-10-15
+modified: 2022-11-26
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 - attack.t1548.003
- - cve.2019.14287
+ - cve.2019-14287
 logsource:
 product: linux
 service: sudo
diff --git a/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml b/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
index 0ae57f85439..76ec9b5b57e 100644
--- a/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
+++ b/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
@@ -8,10 +8,10 @@ description: Detects disabling security tools
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/06/17
-modified: 2022/11/26
+date: 2020-06-17
+modified: 2022-11-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: linux
diff --git a/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml b/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
index 86afe19fd25..34cbba11747 100644
--- a/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
+++ b/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml
@@ -5,10 +5,10 @@ description: Detects suspicious DNS error messages that indicate a fatal or susp
 references:
 - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
 author: Florian Roth (Nextron Systems)
-date: 2018/02/20
-modified: 2022/10/05
+date: 2018-02-20
+modified: 2022-10-05
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: linux
diff --git a/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml b/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
index bbdfe379f53..d91978ed380 100644
--- a/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
+++ b/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml
@@ -5,10 +5,10 @@ description: Detects suspicious VSFTPD error messages that indicate a fatal or s
 references:
 - https://github.com/dagwieers/vsftpd/
 author: Florian Roth (Nextron Systems)
-date: 2017/07/05
-modified: 2021/11/27
+date: 2017-07-05
+modified: 2021-11-27
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: linux
diff --git a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
index be5bdee6f68..f92735f301d 100644
--- a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
+++ b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
@@ -6,10 +6,10 @@ references:
 - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
 - https://www.makeuseof.com/how-to-install-and-use-doas/
 author: Sittikorn S, Teoderick Contreras
-date: 2022/01/20
-modified: 2022/12/31
+date: 2022-01-20
+modified: 2022-12-31
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 product: linux
diff --git a/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml b/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
index cd9e431c878..e02b5abf5fb 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
@@ -5,8 +5,8 @@ description: Detects creation of cron file or files in Cron directories which co
 references:
 - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/12/31
+date: 2021-10-15
+modified: 2022-12-31
 tags:
 - attack.persistence
 - attack.t1053.003
diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
index 1ba00ab8ec1..27dca4e9c42 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
@@ -5,8 +5,8 @@ description: Detects creation of sudoers file or files in "sudoers.d" directory
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
-modified: 2022/12/31
+date: 2022-07-05
+modified: 2022-12-31
 tags:
 - attack.persistence
 - attack.t1053.003
diff --git a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
index 02764040e45..c3043b6c577 100644
--- a/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
+++ b/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml
@@ -8,7 +8,7 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
 - attack.persistence
 logsource:
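Review bot: In file_event_lnx_persistence_sudoers_files.yml the new side still carries ` - attack.t1053.003` (Scheduled Task/Job: Cron) for a rule whose description says it watches sudoers file creation in "sudoers.d"; the tag matches the cron rule in the preceding hunk and looks copied from it, while `attack.t1548.003` (Sudo and Sudo Caching), already used on lnx_sudo_cve_2019_14287_user.yml in this patch, appears to be the intended mapping. The commit only renames tactic tags, so this would be a follow-up; verify against the rule's detection block, which is outside the hunk.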
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
index 4c56cf49f65..426c2a1f010 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
@@ -5,10 +5,10 @@ description: Detects the creation of the file "rootlog" which is used by the Tri
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
-modified: 2022/12/31
+date: 2022-07-05
+modified: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: linux
 category: file_event
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
index 81fc28ec889..317ebc444e8 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
@@ -5,11 +5,11 @@ description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "
 references:
 - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
-modified: 2022/12/31
+date: 2022-07-05
+modified: 2022-12-31
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1053.003
 logsource:
diff --git a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
index 14d61ef7f1a..54b932957f4 100644
--- a/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
+++ b/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml
@@ -8,9 +8,9 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: linux
diff --git a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
index e6337afbc0b..888515b0d23 100644
--- a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
+++ b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml
@@ -5,8 +5,8 @@ description: Detects a bash contecting to a remote IP address (often found when
 references:
 - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
 author: Florian Roth (Nextron Systems)
-date: 2021/10/16
-modified: 2022/12/25
+date: 2021-10-16
+modified: 2022-12-25
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml b/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
index 4bb860662d0..4d21a10a891 100644
--- a/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
+++ b/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
@@ -5,7 +5,7 @@ description: Detects process connections to a Monero crypto mining pool
 references:
 - https://www.poolwatch.io/coin/monero
 author: Florian Roth (Nextron Systems)
-date: 2021/10/26
+date: 2021-10-26
 tags:
 - attack.impact
 - attack.t1496
diff --git a/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml b/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml
index b9ffc29a693..3332ea6e263 100644
--- a/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml
+++ b/rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml
@@ -9,9 +9,9 @@ references:
 - https://localtonet.com/documents/supported-tunnels
 - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
 author: Andreas Braathen (mnemonic.io)
-date: 2024/06/17
+date: 2024-06-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 - attack.t1090
 - attack.t1102
diff --git a/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml b/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
index 4496a3c0158..9d5d9fdf14e 100644
--- a/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
+++ b/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/hakluke/status/1587733971814977537/photo/1
 - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
 author: Florian Roth (Nextron Systems)
-date: 2022/11/03
+date: 2022-11-03
 tags:
 - attack.exfiltration
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1567
 - attack.t1568.002
 - attack.t1572
diff --git a/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml b/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml
index 3864d356d6d..9d7cc8a1a10 100644
--- a/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml
+++ b/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml
@@ -13,10 +13,10 @@ references:
 - https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
 - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
 author: hasselj
-date: 2024/05/10
+date: 2024-05-10
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1571
 logsource:
 category: network_connection
diff --git a/rules/linux/process_creation/proc_creation_lnx_at_command.yml b/rules/linux/process_creation/proc_creation_lnx_at_command.yml
index 8ba08536c1a..d2126c9e0c8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_at_command.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_at_command.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
 author: Ömer Günal, oscd.community
-date: 2020/10/06
-modified: 2022/07/07
+date: 2020-10-06
+modified: 2022-07-07
 tags:
 - attack.persistence
 - attack.t1053.002
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
index f73fc3efe0a..11b1943f67a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
@@ -5,10 +5,10 @@ description: Detects usage of base64 utility to decode arbitrary base64-encoded
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2021/11/27
+date: 2020-10-19
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
index c3ea5de42ad..71af7da3ba3 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/arget13/DDexec
 - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: pH-T (Nextron Systems)
-date: 2022/07/26
-modified: 2023/06/16
+date: 2022-07-26
+modified: 2023-06-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
index b5017a42ecc..35be59a78c0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
@@ -6,9 +6,9 @@ references:
 - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
 - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml
index 5867934c307..739fda4b357 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml
@@ -7,7 +7,7 @@ references:
 - https://www.revshells.com/
 - https://linux.die.net/man/1/bash
 author: '@d4ns4n_'
-date: 2023/04/07
+date: 2023-04-07
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
index eb6839b7bfe..8c1535caf0c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
@@ -7,10 +7,10 @@ references:
 - https://bpftrace.org/
 - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/25
+date: 2023-01-25
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml
index 8ffc0608f65..31f65a21904 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml
@@ -6,7 +6,7 @@ references:
 - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
 - https://bpftrace.org/
 author: Andreas Hunkeler (@Karneades)
-date: 2022/02/11
+date: 2022-02-11
 tags:
 - attack.execution
 - attack.t1059.004
diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
index ff14daba38f..87811e044d4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
@@ -7,8 +7,8 @@ references:
 - https://github.com/carlospolop/PEASS-ng
 - https://github.com/diego-treitos/linux-smart-enumeration
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
-modified: 2024/03/05
+date: 2022-12-28
+modified: 2024-03-05
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
index 68763fafd90..f1dde2f9bc1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
@@ -5,8 +5,8 @@ description: Detects the execution of a cat /etc/sudoers to list all users that
 references:
 - https://github.com/sleventyeleven/linuxprivchecker/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/20
-modified: 2022/09/15
+date: 2022-06-20
+modified: 2022-09-15
 tags:
 - attack.reconnaissance
 - attack.t1592.004
diff --git a/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
index 3d3a589c9df..41186cae01f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
@@ -8,9 +8,9 @@ description: Detects usage of the 'chattr' utility to remove immutable file attr
 references:
 - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
index 37aee1399f2..202156876d6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
@@ -5,10 +5,10 @@ description: Detects attempts to clear logs on the system. Adversaries may clear
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
 author: Ömer Günal, oscd.community
-date: 2020/10/07
-modified: 2022/09/15
+date: 2020-10-07
+modified: 2022-09-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1070.002
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
index ff5820eb550..fc1ec32b09f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
@@ -5,10 +5,10 @@ description: Detects specific commands commonly used to remove or empty the sysl
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
 author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/09/15
+date: 2021-10-15
+modified: 2022-09-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1070.002
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
index bf691a47d37..65df521210d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
@@ -7,8 +7,8 @@ description: |
 references:
     - https://www.packetlabs.net/posts/clipboard-data-security/
 author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/09/15
+date: 2021-10-15
+modified: 2022-09-15
 tags:
     - attack.collection
     - attack.t1115
diff --git a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
index 585d63236b1..97b01638eaf 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
@@ -6,9 +6,9 @@ references:
     - https://blogs.blackberry.com/
     - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/31
+date: 2023-01-31
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1552.001
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
index f92b908ab73..7966a068cd3 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml
@@ -8,7 +8,7 @@ references:
     - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
     - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
     - attack.discovery
     - attack.t1007
diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
index 419d47d549c..1b9559e5095 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
@@ -7,9 +7,9 @@ description: |
 references:
     - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
index 3d998d06cd3..f0457cf0ee0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml
@@ -5,8 +5,8 @@ description: Detects command line parameters or strings often used by crypto min
 references:
     - https://www.poolwatch.io/coin/monero
 author: Florian Roth (Nextron Systems)
-date: 2021/10/26
-modified: 2022/12/25
+date: 2021-10-26
+modified: 2022-12-25
 tags:
     - attack.impact
     - attack.t1496
diff --git a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml
index 1e80ebbf8fd..2799dbbc50c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml
@@ -5,9 +5,9 @@ description: Detects a curl process start on linux, which indicates a file downl
 references:
     - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1105
 logsource:
     category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml b/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
index fa251f6e97f..cb7decc2bea 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
@@ -8,13 +8,13 @@ description: Detects spawning of suspicious child processes by Atlassian Conflue
 references:
     - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/03
+date: 2022-06-03
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.execution
     - attack.t1190
     - attack.t1059
-    - cve.2022.26134
+    - cve.2022-26134
 logsource:
     category: process_creation
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml b/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
index aef001baf61..a92e6acfa0f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
@@ -7,11 +7,11 @@ references:
     - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
     - https://github.com/apache/spark/pull/36315/files
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/20
+date: 2022-07-20
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1190
-    - cve.2022.33891
+    - cve.2022-33891
 logsource:
     product: linux
     category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml b/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml
index 71ffcad28cd..73e15abcbe9 100644
--- a/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml
@@ -5,8 +5,8 @@ description: Detects potential overwriting and deletion of a file using DD.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/07/07
+date: 2021-10-15
+modified: 2022-07-07
 tags:
     - attack.impact
     - attack.t1485
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
index 4d7d8fbbb32..468b38d9650 100644
--- a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
@@ -6,9 +6,9 @@ references:
     - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
     - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
 author: Joseph Kamau
-date: 2023/12/01
+date: 2023-12-01
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1055.009
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
index f99cf647cbd..8cf9eb0f232 100644
--- a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
@@ -6,9 +6,9 @@ references:
     - https://blogs.blackberry.com/
     - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/18
+date: 2023-01-18
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.004
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
index 564c37a36b4..900d56296e6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
@@ -6,9 +6,9 @@ references:
     - https://research.splunk.com/endpoint/linux_doas_tool_execution/
     - https://www.makeuseof.com/how-to-install-and-use-doas/
 author: Sittikorn S, Teoderick Contreras
-date: 2022/01/20
+date: 2022-01-20
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1548
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
index c41dc38f2e9..01f9f2a1e7d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
@@ -6,7 +6,7 @@ references:
     - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
     - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html
 author: Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
 tags:
     - attack.discovery
     - attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
index dfc63fc1cf2..e0d84eb4083 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
@@ -5,7 +5,7 @@ description: Detects execution of the "esxcli" command with the "system" and "pe
 references:
     - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/04
+date: 2023-09-04
 tags:
     - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
index af6e9829d22..112773edc9b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
@@ -7,7 +7,7 @@ references:
     - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
     - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html
 author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
 tags:
     - attack.discovery
     - attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
index 845319727e7..7a9aaa4022f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
@@ -6,9 +6,9 @@ references:
     - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
     - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
 author: Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
     - attack.t1562.003
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
index eee3487fc8b..b3e56ea01d9 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
@@ -6,7 +6,7 @@ references:
     - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
     - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
 author: Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
 tags:
     - attack.discovery
     - attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
index 0b5069ed56b..fa7319486c7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
@@ -5,7 +5,7 @@ description: Detects user account creation on ESXi system via esxcli
 references:
     - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
 author: Cedric Maurugeon
-date: 2023/08/22
+date: 2023-08-22
 tags:
     - attack.persistence
     - attack.t1136
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
index b93f97ad0d4..503618cb215 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
@@ -8,7 +8,7 @@ references:
     - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
     - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
 author: Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
 tags:
     - attack.discovery
     - attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
index 42df2b18703..9afeb12b41f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
@@ -8,7 +8,7 @@ references:
     - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
     - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
 author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
 tags:
     - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
index 2eede884801..844503adc2c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
@@ -7,7 +7,7 @@ references:
     - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
     - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html
 author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
-date: 2023/09/04
+date: 2023-09-04
 tags:
     - attack.discovery
     - attack.t1033
diff --git a/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
index a7c0e3ce83c..1238daa1a9f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities to discover files and directories
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/25
+date: 2020-10-19
+modified: 2022-11-25
 tags:
     - attack.discovery
     - attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
index 47adf83de28..6f3a01262e5 100644
--- a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
@@ -5,10 +5,10 @@ description: Detects file deletion using "rm", "shred" or "unlink" commands whic
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 author: Ömer Günal, oscd.community
-date: 2020/10/07
-modified: 2022/09/15
+date: 2020-10-07
+modified: 2022-09-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1070.004
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
index ea1e5b0c9ec..fff00b0951b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml
@@ -9,7 +9,7 @@ references:
     - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
     - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
     - attack.discovery
     - attack.t1082
diff --git a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
index 6d10e5a4f6b..26fd46ff229 100644
--- a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml
@@ -8,7 +8,7 @@ references:
     - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
     - https://linux.die.net/man/8/groupdel
 author: Tuan Le (NCSGroup)
-date: 2022/12/26
+date: 2022-12-26
 tags:
     - attack.impact
     - attack.t1531
diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
index 2ef7e1b58d2..c5f75e71dc0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
@@ -6,7 +6,7 @@ references:
     - https://gtfobins.github.io/gtfobins/apt/
     - https://gtfobins.github.io/gtfobins/apt-get/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
+date: 2022-12-28
 tags:
     - attack.discovery
     - attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
index de4f854c365..0228c228358 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
@@ -7,7 +7,7 @@ references:
     - https://gtfobins.github.io/gtfobins/rvim/
     - https://gtfobins.github.io/gtfobins/vimdiff/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
+date: 2022-12-28
 tags:
     - attack.discovery
     - attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml b/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
index ea8e6b830b1..8e7bdba0b3e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
@@ -5,10 +5,10 @@ description: Detects installation of new certificate on the system which attacke
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 author: Ömer Günal, oscd.community
-date: 2020/10/05
-modified: 2022/07/07
+date: 2020-10-05
+modified: 2022-07-07
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1553.004
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
index 48712c358db..723a99b5e8e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
@@ -5,9 +5,9 @@ description: Detects installation of suspicious packages using system installati
 references:
     - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/03
+date: 2023-01-03
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1553.004
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
index 7c13288f271..d4524534f95 100644
--- a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
@@ -7,9 +7,9 @@ references:
     - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
     - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/18
+date: 2023-01-18
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.004
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
index 1ebfc0e5c98..0dd9466797b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
@@ -6,9 +6,9 @@ references:
     - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
     - https://www.cyberciti.biz/faq/how-force-kill-process-linux/
 author: Tuan Le (NCSGroup)
-date: 2023/03/16
+date: 2023-03-16
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml
index 8bd382f44e2..35b1422283e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local systeam accounts. This information can
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/08
-modified: 2022/11/27
+date: 2020-10-08
+modified: 2022-11-27
 tags:
     - attack.discovery
     - attack.t1087.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
index 3cfe8edcd08..3cd4f9b6f51 100644
--- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local system groups. Adversaries may attempt
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/10/11
-modified: 2022/11/27
+date: 2020-10-11
+modified: 2022-11-27
 tags:
     - attack.discovery
     - attack.t1069.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
index eabb5c08beb..1508c6c0ced 100644
--- a/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
@@ -7,7 +7,7 @@ references:
     - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
     - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
     - attack.discovery
     - attack.t1082
diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
index 737e41af771..9f7174fcfa3 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml
@@ -6,7 +6,7 @@ references:
     - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
     - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
     - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
index 250cba342db..f24488fd89d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
@@ -9,7 +9,7 @@ references:
     - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
     - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/16
+date: 2023-06-16
 tags:
     - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
index 2629345c566..28715cccf69 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
@@ -7,9 +7,9 @@ references:
     - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
     - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/12
+date: 2023-01-12
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1564
 logsource:
     product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
index 2e43b72af9f..d1c9106c6d2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml
@@ -9,7 +9,7 @@ references:
     - https://www.infosecademy.com/netcat-reverse-shells/
     - https://man7.org/linux/man-pages/man1/ncat.1.html
 author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
-date: 2023/04/07
+date: 2023-04-07
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup.yml b/rules/linux/process_creation/proc_creation_lnx_nohup.yml
index dedce2fb1bf..d3ddc5983ee 100644
--- a/rules/linux/process_creation/proc_creation_lnx_nohup.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_nohup.yml
@@ -7,7 +7,7 @@ references:
     - https://en.wikipedia.org/wiki/Nohup
     - https://www.computerhope.com/unix/unohup.htm
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022/06/06
+date: 2022-06-06
 tags:
     - attack.execution
     - attack.t1059.004
diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
index 03af205e6fb..9bd6a20b566 100644
--- a/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml
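Review bot: The renamed tactic tag `attack.credential-access` in proc_creation_lnx_mount_hidepid.yml still sits next to `attack.t1564`, which ATT&CK lists as Hide Artifacts under Defense Evasion, so the tactic/technique pairing looks inconsistent after the rename. If the rule's intent is the hidepid-based process hiding its references describe, `- attack.defense-evasion` would match the technique; the rename only changed the separator and carried the pre-existing mismatch forward, so this is worth a follow-up rather than a blocker for this PR.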
@@ -11,7 +11,7 @@ references:
     - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
     - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
     - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
index 7711f5db5ec..6e568c3093a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
@@ -11,11 +11,11 @@ references:
     - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
     - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/10/05
+date: 2021-10-15
+modified: 2022-10-05
 tags:
-    - attack.privilege_escalation
-    - attack.initial_access
+    - attack.privilege-escalation
+    - attack.initial-access
     - attack.execution
     - attack.t1068
     - attack.t1190
diff --git a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
index 5dbd85298ab..b985e82b4b8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
@@ -9,11 +9,11 @@ references:
 - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
 - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/10/15
-modified: 2022/10/05
+date: 2021-10-15
+modified: 2022-10-05
 tags:
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.execution
 - attack.t1068
 - attack.t1190
diff --git a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
index 54d39c73038..4cec24ad152 100644
--- a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
-date: 2023/04/07
+date: 2023-04-07
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
index 4dc456108d2..b2958fe5647 100644
--- a/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml
@@ -8,7 +8,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_'
-date: 2023/04/07
+date: 2023-04-07
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml b/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml
index 5424c0eb861..ef24826f143 100644
--- a/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml
@@ -5,7 +5,7 @@ description: |
 Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
 This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
 author: David Burkett (@signalblur)
-date: 2024/04/16
+date: 2024-04-16
 references:
 - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
 - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
diff --git a/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml
index f61dbffc925..ccb7e71601b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md
 author: Ömer Günal, oscd.community
-date: 2020/10/06
-modified: 2022/07/07
+date: 2020-10-06
+modified: 2022-07-07
 tags:
 - attack.discovery
 - attack.t1057
diff --git a/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml b/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
index 7670709865e..7ff8d5f5a44 100644
--- a/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
@@ -5,10 +5,10 @@ description: Detects setting proxy configuration
 references:
 - https://attack.mitre.org/techniques/T1090/
 author: Ömer Günal
-date: 2020/06/17
-modified: 2022/10/05
+date: 2020-06-17
+modified: 2022-10-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1090
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
index d42e55c0a72..a75bd0cbd09 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
@@ -8,8 +8,8 @@ description: Detects python spawning a pretty tty which could be indicative of p
 references:
 - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
 author: Nextron Systems
-date: 2022/06/03
-modified: 2023/06/16
+date: 2022-06-03
+modified: 2023-06-16
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
index b138ebc9e0f..218f8e6e99c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
@@ -9,7 +9,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
-date: 2023/04/24
+date: 2023-04-24
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
index 27c08b20dfa..0ddc7f59fb2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
@@ -12,9 +12,9 @@ description: |
 references:
 - Internal Research
 author: Josh Nickels, Qi Nan
-date: 2024/03/11
+date: 2024-03-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
index 9faab9fe433..23052b47d8b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
@@ -5,8 +5,8 @@ description: Detects the enumeration of other remote systems.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/22
-modified: 2021/11/27
+date: 2020-10-22
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
index 06346824c76..5dd05a15716 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
@@ -8,9 +8,9 @@ references:
 - https://linuxhint.com/uninstall_yum_package/
 - https://linuxhint.com/uninstall-debian-packages/
 author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/09
+date: 2023-03-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
index 6bacb829c38..d82b70d9f53 100644
--- a/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_'
-date: 2023/04/07
+date: 2023-04-07
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
index b9f627587c3..fbaa7c54a1e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
@@ -5,12 +5,12 @@ description: Detects abuse of the cron utility to perform task scheduling for in
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
-modified: 2022/11/27
+date: 2020-10-06
+modified: 2022-11-27
 tags:
 - attack.execution
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1053.003
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
index 5101c2e7565..bf3d1b3bde6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities (only grep and egrep for now) to
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/27
+date: 2020-10-19
+modified: 2022-11-27
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
index fa83e7f3899..8e553910065 100644
--- a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
@@ -5,10 +5,10 @@ description: Detects disabling security tools
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/06/17
-modified: 2022/10/09
+date: 2020-06-17
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
index 4cd16414042..4d559978134 100644
--- a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
@@ -5,9 +5,9 @@ description: Detects the usage of utilities such as 'systemctl', 'service'...etc
 references:
 - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
index f807d3c6010..3df87f2ff55 100644
--- a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
 - https://attack.mitre.org/techniques/T1548/001/
 author: Ömer Günal
-date: 2020/06/16
-modified: 2022/10/05
+date: 2020-06-16
+modified: 2022-10-05
 tags:
 - attack.persistence
 - attack.t1548.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
index b50cf0f0822..3f24ef84158 100644
--- a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
@@ -7,9 +7,9 @@ references:
 - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
 - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
 author: Muhammad Faisal
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.persistence
 - attack.t1219
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
index 3226bafe730..5cf978a1d1b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml
@@ -7,13 +7,13 @@ references:
 - https://access.redhat.com/security/cve/cve-2019-14287
 - https://twitter.com/matthieugarin/status/1183970598210412546
 author: Florian Roth (Nextron Systems)
-date: 2019/10/15
-modified: 2022/10/05
+date: 2019-10-15
+modified: 2022-10-05
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 - attack.t1548.003
- - cve.2019.14287
+ - cve.2019-14287
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml b/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
index e570ccd0daf..b24b41b5b97 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
@@ -6,9 +6,9 @@ references:
 - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022/06/03
+date: 2022-06-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml
index fa82f89141f..4403c74abce 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml
@@ -9,7 +9,7 @@ tags:
 - attack.discovery
 - attack.t1082
 author: Seth Hanford
-date: 2023/08/23
+date: 2023-08-23
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
index 13629815405..3a5ebc00b6a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
@@ -12,8 +12,8 @@ references:
 - https://curl.se/docs/manpage.html
 - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
-date: 2022/09/15
-modified: 2023/05/02
+date: 2022-09-15
+modified: 2023-05-02
 tags:
 - attack.exfiltration
 - attack.t1567
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
index 33e5eb9871e..81717c6850a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
@@ -8,9 +8,9 @@ description: Detects a suspicious curl process start on linux with set useragent
 references:
 - https://curl.se/docs/manpage.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/15
+date: 2022-09-15
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml
index 2e4c41830bc..f0729ae0ee0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml
@@ -9,7 +9,7 @@ tags:
 - attack.discovery
 - attack.t1082
 author: Seth Hanford
-date: 2023/08/23
+date: 2023-08-23
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
index 98d0b807449..aa8b8c6146f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
@@ -8,9 +8,9 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
index 7c15f0efb51..9c301f67240 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml
@@ -8,7 +8,7 @@ description: Detects usage of "find" binary in a suspicious manner to perform di
 references:
 - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
+date: 2022-12-28
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
index 8abc41bc303..52a4ba438d4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
@@ -5,8 +5,8 @@ description: Detects execution of "git" in order to clone a remote repository th
 references:
 - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/03
-modified: 2023/01/05
+date: 2023-01-03
+modified: 2023-01-05
 tags:
 - attack.reconnaissance
 - attack.t1593.003
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
index f520d0b930c..a886e3f95e8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/sleventyeleven/linuxprivchecker/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 author: Florian Roth (Nextron Systems)
-date: 2022/06/20
-modified: 2022/09/15
+date: 2022-06-20
+modified: 2022-09-15
 tags:
 - attack.impact
 - attack.t1565.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
index 74f8b622958..f67989cb00f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/sleventyeleven/linuxprivchecker/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 author: Florian Roth (Nextron Systems)
-date: 2022/06/20
-modified: 2022/09/15
+date: 2022-06-20
+modified: 2022-09-15
 tags:
 - attack.reconnaissance
 - attack.t1592.004
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
index 32f9da31bd3..4b41010ac4e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
@@ -13,11 +13,11 @@ references:
 - https://github.com/Ne0nd0g/merlin
 - https://github.com/Pennyw0rth/NetExec/
 author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
-date: 2023/01/03
-modified: 2023/10/25
+date: 2023-01-03
+modified: 2023-10-25
 tags:
 - attack.execution
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml b/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml
index 9e052d5454c..057cbb35df9 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml
@@ -9,7 +9,7 @@ tags:
 - attack.discovery
 - attack.t1082
 author: Seth Hanford
-date: 2023/08/23
+date: 2023-08-23
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
index f4d1b909489..f7314d15cf7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
@@ -5,10 +5,10 @@ description: Detects suspicious interactive bash as a parent to rather uncommon
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/14
+date: 2022-03-14
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.004
 - attack.t1036
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml b/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
index 4e910659634..322cd563e32 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml
@@ -5,7 +5,7 @@ description: Detects java process spawning suspicious children
 references:
 - https://www.tecmint.com/different-types-of-linux-shells/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/03
+date: 2022-06-03
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
index 8111a5334b1..9dd224d6b9f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
@@ -7,8 +7,8 @@ references:
 - https://github.com/projectdiscovery/naabu
 - https://github.com/Tib3rius/AutoRecon
 author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
-date: 2020/10/21
-modified: 2023/10/25
+date: 2020-10-21
+modified: 2023-10-25
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
index ea7c51a21ba..558728a330f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process command line that starts with a shell th
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/14
-modified: 2022/07/26
+date: 2022-03-14
+modified: 2022-07-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml b/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
index d2581b08100..23ace9edfd4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
@@ -5,11 +5,11 @@ description: Detects events with patterns found in commands used for reconnaissa
 references:
 - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
 author: Florian Roth (Nextron Systems)
-date: 2022/06/20
+date: 2022-06-20
 tags:
 - attack.reconnaissance
 - attack.t1592.004
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
index a7353a4ff92..d56ff8274da 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml
@@ -5,7 +5,7 @@ description: Detects changes of sensitive and critical files. Monitors files tha
 references:
 - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
 author: '@d4ns4n_ (Wuerth-Phoenix)'
-date: 2023/05/30
+date: 2023-05-30
 tags:
 - attack.impact
 - attack.t1565.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
index 600a994ff1b..a38d2322d8f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
@@ -8,7 +8,7 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
index 514239ba619..8819b59ec4f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
@@ -8,7 +8,7 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
 - attack.execution
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
index f45de992bbb..ec5d3f4a7e7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
@@ -5,8 +5,8 @@ description: Detects system information discovery commands
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
 author: Ömer Günal, oscd.community
-date: 2020/10/08
-modified: 2021/09/14
+date: 2020-10-08
+modified: 2021-09-14
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
index 0b2ca2e7a92..7beb43031ba 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities to discover system network connec
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2023/01/17
+date: 2020-10-19
+modified: 2023-01-17
 tags:
 - attack.discovery
 - attack.t1049
diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml
index 69a1c879999..647835e76ba 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local network configuration
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
 author: Ömer Günal and remotephone, oscd.community
-date: 2020/10/06
-modified: 2022/09/15
+date: 2020-10-06
+modified: 2022-09-15
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
index ac6b07c9c02..b3ed4dc1b1c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
@@ -6,9 +6,9 @@ references:
 - https://blogs.blackberry.com/
 - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.006
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
index 31d219dc919..cbf35716893 100644
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
@@ -5,10 +5,10 @@ description: Detects execution of a the file "execve_hijack" which is used by th
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
+date: 2022-07-05
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
index f7d1534ee36..40b2fc6dc37 100644
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
@@ -5,9 +5,9 @@ description: Detects default install commands of the Triple Cross eBPF rootkit b
 references:
 - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/05
+date: 2022-07-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1014
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_userdel.yml b/rules/linux/process_creation/proc_creation_lnx_userdel.yml
index eed85d3c1d3..e31b7ce3af1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_userdel.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_userdel.yml
@@ -8,7 +8,7 @@ references:
 - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
 - https://linux.die.net/man/8/userdel
 author: Tuan Le (NCSGroup)
-date: 2022/12/26
+date: 2022-12-26
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
index 15e18c81605..739ac09ec00 100644
--- a/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
@@ -6,9 +6,9 @@ references:
 - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
 - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
 author: TuanLe (GTSC)
-date: 2022/12/21
+date: 2022-12-21
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
index 8cf0416cf31..11140a97aed 100644
--- a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
@@ -6,8 +6,8 @@ references:
 - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
 - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/10/15
-modified: 2022/12/28
+date: 2021-10-15
+modified: 2022-12-28
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
index 1b4668243bd..736add1f2a1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml
@@ -8,9 +8,9 @@ references:
 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/06/02
+date: 2023-06-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
index 85a089c1188..1a05768ddc4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_'
-date: 2023/04/24
+date: 2023-04-24
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml b/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
index 5307aa8a63a..d7997433959 100644
--- a/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
+++ b/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
 - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/23
-modified: 2021/11/27
+date: 2020-10-23
+modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.014
 logsource:
 category: file_event
diff --git a/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml b/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml
index 263f13b5a48..9a9e0ec58ea 100644
--- a/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml
+++ b/rules/macos/file_event/file_event_macos_susp_startup_item_created.yml
@@ -9,11 +9,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
 - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/14
-modified: 2024/08/11
+date: 2020-10-14
+modified: 2024-08-11
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1037.005
 logsource:
 category: file_event
diff --git a/rules/macos/process_creation/proc_creation_macos_applescript.yml b/rules/macos/process_creation/proc_creation_macos_applescript.yml
index a12eeeaa6a1..200543bcfe1 100644
--- a/rules/macos/process_creation/proc_creation_macos_applescript.yml
+++ b/rules/macos/process_creation/proc_creation_macos_applescript.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
 - https://redcanary.com/blog/applescript/
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
-modified: 2023/02/01
+date: 2020-10-21
+modified: 2023-02-01
 tags:
 - attack.execution
 - attack.t1059.002
diff --git a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
index 89667d96eea..7c0cd7b35a6 100644
--- a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
+++ b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
@@ -5,10 +5,10 @@ description: Detects usage of base64 utility to decode arbitrary base64-encoded
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/26
+date: 2020-10-19
+modified: 2022-11-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
index 55dd6c029e3..6e3aa15f961 100644
--- a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
+++ b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
@@ -7,10 +7,10 @@ references:
 - https://linux.die.net/man/1/truncate
 - https://linux.die.net/man/1/dd
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
-modified: 2023/02/17
+date: 2020-10-19
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.001
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
index ae85c6f8532..ceb3df825f9 100644
--- a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
+++ b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
@@ -5,10 +5,10 @@ description: Detect file time attribute change to hide new or changes to existin
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
 author: Igor Fits, Mikhail Larin, oscd.community
-date: 2020/10/19
-modified: 2022/01/12
+date: 2020-10-19
+modified: 2022-01-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.006
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml
index 0b81ac8b06e..121e3a8f913 100644
--- a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml
+++ b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml
@@ -5,10 +5,10 @@ description: Detects deletion of local audit logs
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
 author: remotephone, oscd.community
-date: 2020/10/11
-modified: 2022/09/16
+date: 2020-10-11
+modified: 2022-09-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.002
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
index 4e7ef66d7a8..ef92da21431 100644
--- a/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
+++ b/rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml
@@ -8,7 +8,7 @@ description: Detects possible collection of data from the clipboard via executio
 references:
 - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
 author: Sohan G (D4rkCiph3r)
-date: 2023/01/31
+date: 2023-01-31
 tags:
 - attack.collection
 - attack.execution
diff --git a/rules/macos/process_creation/proc_creation_macos_create_account.yml b/rules/macos/process_creation/proc_creation_macos_create_account.yml
index f8028065a1c..b6c287a97d2 100644
--- a/rules/macos/process_creation/proc_creation_macos_create_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_create_account.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
 - https://ss64.com/osx/sysadminctl.html
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
-modified: 2023/02/18
+date: 2020-10-06
+modified: 2023-02-18
 tags:
 - attack.t1136.001
 - attack.persistence
diff --git a/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml b/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml
index 99775193998..1b87357e68a 100644
--- a/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml
@@ -5,10 +5,10 @@ description: Detects creation of a hidden user account on macOS (UserID < 500) o
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/10
-modified: 2021/11/27
+date: 2020-10-10
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.002
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml b/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
index 6ca0e5c269f..c97cc545b43 100644
--- a/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
+++ b/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
 - https://gist.github.com/Capybara/6228955
 author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
-date: 2020/10/19
-modified: 2021/11/27
+date: 2020-10-19
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.001
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml b/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
index 15570945f0e..69c47afe7fb 100644
--- a/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
+++ b/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
@@ -9,7 +9,7 @@ references:
 - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
 - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/01/02
+date: 2024-01-02
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml b/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml
index 82dd7b5e87a..1790b6dcb14 100644
--- a/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml
+++ b/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml
@@ -9,7 +9,7 @@ references:
 - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
 - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/01/02
+date: 2024-01-02
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml b/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml
index edde80cf917..651aaac827d 100644
--- a/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml
+++ b/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml
@@ -5,10 +5,10 @@ description: Detects disabling security tools
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2021/11/27
+date: 2020-10-19
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
index b847f32c748..b07a2082ea6 100644
--- a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
@@ -2,17 +2,17 @@ title: User Added To Admin Group Via Dscl
 id: b743623c-2776-40e0-87b1-682b975d0ca5
 related:
 - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects attempts to create and add an account to the admin group via "dscl"
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
 - https://ss64.com/osx/dscl.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/03/19
+date: 2023-03-19
 tags:
- - attack.initial_access
- - attack.privilege_escalation
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
index 1835065729a..7750a439aa5 100644
--- a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
 - https://ss64.com/osx/dseditgroup.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/08/22
+date: 2023-08-22
 tags:
- - attack.initial_access
- - attack.privilege_escalation
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
index 6329028d797..8c65fef061e 100644
--- a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
@@ -7,12 +7,12 @@ references:
 - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
 - https://ss64.com/osx/dsenableroot.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/08/22
+date: 2023-08-22
 tags:
 - attack.t1078
 - attack.t1078.001
 - attack.t1078.003
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml b/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml
index 4aca758c0e2..0594770a536 100644
--- a/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities to discover files and directories
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/25
+date: 2020-10-19
+modified: 2022-11-25
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
index 099c35e679a..d6dab1a8777 100644
--- a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
+++ b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml
@@ -5,10 +5,10 @@ description: Detecting attempts to extract passwords with grep and laZagne
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
-modified: 2021/11/27
+date: 2020-10-19
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
index 59f5616cd86..dd931957b18 100644
--- a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
+++ b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
 - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
 author: remotephone, oscd.community
-date: 2020/10/13
-modified: 2022/12/25
+date: 2020-10-13
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1056.002
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml b/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml
index 7e6ec47bf93..b5e119db81c 100644
--- a/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml
+++ b/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml
@@ -7,7 +7,7 @@ references:
 - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
 - https://ss64.com/mac/hdiutil.html
 author: Omar Khaled (@beacon_exe)
-date: 2024/08/10
+date: 2024-08-10
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml b/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
index ee3ae233f60..5463640d8ce 100644
--- a/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
+++ b/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
@@ -7,9 +7,9 @@ references:
 - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
 - https://ss64.com/mac/hdiutil.html
 author: Omar Khaled (@beacon_exe)
-date: 2024/08/10
+date: 2024-08-10
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 - attack.t1560.001
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml
index c0104c9ec61..4329d11b7f5 100644
--- a/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml
+++ b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml
@@ -6,14 +6,14 @@ references:
 - https://redcanary.com/blog/clipping-silver-sparrows-wings/
 - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
 author: Sohan G (D4rkCiph3r)
-date: 2023/02/18
+date: 2023-02-18
 tags:
 - attack.t1059
 - attack.t1059.007
 - attack.t1071
 - attack.t1071.001
 - attack.execution
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml b/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml
index 3a042212c04..79956ea7dae 100644
--- a/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml
@@ -11,8 +11,8 @@ references:
 - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
 - https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/12/20
-modified: 2024/01/02
+date: 2023-12-20
+modified: 2024-01-02
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml b/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml
index 9d326c3a9e0..28f3c5337f4 100644
--- a/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml
@@ -7,7 +7,7 @@ references:
 - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
 - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/22
+date: 2023-08-22
 tags:
 - attack.execution
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml b/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml
index 414ef823603..6f407c9e7e8 100644
--- a/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml
@@ -8,7 +8,7 @@ references:
 - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
 - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
 author: Jay Pandit
-date: 2023/08/22
+date: 2023-08-22
 tags:
 - attack.execution
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
index d17fb3ffd98..731fbda274a 100644
--- a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
@@ -8,7 +8,7 @@ description: Detects possible malicious execution of JXA in-memory via OSAScript
 references:
 - https://redcanary.com/blog/applescript/
 author: Sohan G (D4rkCiph3r)
-date: 2023/01/31
+date: 2023-01-31
 tags:
 - attack.t1059.002
 - attack.t1059.007
diff --git a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
index ce721a9c8e3..aabc461339d 100644
--- a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
@@ -9,7 +9,7 @@ references:
 - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
 - https://www.loobins.io/binaries/launchctl/
 author: Pratinav Chandra
-date: 2024/05/13
+date: 2024-05-13
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/macos/process_creation/proc_creation_macos_local_account.yml b/rules/macos/process_creation/proc_creation_macos_local_account.yml
index 51871afe38b..f3f0ad86624 100644
--- a/rules/macos/process_creation/proc_creation_macos_local_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_local_account.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local systeam accounts on MacOS
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/08
-modified: 2022/11/27
+date: 2020-10-08
+modified: 2022-11-27
 tags:
 - attack.discovery
 - attack.t1087.001
diff --git a/rules/macos/process_creation/proc_creation_macos_local_groups.yml b/rules/macos/process_creation/proc_creation_macos_local_groups.yml
index 43c241a02a6..a25fadffc44 100644
--- a/rules/macos/process_creation/proc_creation_macos_local_groups.yml
+++ b/rules/macos/process_creation/proc_creation_macos_local_groups.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local system groups
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/10/11
-modified: 2022/11/27
+date: 2020-10-11
+modified: 2022-11-27
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml b/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml
index 55f66033961..7a0c704e8f8 100644
--- a/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml
+++ b/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local or remote network services.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
-modified: 2021/11/27
+date: 2020-10-21
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml b/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml
index 325859b70b3..c4b0eccc68b 100644
--- a/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml
+++ b/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/14
-modified: 2022/11/26
+date: 2020-10-14
+modified: 2022-11-26
 tags:
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.t1040
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml b/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
index cab90630b93..69ec424a0bf 100644
--- a/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
+++ b/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
@@ -7,10 +7,10 @@ references:
 - https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
 - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
 author: Daniel Cortez
-date: 2024/06/04
+date: 2024-06-04
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
index 84af621ca79..98655b4d96a 100644
--- a/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
+++ b/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
@@ -6,8 +6,8 @@ references:
 - https://redcanary.com/blog/applescript/
 - https://objective-see.org/blog/blog_0x4B.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/01/31
-modified: 2023/02/04
+date: 2023-01-31
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
index ed9df6e6a6c..182e656dc3f 100644
--- a/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://redcanary.com/blog/applescript/
 - https://ss64.com/osx/osacompile.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/01/31
+date: 2023-01-31
 tags:
 - attack.t1059.002
 - attack.execution
diff --git a/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml b/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml
index 1d1cbbc2d32..87eda5e0b02 100644
--- a/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml
+++ b/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml
@@ -5,13 +5,13 @@ description: Detects when a built-in utility is used to decode and decrypt a pay
 references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
 author: Tim Rauch (rule), Elastic (idea)
-date: 2022/10/17
+date: 2022-10-17
 tags:
 - attack.t1059
 - attack.t1204
 - attack.execution
 - attack.t1140
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.s0482
 - attack.s0402
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
index 9ea30486925..b69e77d7b68 100644
--- a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
+++ b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml
@@ -6,7 +6,7 @@ references:
 - https://redcanary.com/blog/clipping-silver-sparrows-wings/
 - https://www.manpagez.com/man/8/PlistBuddy/
 author: Sohan G (D4rkCiph3r)
-date: 2023/02/18
+date: 2023-02-18
 tags:
 - attack.persistence
 - attack.t1543.001
diff --git a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
index 510078c7069..3ccdd9b1251 100644
--- a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml
@@ -12,9 +12,9 @@ description: |
 references:
 - Internal Research
 author: Josh Nickels, Qi Nan
-date: 2024/03/11
+date: 2024-03-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
index 40d2eed7e15..19f8bf9e9cf 100644
--- a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
@@ -5,8 +5,8 @@ description: Detects the enumeration of other remote systems.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/22
-modified: 2021/11/27
+date: 2020-10-22
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml
index 08aebeaecda..00950715f13 100644
--- a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml
+++ b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml
@@ -5,12 +5,12 @@ description: Detects abuse of the cron utility to perform task scheduling for in
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
-modified: 2022/11/27
+date: 2020-10-06
+modified: 2022-11-27
 tags:
 - attack.execution
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1053.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_screencapture.yml b/rules/macos/process_creation/proc_creation_macos_screencapture.yml
index 865a81a202f..572ad6d4ad5 100644
--- a/rules/macos/process_creation/proc_creation_macos_screencapture.yml
+++ b/rules/macos/process_creation/proc_creation_macos_screencapture.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
 author: remotephone, oscd.community
-date: 2020/10/13
-modified: 2021/11/27
+date: 2020-10-13
+modified: 2021-11-27
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml b/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml
index c07596097c0..88ed5f7b8bf 100644
--- a/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities (only grep for now) to discover s
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/11/27
+date: 2020-10-19
+modified: 2022-11-27
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
index 4570e106d75..781e0f0ac96 100644
--- a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
+++ b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
@@ -5,10 +5,10 @@ description: Detects attempts to masquerade as legitimate files by adding a spac
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
 author: remotephone
-date: 2021/11/20
-modified: 2023/01/04
+date: 2021-11-20
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.006
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml b/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml
index 0c7efb3d50e..feec9c3f46e 100644
--- a/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml
+++ b/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml
@@ -5,8 +5,8 @@ description: Detection use of the command "split" to split files into parts and
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/15
-modified: 2021/11/27
+date: 2020-10-15
+modified: 2021-11-27
 tags:
 - attack.exfiltration
 - attack.t1030
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
index 20424bbdc65..701f098564a 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
@@ -6,9 +6,9 @@ references:
 - https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang
 - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
 author: Sohan G (D4rkCiph3r)
-date: 2023/04/05
+date: 2023-04-05
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.execution
 - attack.t1189
 - attack.t1203
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
index 9590d7a9226..5f031bcb9f1 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
@@ -6,15 +6,15 @@ author: Tim Rauch (rule), Elastic (idea)
 references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
 - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
-date: 2022/10/21
-modified: 2022/12/28
+date: 2022-10-21
+modified: 2022-12-28
 logsource:
 category: process_creation
 product: macos
 tags:
 - attack.t1566
 - attack.t1566.002
- - attack.initial_access
+ - attack.initial-access
 - attack.t1059
 - attack.t1059.002
 - attack.t1204
@@ -22,7 +22,7 @@ tags:
 - attack.execution
 - attack.persistence
 - attack.t1553
- - attack.defense_evasion
+ - attack.defense-evasion
 detection:
 selection_parent:
 ParentImage|endswith: '/Script Editor'
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
index 9aebe117cfa..862cfc10a9e 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml
@@ -8,7 +8,7 @@ description: Detects usage of "find" binary in a suspicious manner to perform di
 references:
 - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/28
+date: 2022-12-28
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml b/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml
index 48557ffb62d..e191add1b9f 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml
@@ -5,10 +5,10 @@ description: Detects commandline operations on shell history files
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
 author: 'Mikhail Larin, oscd.community'
-date: 2020/10/17
-modified: 2021/11/27
+date: 2020-10-17
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.003
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml b/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml
index 30e7de4628b..ba21295677b 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml
@@ -5,9 +5,9 @@ description: Detects potential in-memory downloading and compiling of applets us
 references:
 - https://redcanary.com/blog/mac-application-bundles/
 author: Sohan G (D4rkCiph3r), Red Canary (idea)
-date: 2023/08/22
+date: 2023-08-22
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1059.007
 - attack.t1105
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml b/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml
index cf04547cd4e..b245c5f0e8a 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml
@@ -7,8 +7,8 @@ references:
 - https://www.manpagez.com/man/8/firmwarepasswd/
 - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
 author: Austin Songer @austinsonger
-date: 2021/09/30
-modified: 2022/10/09
+date: 2021-09-30
+modified: 2022-10-09
 tags:
 - attack.impact
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
index 38e8911a2a8..099e0f3f25d 100644
--- a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
+++ b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
@@ -5,7 +5,7 @@ description: Detects potential suspicious applet or osascript executing "osacomp
 references:
 - https://redcanary.com/blog/mac-application-bundles/
 author: Sohan G (D4rkCiph3r), Red Canary (Idea)
-date: 2023/04/03
+date: 2023-04-03
 tags:
 - attack.execution
 - attack.t1059.002
diff --git a/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml b/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml
index 8ff85e62f46..e98c15627b3 100644
--- a/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml
@@ -7,7 +7,7 @@ references:
 - https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
 - https://ss64.com/osx/sw_vers.html
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/12/20
+date: 2023-12-20
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
index c44d3ee8491..17b0026dc1a 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
@@ -2,17 +2,17 @@ title: User Added To Admin Group Via Sysadminctl
 id: 652c098d-dc11-4ba6-8566-c20e89042f2b
 related:
 - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects attempts to create and add an account to the admin group via "sysadminctl"
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
 - https://ss64.com/osx/sysadminctl.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/03/19
+date: 2023-03-19
 tags:
- - attack.initial_access
- - attack.privilege_escalation
+ - attack.initial-access
+ - attack.privilege-escalation
 - attack.t1078.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
index a9bfa4c0890..354dcb77b5a 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
@@ -5,9 +5,9 @@ description: Detects attempts to enable the guest account using the sysadminctl
 references:
 - https://ss64.com/osx/sysadminctl.html
 author: Sohan G (D4rkCiph3r)
-date: 2023/02/18
+date: 2023-02-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 - attack.t1078.001
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml b/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
index 06113ec554c..db1a2af4493 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
@@ -13,9 +13,9 @@ references:
 - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
 - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
 author: Pratinav Chandra
-date: 2024/05/27
+date: 2024-05-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1497.001
 - attack.discovery
 - attack.t1082
diff --git a/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml b/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml
index de11916adaf..f5de845711c 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml
@@ -5,8 +5,8 @@ description: Detects usage of system utilities to discover system network connec
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2022/12/28
+date: 2020-10-19
+modified: 2022-12-28
 tags:
 - attack.discovery
 - attack.t1049
diff --git a/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml b/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
index 32242df97cc..690993b3b3b 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
@@ -5,8 +5,8 @@ description: Detects enumeration of local network configuration
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
 author: remotephone, oscd.community
-date: 2020/10/06
-modified: 2022/12/28
+date: 2020-10-06
+modified: 2022-12-28
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml
index ca2c895bd3d..2035384e5e8 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml
@@ -12,10 +12,10 @@ references:
 - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
 - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
 author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
-date: 2024/01/02
+date: 2024-01-02
 tags:
 - attack.discovery
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1082
 - attack.t1497.001
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml b/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml
index cf4abd528aa..407bdd4e19f 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml
+++ b/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml
@@ -5,8 +5,8 @@ description: Adversaries may shutdown/reboot systems to interrupt access to, or
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
-modified: 2022/11/26
+date: 2020-10-19
+modified: 2022-11-26
 tags:
 - attack.impact
 - attack.t1529
diff --git a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
index 2ea720557f9..6d5e3933ad6 100644
--- a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
+++ b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
@@ -7,9 +7,9 @@ references:
 - https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
 - https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2023/12/20
+date: 2023-12-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml b/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml
index 1f4dd23ac94..c35b0f18de5 100644
--- a/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml
+++ b/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
 - https://www.loobins.io/binaries/tmutil/
 author: Pratinav Chandra
-date: 2024/05/29
+date: 2024-05-29
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml b/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml
index 42fc5013de8..abeed71c433 100644
--- a/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml
+++ b/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
 - https://www.loobins.io/binaries/tmutil/
 author: Pratinav Chandra
-date: 2024/05/29
+date: 2024-05-29
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml b/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml
index d02100cd7db..04a1e2e1c47 100644
--- a/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml
+++ b/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
 - https://www.loobins.io/binaries/tmutil/
 author: Pratinav Chandra
-date: 2024/05/29
+date: 2024-05-29
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml b/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml
index a93bd9b958a..693066ec9d1 100644
--- a/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml
+++ b/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml
@@ -7,9 +7,9 @@ references:
 - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
 - https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
 author: Tim Rauch (rule), Elastic (idea)
-date: 2022/10/17
+date: 2022-10-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml b/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml
index 6a3aed53834..1525ff58c1f 100644
--- a/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml
+++ b/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md
 - https://www.loobins.io/binaries/xattr/
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
-modified: 2024/04/18
+date: 2020-10-19
+modified: 2024-04-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.001
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml b/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml
index 91529f371b1..2064fed936d 100644
--- a/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml
+++ b/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08
 - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
 author: Tim Rauch (rule), Elastic (idea)
-date: 2022/10/17
+date: 2022-10-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index e32eba875c4..543be076f71 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -6,10 +6,10 @@ references:
 - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html
 - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/05/26
+date: 2019-08-12
+modified: 2023-05-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.003
 logsource:
 product: cisco
diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
index a735063db82..dafb8093281 100644
--- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml
@@ -7,11 +7,11 @@ references:
 - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
 - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
 author: Austin Clark
-date: 2019/08/11
-modified: 2023/01/04
+date: 2019-08-11
+modified: 2023-01-04
 tags:
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.collection
 - attack.t1087.001
 - attack.t1552.001
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index 3485e200ea1..6656c54dffc 100644
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -5,11 +5,11 @@ description: Show when private keys are being exported from the device, or when
 references:
 - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
- - attack.credential_access
- - attack.defense_evasion
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.t1553.004
 - attack.t1552.004
 logsource:
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index 06711af2975..6eea7252689 100644
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -5,10 +5,10 @@ description: Turn off logging locally or remote
 references:
 - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
 author: Austin Clark
-date: 2019/08/11
-modified: 2023/01/04
+date: 2019-08-11
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: cisco
diff --git a/rules/network/cisco/aaa/cisco_cli_discovery.yml b/rules/network/cisco/aaa/cisco_cli_discovery.yml
index 5d657406737..6a66a8d8fd5 100644
--- a/rules/network/cisco/aaa/cisco_cli_discovery.yml
+++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml
@@ -5,8 +5,8 @@ description: Find information about network devices that is not stored in config
 references:
 - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml
index e2455a3bc96..b1279b6db7e 100644
--- a/rules/network/cisco/aaa/cisco_cli_dos.yml
+++ b/rules/network/cisco/aaa/cisco_cli_dos.yml
@@ -3,8 +3,8 @@ id: d94a35f0-7a29-45f6-90a0-80df6159967c
 status: test
 description: Detect a system being shutdown or put into different boot mode
 author: Austin Clark
-date: 2019/08/15
-modified: 2023/01/04
+date: 2019-08-15
+modified: 2023-01-04
 tags:
 - attack.impact
 - attack.t1495
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index beedf97933d..917a540896b 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -3,10 +3,10 @@ id: 71d65515-c436-43c0-841b-236b1f32c21e
 status: test
 description: See what files are being deleted from flash file systems
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1070.004
 - attack.t1561.001
diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
index ccd20f84a59..55b4622e6b4 100644
--- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml
+++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml
@@ -3,10 +3,10 @@ id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
 status: test
 description: See what commands are being input into the device by other people, full credentials can be in the history
 author: Austin Clark
-date: 2019/08/11
-modified: 2023/01/04
+date: 2019-08-11
+modified: 2023-01-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.003
 logsource:
 product: cisco
diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
index 6787735651b..e1d47c0bcfc 100644
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
+++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml
@@ -3,8 +3,8 @@ id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
 status: test
 description: Find local accounts being created or modified as well as remote authentication configurations
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
index 699678c942c..70c52e3a416 100644
--- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml
+++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml
@@ -3,8 +3,8 @@ id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
 status: test
 description: Modifications to a config that will serve an adversary's impacts or persistence
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
 - attack.persistence
 - attack.impact
diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
index a5068ab1def..2b8196ca573 100644
--- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml
+++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml
@@ -3,12 +3,12 @@ id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
 status: test
 description: Various protocols maybe used to put data on the device for exfil or infil
 author: Austin Clark
-date: 2019/08/12
-modified: 2023/01/04
+date: 2019-08-12
+modified: 2023-01-04
 tags:
 - attack.collection
- - attack.lateral_movement
- - attack.command_and_control
+ - attack.lateral-movement
+ - attack.command-and-control
 - attack.exfiltration
 - attack.t1074
 - attack.t1105
diff --git a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
index e5063d4dcf6..c55cd087c92 100644
--- a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
+++ b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml
@@ -3,10 +3,10 @@ id: b9e1f193-d236-4451-aaae-2f3d2102120d
 status: test
 description: Show when a monitor or a span/rspan is setup or modified
 author: Austin Clark
-date: 2019/08/11
-modified: 2023/01/04
+date: 2019-08-11
+modified: 2023-01-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1040
 logsource:
diff --git a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
index c7161576533..1ce546fcfde 100644
--- a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
+++ b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
@@ -5,14 +5,14 @@ description: Detects BGP failures which may be indicative of brute force attacks
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
 author: Tim Brown
-date: 2023/01/09
-modified: 2023/01/23
+date: 2023-01-09
+modified: 2023-01-23
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.collection
 - attack.t1078
 - attack.t1110
diff --git a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
index 10800ba25f8..d8827cb7afe 100644
--- a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
+++ b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
@@ -5,13 +5,13 @@ description: Detects LDP failures which may be indicative of brute force attacks
 references:
 - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
 author: Tim Brown
-date: 2023/01/09
+date: 2023-01-09
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.collection
 - attack.t1078
 - attack.t1110
diff --git a/rules/network/dns/net_dns_external_service_interaction_domains.yml b/rules/network/dns/net_dns_external_service_interaction_domains.yml
index a0cc8cdd08f..c5844d93205 100644
--- a/rules/network/dns/net_dns_external_service_interaction_domains.yml
+++ b/rules/network/dns/net_dns_external_service_interaction_domains.yml
@@ -5,9 +5,9 @@ description: Detects suspicious DNS queries to external service interaction doma
 references:
 - https://twitter.com/breakersall/status/1533493587828260866
 author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
-date: 2022/06/07
+date: 2022-06-07
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.reconnaissance
 - attack.t1595.002
diff --git a/rules/network/dns/net_dns_mal_cobaltstrike.yml b/rules/network/dns/net_dns_mal_cobaltstrike.yml
index e88298a07b4..b09887d679e 100644
--- a/rules/network/dns/net_dns_mal_cobaltstrike.yml
+++ b/rules/network/dns/net_dns_mal_cobaltstrike.yml
@@ -6,10 +6,10 @@ references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 author: Florian Roth (Nextron Systems)
-date: 2018/05/10
-modified: 2022/10/09
+date: 2018-05-10
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 logsource:
 category: dns
diff --git a/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml b/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
index 97e90addca5..d980f568948 100644
--- a/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
+++ b/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
@@ -5,7 +5,7 @@ description: Detects suspicious DNS queries to Monero mining pools
 references:
 - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
 author: Florian Roth (Nextron Systems)
-date: 2021/10/24
+date: 2021-10-24
 tags:
 - attack.impact
 - attack.t1496
diff --git a/rules/network/dns/net_dns_susp_b64_queries.yml b/rules/network/dns/net_dns_susp_b64_queries.yml
index 3ef23ee855e..fa5084bc596 100644
--- a/rules/network/dns/net_dns_susp_b64_queries.yml
+++ b/rules/network/dns/net_dns_susp_b64_queries.yml
@@ -5,12 +5,12 @@ description: Detects suspicious DNS queries using base64 encoding
 references:
 - https://github.com/krmaxwell/dns-exfiltration
 author: Florian Roth (Nextron Systems)
-date: 2018/05/10
-modified: 2022/10/09
+date: 2018-05-10
+modified: 2022-10-09
 tags:
 - attack.exfiltration
 - attack.t1048.003
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 logsource:
 category: dns
diff --git a/rules/network/dns/net_dns_susp_telegram_api.yml b/rules/network/dns/net_dns_susp_telegram_api.yml
index fa940cc9297..56a3929bae7 100644
--- a/rules/network/dns/net_dns_susp_telegram_api.yml
+++ b/rules/network/dns/net_dns_susp_telegram_api.yml
@@ -8,10 +8,10 @@ references: - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ author: Florian Roth (Nextron Systems) -date: 2018/06/05 -modified: 2022/10/09 +date: 2018-06-05 +modified: 2022-10-09 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1102.002 logsource: category: dns diff --git a/rules/network/dns/net_dns_susp_txt_exec_strings.yml b/rules/network/dns/net_dns_susp_txt_exec_strings.yml index 76dcb90121c..ea44dfd0b4b 100644 --- a/rules/network/dns/net_dns_susp_txt_exec_strings.yml +++ b/rules/network/dns/net_dns_susp_txt_exec_strings.yml @@ -6,10 +6,10 @@ references: - https://twitter.com/stvemillertime/status/1024707932447854592 - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1 author: Markus Neis -date: 2018/08/08 -modified: 2021/11/27 +date: 2018-08-08 +modified: 2021-11-27 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.004 logsource: category: dns diff --git a/rules/network/dns/net_dns_wannacry_killswitch_domain.yml b/rules/network/dns/net_dns_wannacry_killswitch_domain.yml index dbf91f08b6a..85bc230241d 100644 --- a/rules/network/dns/net_dns_wannacry_killswitch_domain.yml +++ b/rules/network/dns/net_dns_wannacry_killswitch_domain.yml @@ -5,10 +5,10 @@ description: Detects wannacry killswitch domain dns queries references: - https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign author: Mike Wade -date: 2020/09/16 -modified: 2022/03/24 +date: 2020-09-16 +modified: 2022-03-24 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: dns 
diff --git a/rules/network/firewall/net_firewall_cleartext_protocols.yml b/rules/network/firewall/net_firewall_cleartext_protocols.yml index 6bc0432ed35..4e8935c7f58 100644 --- a/rules/network/firewall/net_firewall_cleartext_protocols.yml +++ b/rules/network/firewall/net_firewall_cleartext_protocols.yml @@ -9,10 +9,10 @@ references: - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf author: Alexandr Yampolskyi, SOC Prime, Tim Shelton -date: 2019/03/26 -modified: 2022/10/10 +date: 2019-03-26 +modified: 2022-10-10 tags: - - attack.credential_access + - attack.credential-access # - CSC4 # - CSC4.5 # - CSC14 diff --git a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml index 5021d7aed6c..4843bcbe6a8 100644 --- a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml +++ b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml @@ -5,14 +5,14 @@ description: Detects BGP failures which may be indicative of brute force attacks references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf author: Tim Brown -date: 2023/01/09 -modified: 2023/01/23 +date: 2023-01-09 +modified: 2023-01-23 tags: - - attack.initial_access + - attack.initial-access - attack.persistence - - attack.privilege_escalation - - attack.defense_evasion - - attack.credential_access + - attack.privilege-escalation + - attack.defense-evasion + - attack.credential-access - attack.collection - attack.t1078 - attack.t1110 diff --git a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml index 1982086a117..78cb752e322 100644 --- a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml +++ b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml 
@@ -5,14 +5,14 @@ description: Detects juniper BGP missing MD5 digest. Which may be indicative of references: - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf author: Tim Brown -date: 2023/01/09 -modified: 2023/01/23 +date: 2023-01-09 +modified: 2023-01-23 tags: - - attack.initial_access + - attack.initial-access - attack.persistence - - attack.privilege_escalation - - attack.defense_evasion - - attack.credential_access + - attack.privilege-escalation + - attack.defense-evasion + - attack.credential-access - attack.collection - attack.t1078 - attack.t1110 diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml index ec3b2988a7a..0df94623804 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml @@ -5,8 +5,8 @@ description: 'Windows DCE-RPC functions which indicate an execution techniques o references: - https://github.com/mitre-attack/bzar#indicators-for-attck-execution author: '@neu5ron, SOC Prime' -date: 2020/03/19 -modified: 2021/11/27 +date: 2020-03-19 +modified: 2021-11-27 tags: - attack.execution - attack.t1047 diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml index a5bbc4c1ac5..31fa8d65f26 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml @@ -5,8 +5,8 @@ description: 'Windows DCE-RPC functions which indicate a persistence techniques references: - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence author: '@neu5ron, SOC Prime' -date: 2020/03/19 -modified: 2021/11/27 +date: 2020-03-19 +modified: 2021-11-27 tags: - attack.persistence - attack.t1547.004 
diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index 3ff369979ae..bb632c13a84 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -12,8 +12,8 @@ references: - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf - https://threatpost.com/microsoft-petitpotam-poc/168163/ author: '@neu5ron, @Antonlovesdnb, Mike Remen' -date: 2021/08/17 -modified: 2022/11/28 +date: 2021-08-17 +modified: 2022-11-28 tags: - attack.t1557.001 - attack.t1187 diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index 4a188b5e948..41d9d2aa516 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml @@ -16,13 +16,13 @@ references: - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ author: '@neu5ron (Nate Guagenti)' -date: 2021/08/23 -modified: 2022/07/07 +date: 2021-08-23 +modified: 2022-07-07 tags: - attack.execution - - cve.2021.1678 - - cve.2021.1675 - - cve.2021.34527 + - cve.2021-1678 + - cve.2021-1675 + - cve.2021-34527 logsource: product: zeek service: dce_rpc diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml index 3e3c14fb143..645e5b4e371 100644 --- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml 
@@ -7,10 +7,10 @@ references: - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ - https://twitter.com/_dirkjan/status/1309214379003588608 author: OTR (Open Threat Research), @neu5ron -date: 2018/11/28 -modified: 2022/10/09 +date: 2018-11-28 +modified: 2022-10-09 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.002 logsource: product: zeek diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml index ff65bc439b8..9d8ed45fd89 100644 --- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml +++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml @@ -5,10 +5,10 @@ description: Detects the presence of default Cobalt Strike certificate in the HT references: - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 author: Bhabesh Raj -date: 2021/06/23 -modified: 2022/10/09 +date: 2021-06-23 +modified: 2022-10-09 tags: - - attack.command_and_control + - attack.command-and-control - attack.s0154 logsource: product: zeek diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml index a715f2934e5..4439d628a1f 100644 --- a/rules/network/zeek/zeek_dns_mining_pools.yml +++ b/rules/network/zeek/zeek_dns_mining_pools.yml @@ -5,8 +5,8 @@ description: Identifies clients that may be performing DNS lookups associated wi references: - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml author: Saw Winn Naung, Azure-Sentinel, @neu5ron -date: 2021/08/19 -modified: 2022/07/07 +date: 2021-08-19 +modified: 2022-07-07 tags: - attack.execution - attack.t1569.002 diff --git a/rules/network/zeek/zeek_dns_nkn.yml b/rules/network/zeek/zeek_dns_nkn.yml index 6e96c4e49a8..c91edb615b0 100644 --- a/rules/network/zeek/zeek_dns_nkn.yml 
+++ b/rules/network/zeek/zeek_dns_nkn.yml @@ -7,9 +7,9 @@ references: - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ - https://github.com/Maka8ka/NGLite author: Michael Portera (@mportatoes) -date: 2022/04/21 +date: 2022-04-21 tags: - - attack.command_and_control + - attack.command-and-control logsource: product: zeek service: dns diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml index 6f948522582..1e95fddf50f 100644 --- a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml @@ -13,12 +13,12 @@ references: - https://tools.ietf.org/html/rfc2929#section-2.1 - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS author: '@neu5ron, SOC Prime Team, Corelight' -date: 2021/05/04 -modified: 2022/11/29 +date: 2021-05-04 +modified: 2022-11-29 tags: - attack.t1095 - attack.t1571 - - attack.command_and_control + - attack.command-and-control logsource: product: zeek service: dns diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml index 82e7d3aba7c..1cfa8e426e0 100644 --- a/rules/network/zeek/zeek_dns_torproxy.yml +++ b/rules/network/zeek/zeek_dns_torproxy.yml @@ -5,8 +5,8 @@ description: Identifies IPs performing DNS lookups associated with common Tor pr references: - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml author: Saw Winn Naung , Azure-Sentinel -date: 2021/08/15 -modified: 2022/10/09 +date: 2021-08-15 +modified: 2022-10-09 tags: - attack.exfiltration - attack.t1048 diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml index 40639e815fb..4f9c5036118 100644 --- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml 
+++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml @@ -6,10 +6,10 @@ references: - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html - https://github.com/OTRF/detection-hackathon-apt29 author: 'SOC Prime, Adam Swan' -date: 2020/05/01 -modified: 2021/11/27 +date: 2020-05-01 +modified: 2021-11-27 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: product: zeek diff --git a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml index 58a2c26ec33..2d77cb85d4b 100644 --- a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml +++ b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml @@ -9,13 +9,13 @@ references: - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure - https://twitter.com/neu5ron/status/1438987292971053057?s=20 author: Nate Guagenti (neu5ron) -date: 2021/09/20 -modified: 2019/09/20 +date: 2021-09-20 +modified: 2019-09-20 tags: - - attack.privilege_escalation - - attack.initial_access + - attack.privilege-escalation + - attack.initial-access - attack.execution - - attack.lateral_movement + - attack.lateral-movement - attack.t1068 - attack.t1190 - attack.t1203 diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml index 32f66aed3e1..c0a987f2e83 100644 --- a/rules/network/zeek/zeek_http_webdav_put_request.yml +++ b/rules/network/zeek/zeek_http_webdav_put_request.yml @@ -5,8 +5,8 @@ description: A General detection for WebDav user-agent being used to PUT files o references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -modified: 2024/03/13 +date: 2020-05-02 +modified: 2024-03-13 tags: - attack.exfiltration - attack.t1048.003 
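Review bot: In the zeek_http_omigod_no_auth_rce.yml hunk the new side carries `modified: 2019-09-20` against `date: 2021-09-20`, so the modification date predates the rule's creation by two years; the separator migration faithfully preserved what looks like a pre-existing typo. OMIGOD (the OMI RCE this rule targets) was disclosed in September 2021, so 2019 cannot be a real modification date — either drop the `modified` key, which Sigma omits for never-modified rules, or set it to the actual last-change date (`modified: 2021-09-20` if the history shows nothing later). While these tags are being touched, `attack.lateral-movement` has no matching technique in the list (t1068, t1190 and t1203 cover the other three tactics); if lateral movement is intended, `attack.t1210` would be the usual pairing, otherwise the tactic tag is probably spurious. Both points are presumably outside the scope of a mechanical reformat, but a follow-up fix would be cheap since the lines are already being rewritten here.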
diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml index 1d142837bb7..a6c34b190b8 100644 --- a/rules/network/zeek/zeek_rdp_public_listener.yml +++ b/rules/network/zeek/zeek_rdp_public_listener.yml @@ -6,10 +6,10 @@ description: | references: - https://attack.mitre.org/techniques/T1021/001/ author: Josh Brower @DefensiveDepth -date: 2020/08/22 -modified: 2024/03/13 +date: 2020-08-22 +modified: 2024-03-13 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.001 logsource: product: zeek diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml index 54b3ac4afc9..65c68a83198 100644 --- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml +++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml @@ -8,10 +8,10 @@ description: Detects remote task creation via at.exe or API interacting with ATS references: - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html author: 'Samir Bousseaden, @neu5rn' -date: 2020/04/03 -modified: 2022/12/27 +date: 2020-04-03 +modified: 2022-12-27 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.persistence - car.2013-05-004 - car.2015-04-001 diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index 4b2fa257341..bc0ebc1bf1e 100644 --- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml 
@@ -5,10 +5,10 @@ description: 'Detect AD credential dumping using impacket secretdump HKTL. Based references: - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html author: 'Samir Bousseaden, @neu5ron' -date: 2020/03/19 -modified: 2021/11/27 +date: 2020-03-19 +modified: 2021-11-27 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.002 - attack.t1003.004 - attack.t1003.003 diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml index 4f4173fc2ae..4fdf10b4eda 100644 --- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml +++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml @@ -8,10 +8,10 @@ description: This detection excludes known namped pipes accessible remotely and references: - https://twitter.com/menasec1/status/1104489274387451904 author: Samir Bousseaden, @neu5ron, Tim Shelton -date: 2020/04/02 -modified: 2022/12/27 +date: 2020-04-02 +modified: 2022-12-27 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.002 logsource: product: zeek diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index c1940bef359..8a1d13566bf 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -8,10 +8,10 @@ description: detects execution of psexec or paexec with renamed service name, th references: - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html author: Samir Bousseaden, @neu5ron, Tim Shelton -date: 2020/04/02 -modified: 2022/12/27 +date: 2020-04-02 +modified: 2022-12-27 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.002 logsource: product: zeek 
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml index 63b86335244..32096ef4636 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml @@ -8,8 +8,8 @@ description: Detects known sensitive file extensions via Zeek references: - Internal Research author: Samir Bousseaden, @neu5ron -date: 2020/04/02 -modified: 2021/11/27 +date: 2020-04-02 +modified: 2021-11-27 tags: - attack.collection logsource: diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml index 80e974747e2..979a113bf67 100644 --- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml +++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml @@ -8,10 +8,10 @@ description: Transferring files with well-known filenames (sensitive files with references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: '@neu5ron, Teymur Kheirkhabarov, oscd.community' -date: 2020/04/02 -modified: 2021/11/27 +date: 2020-04-02 +modified: 2021-11-27 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.002 - attack.t1003.001 - attack.t1003.003 diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml index 5cc7d95f889..70e230989ce 100644 --- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml +++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml 
@@ -5,10 +5,10 @@ description: Detects kerberos TGS request using RC4 encryption which may be indi references: - https://adsecurity.org/?p=3458 author: sigma -date: 2020/02/12 -modified: 2021/11/27 +date: 2020-02-12 +modified: 2021-11-27 tags: - - attack.credential_access + - attack.credential-access - attack.t1558.003 logsource: product: zeek diff --git a/rules/web/product/apache/web_apache_segfault.yml b/rules/web/product/apache/web_apache_segfault.yml index cc262e02a8d..b09a2ee1ea0 100644 --- a/rules/web/product/apache/web_apache_segfault.yml +++ b/rules/web/product/apache/web_apache_segfault.yml @@ -5,8 +5,8 @@ description: Detects a segmentation fault error message caused by a crashing apa references: - http://www.securityfocus.com/infocus/1633 author: Florian Roth (Nextron Systems) -date: 2017/02/28 -modified: 2021/11/27 +date: 2017-02-28 +modified: 2021-11-27 tags: - attack.impact - attack.t1499.004 diff --git a/rules/web/product/apache/web_apache_threading_error.yml b/rules/web/product/apache/web_apache_threading_error.yml index 3fe9c383f5b..b103bf99b3c 100644 --- a/rules/web/product/apache/web_apache_threading_error.yml +++ b/rules/web/product/apache/web_apache_threading_error.yml @@ -5,11 +5,11 @@ description: Detects an issue in apache logs that reports threading related erro references: - https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md author: Florian Roth (Nextron Systems) -date: 2019/01/22 -modified: 2021/11/27 +date: 2019-01-22 +modified: 2021-11-27 tags: - - attack.initial_access - - attack.lateral_movement + - attack.initial-access + - attack.lateral-movement - attack.t1190 - attack.t1210 logsource: diff --git a/rules/web/product/nginx/web_nginx_core_dump.yml b/rules/web/product/nginx/web_nginx_core_dump.yml index 3450d965e90..02924b209c2 100644 --- a/rules/web/product/nginx/web_nginx_core_dump.yml +++ b/rules/web/product/nginx/web_nginx_core_dump.yml 
@@ -6,8 +6,8 @@ references: - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/ author: Florian Roth (Nextron Systems) -date: 2021/05/31 -modified: 2023/05/08 +date: 2021-05-31 +modified: 2023-05-08 tags: - attack.impact - attack.t1499.004 diff --git a/rules/web/proxy_generic/proxy_download_susp_dyndns.yml b/rules/web/proxy_generic/proxy_download_susp_dyndns.yml index e5153abd1c7..7203074075f 100644 --- a/rules/web/proxy_generic/proxy_download_susp_dyndns.yml +++ b/rules/web/proxy_generic/proxy_download_susp_dyndns.yml @@ -5,11 +5,11 @@ description: Detects download of certain file types from hosts with dynamic DNS references: - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats author: Florian Roth (Nextron Systems) -date: 2017/11/08 -modified: 2023/05/18 +date: 2017-11-08 +modified: 2023-05-18 tags: - - attack.defense_evasion - - attack.command_and_control + - attack.defense-evasion + - attack.command-and-control - attack.t1105 - attack.t1568 logsource: diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml index 36f89f5aeb6..8e667f1624c 100644 --- a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml +++ b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml @@ -11,10 +11,10 @@ references: - https://www.spamhaus.org/statistics/tlds/ - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ author: Florian Roth (Nextron Systems) -date: 2017/11/07 -modified: 2023/05/18 +date: 2017-11-07 +modified: 2023-05-18 tags: - - attack.initial_access + - attack.initial-access - attack.t1566 - attack.execution - attack.t1203 diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml index e405b04f6d3..b041d6b3986 100644 
--- a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml +++ b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml @@ -8,10 +8,10 @@ description: Detects executable downloads from suspicious remote systems references: - Internal Research author: Florian Roth (Nextron Systems) -date: 2017/03/13 -modified: 2023/05/18 +date: 2017-03-13 +modified: 2023-05-18 tags: - - attack.initial_access + - attack.initial-access - attack.t1566 - attack.execution - attack.t1203 diff --git a/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml b/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml index 11340a82f18..0491d6dd36c 100644 --- a/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml +++ b/rules/web/proxy_generic/proxy_downloadcradle_webdav.yml @@ -5,10 +5,10 @@ description: Detects WebDav DownloadCradle references: - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html author: Florian Roth (Nextron Systems) -date: 2018/04/06 -modified: 2021/11/27 +date: 2018-04-06 +modified: 2021-11-27 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml index ade684022fd..6a2f8c07bd8 100644 --- a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml +++ b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml @@ -10,9 +10,9 @@ references: - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo -date: 2023/11/08 +date: 2023-11-08 tags: - - attack.initial_access + - attack.initial-access - attack.t1190 logsource: category: proxy 
diff --git a/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml b/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml index 517e51994ff..9007be2d216 100644 --- a/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml +++ b/rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml @@ -5,10 +5,10 @@ description: Detects Baby Shark C2 Framework default communication patterns references: - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845 author: Florian Roth (Nextron Systems) -date: 2021/06/09 -modified: 2024/02/15 +date: 2021-06-09 +modified: 2024-02-15 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml b/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml index 6eaa03271f2..e758a828134 100644 --- a/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml +++ b/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml @@ -2,13 +2,13 @@ title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac related: - id: 953b895e-5cc9-454b-b183-7f3db555452e - type: obsoletes + type: obsolete - id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8 - type: obsoletes + type: obsolete - id: 37325383-740a-403d-b1a2-b2b4ab7992e7 - type: obsoletes + type: obsolete - id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc - type: obsoletes + type: obsolete status: test description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods). references: 
@@ -18,10 +18,10 @@ references: - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile author: Markus Neis, Florian Roth (Nextron Systems) -date: 2024/02/15 +date: 2024-02-15 tags: - - attack.defense_evasion - - attack.command_and_control + - attack.defense-evasion + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml b/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml index f7236717142..8e91d7e6173 100644 --- a/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml +++ b/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml @@ -5,11 +5,11 @@ description: Detects user agent and URI paths used by empire agents references: - https://github.com/BC-SECURITY/Empire author: Florian Roth (Nextron Systems) -date: 2020/07/13 -modified: 2024/02/26 +date: 2020-07-13 +modified: 2024-02-26 tags: - - attack.defense_evasion - - attack.command_and_control + - attack.defense-evasion + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml b/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml index b89fcf8d719..ef41f25b4b1 100644 --- a/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml +++ b/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml @@ -6,8 +6,8 @@ references: - https://www.advanced-ip-scanner.com/ - https://www.advanced-port-scanner.com/ author: Axel Olsson -date: 2022/08/14 -modified: 2024/02/15 +date: 2022-08-14 +modified: 2024-02-15 tags: - attack.discovery - attack.t1590 diff --git a/rules/web/proxy_generic/proxy_pwndrop.yml b/rules/web/proxy_generic/proxy_pwndrop.yml index f7959832dfe..271b9cf238e 100644 
--- a/rules/web/proxy_generic/proxy_pwndrop.yml +++ b/rules/web/proxy_generic/proxy_pwndrop.yml @@ -5,10 +5,10 @@ description: Detects downloads from PwnDrp web servers developed for red team te references: - https://breakdev.org/pwndrop/ author: Florian Roth (Nextron Systems) -date: 2020/04/15 -modified: 2021/11/27 +date: 2020-04-15 +modified: 2021-11-27 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 - attack.t1102.001 - attack.t1102.003 diff --git a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml index 5a3d53fc412..c0443c5ffc0 100644 --- a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml +++ b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml @@ -5,14 +5,14 @@ description: Detects direct access to raw pastes in different paste services oft references: - https://www.virustotal.com/gui/domain/paste.ee/relations author: Florian Roth (Nextron Systems) -date: 2019/12/05 -modified: 2023/01/19 +date: 2019-12-05 +modified: 2023-01-19 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 - attack.t1102.001 - attack.t1102.003 - - attack.defense_evasion + - attack.defense-evasion logsource: category: proxy detection: diff --git a/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml b/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml index 5d3e43ddd59..5a49114b99c 100644 --- a/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml +++ b/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml 
@@ -5,14 +5,14 @@ description: Detects a flashplayer update from an unofficial location references: - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb author: Florian Roth (Nextron Systems) -date: 2017/10/25 -modified: 2022/08/08 +date: 2017-10-25 +modified: 2022-08-08 tags: - - attack.initial_access + - attack.initial-access - attack.t1189 - attack.execution - attack.t1204.002 - - attack.defense_evasion + - attack.defense-evasion - attack.t1036.005 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml index d776a2950a3..36f7535dc62 100644 --- a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml +++ b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml @@ -7,9 +7,9 @@ references: - https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11 - https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638 author: Gavin Knapp -date: 2023/03/16 +date: 2023-03-16 tags: - - attack.credential_access + - attack.credential-access - attack.t1056 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_telegram_api.yml b/rules/web/proxy_generic/proxy_telegram_api.yml index 37f5d744ba1..b09d4a7d98b 100644 --- a/rules/web/proxy_generic/proxy_telegram_api.yml +++ b/rules/web/proxy_generic/proxy_telegram_api.yml @@ -7,11 +7,11 @@ references: - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ author: Florian Roth (Nextron Systems) -date: 2018/06/05 -modified: 2023/05/18 +date: 2018-06-05 +modified: 2023-05-18 tags: - - attack.defense_evasion - - attack.command_and_control + - attack.defense-evasion + - attack.command-and-control - attack.t1071.001 - attack.t1102.002 logsource: 
diff --git a/rules/web/proxy_generic/proxy_ua_apt.yml b/rules/web/proxy_generic/proxy_ua_apt.yml index f8d276185a0..830baffd50d 100644 --- a/rules/web/proxy_generic/proxy_ua_apt.yml +++ b/rules/web/proxy_generic/proxy_ua_apt.yml @@ -5,10 +5,10 @@ description: Detects suspicious user agent strings used in APT malware in proxy references: - Internal Research author: Florian Roth (Nextron Systems), Markus Neis -date: 2019/11/12 -modified: 2024/02/15 +date: 2019-11-12 +modified: 2024-02-15 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml index 124a11a1873..9c0d77d1c73 100644 --- a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml +++ b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml @@ -8,9 +8,9 @@ description: Detects suspicious encoded User-Agent strings, as seen used by some references: - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/04 +date: 2023-05-04 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1071.001 logsource: category: proxy diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml index 043b61f6284..e7d0cb2f8ef 100644 --- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml +++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml 
@@ -5,12 +5,12 @@ description: Detects Bitsadmin connections to IP addresses instead of FQDN names
 references:
 - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
 author: Florian Roth (Nextron Systems)
-date: 2022/06/10
-modified: 2022/08/24
+date: 2022-06-10
+modified: 2022-08-24
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
index 8f541a58a25..86957937370 100644
--- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/jhencinski/status/1102695118455349248
 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
 author: Florian Roth (Nextron Systems), Tim Shelton
-date: 2019/03/07
-modified: 2023/05/17
+date: 2019-03-07
+modified: 2023-05-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/web/proxy_generic/proxy_ua_cryptominer.yml b/rules/web/proxy_generic/proxy_ua_cryptominer.yml
index 04e5d7eba55..ca947fb1c80 100644
--- a/rules/web/proxy_generic/proxy_ua_cryptominer.yml
+++ b/rules/web/proxy_generic/proxy_ua_cryptominer.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
 - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
 author: Florian Roth (Nextron Systems)
-date: 2019/10/21
-modified: 2021/11/27
+date: 2019-10-21
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_ua_empty.yml b/rules/web/proxy_generic/proxy_ua_empty.yml
index d588f58c533..70b50e0d7a4 100644
--- a/rules/web/proxy_generic/proxy_ua_empty.yml
+++ b/rules/web/proxy_generic/proxy_ua_empty.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth (Nextron Systems)
-date: 2017/07/08
-modified: 2021/11/27
+date: 2017-07-08
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_ua_frameworks.yml b/rules/web/proxy_generic/proxy_ua_frameworks.yml
index 15c5d660adc..c6b89bc3f61 100644
--- a/rules/web/proxy_generic/proxy_ua_frameworks.yml
+++ b/rules/web/proxy_generic/proxy_ua_frameworks.yml
@@ -5,10 +5,10 @@ description: Detects suspicious user agent strings used by exploit / pentest fra
 references:
 - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth (Nextron Systems)
-date: 2017/07/08
-modified: 2021/11/27
+date: 2017-07-08
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_ua_hacktool.yml b/rules/web/proxy_generic/proxy_ua_hacktool.yml
index e2878229843..b3a803ef553 100644
--- a/rules/web/proxy_generic/proxy_ua_hacktool.yml
+++ b/rules/web/proxy_generic/proxy_ua_hacktool.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
 - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth (Nextron Systems)
-date: 2017/07/08
-modified: 2022/07/07
+date: 2017-07-08
+modified: 2022-07-07
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_ua_malware.yml b/rules/web/proxy_generic/proxy_ua_malware.yml
index 9b8246bd930..3705b7a2082 100644
--- a/rules/web/proxy_generic/proxy_ua_malware.yml
+++ b/rules/web/proxy_generic/proxy_ua_malware.yml
@@ -12,10 +12,10 @@ references:
 - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
 - https://twitter.com/crep1x/status/1635034100213112833
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2017/07/08
-modified: 2024/04/14
+date: 2017-07-08
+modified: 2024-04-14
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_ua_powershell.yml b/rules/web/proxy_generic/proxy_ua_powershell.yml
index 16357dd5fc2..59e9ab91c49 100644
--- a/rules/web/proxy_generic/proxy_ua_powershell.yml
+++ b/rules/web/proxy_generic/proxy_ua_powershell.yml
@@ -5,11 +5,11 @@ description: Detects Windows PowerShell Web Access
 references:
 - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth (Nextron Systems)
-date: 2017/03/13
-modified: 2021/11/27
+date: 2017-03-13
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_ua_rclone.yml b/rules/web/proxy_generic/proxy_ua_rclone.yml
index d1dfdfd91f0..711fe14e8bc 100644
--- a/rules/web/proxy_generic/proxy_ua_rclone.yml
+++ b/rules/web/proxy_generic/proxy_ua_rclone.yml
@@ -6,7 +6,7 @@ references:
 - https://rclone.org/
 - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
 author: Janantha Marasinghe
-date: 2022/10/18
+date: 2022-10-18
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/web/proxy_generic/proxy_ua_susp.yml b/rules/web/proxy_generic/proxy_ua_susp.yml
index f88ff970292..fa1f1b2a5c1 100644
--- a/rules/web/proxy_generic/proxy_ua_susp.yml
+++ b/rules/web/proxy_generic/proxy_ua_susp.yml
@@ -5,10 +5,10 @@ description: Detects suspicious malformed user agent strings in proxy logs
 references:
 - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
 author: Florian Roth (Nextron Systems)
-date: 2017/07/08
-modified: 2022/10/31
+date: 2017-07-08
+modified: 2022-10-31
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_ua_susp_base64.yml b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
index 7b26ed5b152..8e5ceab6c59 100644
--- a/rules/web/proxy_generic/proxy_ua_susp_base64.yml
+++ b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
@@ -9,10 +9,10 @@ references:
 - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
 - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
 author: Florian Roth (Nextron Systems), Brian Ingram (update)
-date: 2022/07/08
-modified: 2023/05/04
+date: 2022-07-08
+modified: 2023-05-04
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_webdav_external_execution.yml b/rules/web/proxy_generic/proxy_webdav_external_execution.yml
index 162e07b85d5..c7e646534ee 100644
--- a/rules/web/proxy_generic/proxy_webdav_external_execution.yml
+++ b/rules/web/proxy_generic/proxy_webdav_external_execution.yml
@@ -12,9 +12,9 @@ references:
 - https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
 - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
 author: Ahmed Farouk
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1584
 - attack.t1566
 logsource:
diff --git a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
index 17e3291c6d0..e57e2c6ea64 100644
--- a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
+++ b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
@@ -10,7 +10,7 @@ references:
 - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
 - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
-date: 2023/11/08
+date: 2023-11-08
 tags:
 - attack.execution
 - attack.t1190
diff --git a/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml b/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml
index 5ae2c3ea656..73496d03328 100644
--- a/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml
+++ b/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml
@@ -7,10 +7,10 @@ references:
 - https://www.exploit-db.com/exploits/19525
 - https://github.com/lijiejie/IIS_shortname_Scanner
 author: frack113
-date: 2021/10/06
-modified: 2023/01/02
+date: 2021-10-06
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: webserver
diff --git a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
index 4de443dd8d9..4d3fb2da78a 100644
--- a/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_java_payload_in_access_logs.yml
@@ -9,12 +9,12 @@ references:
 - https://twitter.com/httpvoid0x2f/status/1532924261035384832
 - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
 author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
-date: 2022/06/04
-modified: 2023/01/19
+date: 2022-06-04
+modified: 2023-01-19
 tags:
- - cve.2022.26134
- - cve.2021.26084
- - attack.initial_access
+ - cve.2022-26134
+ - cve.2021-26084
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: webserver
diff --git a/rules/web/webserver_generic/web_jndi_exploit.yml b/rules/web/webserver_generic/web_jndi_exploit.yml
index 538c64f0b22..02b5c26a0ca 100644
--- a/rules/web/webserver_generic/web_jndi_exploit.yml
+++ b/rules/web/webserver_generic/web_jndi_exploit.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/pimps/JNDI-Exploit-Kit
 - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
 author: Florian Roth (Nextron Systems)
-date: 2021/12/12
-modified: 2022/12/25
+date: 2021-12-12
+modified: 2022-12-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: webserver
diff --git a/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml b/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml
index a791a130fb1..3fba9d8e8e0 100644
--- a/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml
+++ b/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/projectdiscovery/nuclei-templates
 - https://book.hacktricks.xyz/pentesting-web/file-inclusion
 author: Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/09/25
-modified: 2023/08/31
+date: 2021-09-25
+modified: 2023-08-31
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: webserver
diff --git a/rules/web/webserver_generic/web_source_code_enumeration.yml b/rules/web/webserver_generic/web_source_code_enumeration.yml
index 6ecfd798470..9f17c3de267 100644
--- a/rules/web/webserver_generic/web_source_code_enumeration.yml
+++ b/rules/web/webserver_generic/web_source_code_enumeration.yml
@@ -6,8 +6,8 @@ references:
 - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
 - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
 author: James Ahearn
-date: 2019/06/08
-modified: 2022/10/05
+date: 2019-06-08
+modified: 2022-10-05
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml b/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml
index 3d7daf35834..8de0913631f 100644
--- a/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/payloadbox/sql-injection-payload-list
 - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
 author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
-date: 2020/02/22
-modified: 2023/09/04
+date: 2020-02-22
+modified: 2023-09-04
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: webserver
diff --git a/rules/web/webserver_generic/web_ssti_in_access_logs.yml b/rules/web/webserver_generic/web_ssti_in_access_logs.yml
index 1540ec405e2..ae334e32eb2 100644
--- a/rules/web/webserver_generic/web_ssti_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_ssti_in_access_logs.yml
@@ -6,9 +6,9 @@ references:
 - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
 - https://github.com/payloadbox/ssti-payloads
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/14
+date: 2022-06-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1221
 logsource:
 category: webserver
diff --git a/rules/web/webserver_generic/web_susp_useragents.yml b/rules/web/webserver_generic/web_susp_useragents.yml
index 189ba702e13..aa9c3b512c2 100644
--- a/rules/web/webserver_generic/web_susp_useragents.yml
+++ b/rules/web/webserver_generic/web_susp_useragents.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
 - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
 author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
-date: 2022/07/19
-modified: 2023/01/02
+date: 2022-07-19
+modified: 2023-01-02
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 category: webserver
diff --git a/rules/web/webserver_generic/web_susp_windows_path_uri.yml b/rules/web/webserver_generic/web_susp_windows_path_uri.yml
index f38d7742f9d..dcdfdbc7482 100644
--- a/rules/web/webserver_generic/web_susp_windows_path_uri.yml
+++ b/rules/web/webserver_generic/web_susp_windows_path_uri.yml
@@ -5,8 +5,8 @@ description: Detects suspicious Windows strings in URI which could indicate poss
 references:
 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/06
-modified: 2023/01/02
+date: 2022-06-06
+modified: 2023-01-02
 tags:
 - attack.persistence
 - attack.exfiltration
diff --git a/rules/web/webserver_generic/web_webshell_regeorg.yml b/rules/web/webserver_generic/web_webshell_regeorg.yml
index c5653e0a8aa..6e8f5100025 100644
--- a/rules/web/webserver_generic/web_webshell_regeorg.yml
+++ b/rules/web/webserver_generic/web_webshell_regeorg.yml
@@ -6,8 +6,8 @@ references:
 - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
 - https://github.com/sensepost/reGeorg
 author: Cian Heasley
-date: 2020/08/04
-modified: 2023/01/02
+date: 2020-08-04
+modified: 2023-01-02
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml b/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml
index 3d4bc3a9c4c..cf1becfe64b 100644
--- a/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml
@@ -6,8 +6,8 @@ references:
 - https://bad-jubies.github.io/RCE-NOW-WHAT/
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2017/02/19
-modified: 2022/11/18
+date: 2017-02-19
+modified: 2022-11-18
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/web/webserver_generic/web_xss_in_access_logs.yml b/rules/web/webserver_generic/web_xss_in_access_logs.yml
index 693863859ae..99ba9d73342 100644
--- a/rules/web/webserver_generic/web_xss_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_xss_in_access_logs.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/payloadbox/xss-payload-list
 - https://portswigger.net/web-security/cross-site-scripting/contexts
 author: Saw Win Naung, Nasreddine Bencherchali
-date: 2021/08/15
-modified: 2022/06/14
+date: 2021-08-15
+modified: 2022-06-14
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1189
 logsource:
 category: webserver
diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
index 478f50e8c49..ec8c6bb71f5 100644
--- a/rules/windows/builtin/application/Other/win_av_relevant_match.yml
+++ b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
@@ -9,10 +9,10 @@ references:
 - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
 - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
-date: 2017/02/19
-modified: 2024/07/17
+date: 2017-02-19
+modified: 2024-07-17
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml
index 66006fdf0e3..fd5c9af50a3 100644
--- a/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml
+++ b/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml
@@ -9,10 +9,10 @@ references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth (Nextron Systems)
-date: 2017/05/09
-modified: 2023/04/14
+date: 2017-05-09
+modified: 2023-04-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1211
 - attack.t1562.001
 logsource:
diff --git a/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml b/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
index 354310fcbc5..bc259ba1bf6 100644
--- a/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
+++ b/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
@@ -7,9 +7,9 @@ references:
 - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/07
+date: 2022-12-07
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml
index b6b20076a64..52b236c43ec 100644
--- a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml
+++ b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/mgreen27/status/1558223256704122882
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
+date: 2022-08-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
index d7e97fa0578..fe91750165f 100644
--- a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
+++ b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/mgreen27/status/1558223256704122882
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
-modified: 2023/10/23
+date: 2022-08-14
+modified: 2023-10-23
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml b/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
index 1667f6cd703..590805da375 100644
--- a/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
+++ b/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
@@ -12,18 +12,18 @@ references:
 - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
 - https://nullsec.us/windows-event-log-audit-cve/
 author: Florian Roth (Nextron Systems), Zach Mathis
-date: 2020/01/15
-modified: 2022/10/22
+date: 2020-01-15
+modified: 2022-10-22
 tags:
 - attack.execution
 - attack.t1203
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1211
- - attack.credential_access
+ - attack.credential-access
 - attack.t1212
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
 - attack.impact
 - attack.t1499.004
diff --git a/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml b/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
index 871ca2a814d..72dad5d0fe2 100644
--- a/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
@@ -6,10 +6,10 @@ references:
 - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)
-date: 2017/05/12
-modified: 2022/12/25
+date: 2017-05-12
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
index d88d265645f..0df2c011dd6 100644
--- a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
+++ b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
 author: frack113
-date: 2023/01/12
+date: 2023-01-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1072
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml
index 4f6bd8c47c0..ebfe282d258 100644
--- a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
 - https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
 author: frack113
-date: 2022/01/28
-modified: 2022/09/17
+date: 2022-01-28
+modified: 2022-09-17
 tags:
 - attack.impact
 - attack.t1489
diff --git a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
index 85b1848faa6..06d5a78221c 100644
--- a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
@@ -5,8 +5,8 @@ description: Detects MSI package installation from suspicious locations
 references:
 - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/31
-modified: 2023/10/23
+date: 2022-08-31
+modified: 2023-10-23
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
index c6bd3ad8e9f..4e9d41ad790 100644
--- a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
@@ -5,10 +5,10 @@ description: Detects installation of a remote msi file from web.
 references:
 - https://twitter.com/_st0pp3r_/status/1583922009842802689
 author: Stamatis Chatzimangou
-date: 2022/10/23
-modified: 2022/10/23
+date: 2022-10-23
+modified: 2022-10-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1218.007
 logsource:
diff --git a/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml b/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
index 6fdb563ffef..9b4557c63f3 100644
--- a/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
@@ -5,8 +5,8 @@ description: Detects successful installation of Atera Remote Monitoring & Manage
 references:
 - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
 author: Bhabesh Raj
-date: 2021/09/01
-modified: 2022/12/25
+date: 2021-09-01
+modified: 2022-12-25
 tags:
 - attack.t1219
 logsource:
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
index 4b0abb91b14..c6fa02f6fc8 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
@@ -5,8 +5,8 @@ description: Detects when an attacker tries to backdoor the MSSQL server by addi
 references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/13
-modified: 2024/06/26
+date: 2022-07-13
+modified: 2024-06-26
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
index fef5c0328b3..ded6786fd3e 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
@@ -7,10 +7,10 @@ references:
 - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
 - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/13
-modified: 2024/06/26
+date: 2022-07-13
+modified: 2024-06-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: application
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml
index 106195511a4..43e71d81701 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml
@@ -9,10 +9,10 @@ references:
 - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
 - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
 author: Nasreddine Bencherchali (Nextron Systems), j4son
-date: 2023/10/11
-modified: 2024/06/26
+date: 2023-10-11
+modified: 2024-06-26
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
index 8ef4e47cfcd..1e1ed8cb292 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
@@ -9,10 +9,10 @@ references:
 - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
 - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
 author: j4son
-date: 2023/10/11
-modified: 2024/06/26
+date: 2023-10-11
+modified: 2024-06-26
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml
index f00dcd98506..fd665d9ebe9 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml
@@ -6,8 +6,8 @@ references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/13
-modified: 2024/06/26
+date: 2022-07-13
+modified: 2024-06-26
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml
index 377bfa323a1..a1dc1641fd0 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml
@@ -6,8 +6,8 @@ references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-modified: 2024/06/26
+date: 2022-07-12
+modified: 2024-06-26
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml
index c9f63d11d38..d552ec61a12 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml
@@ -7,8 +7,8 @@ references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-modified: 2024/06/26
+date: 2022-07-12
+modified: 2024-06-26
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
index 7ff83280ebe..3f457d197ae 100644
--- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
+++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
@@ -9,7 +9,7 @@ references:
 - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
 - https://github.com/SigmaHQ/sigma/pull/4467
 author: Ali Alwashali
-date: 2023/10/10
+date: 2023-10-10
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
index e7d582b5ee3..2cbd3dc6bea 100644
--- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
+++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
@@ -9,7 +9,7 @@ references:
 - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
 - https://github.com/SigmaHQ/sigma/pull/4467
 author: Ali Alwashali
-date: 2023/10/10
+date: 2023-10-10
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
index 2a1822b34c1..5e5ca6ee100 100644
--- a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
+++ b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
@@ -6,10 +6,10 @@ references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth (Nextron Systems)
-date: 2017/05/09
-modified: 2023/04/14
+date: 2017-05-09
+modified: 2023-04-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1211
 - attack.t1562.001
 logsource:
diff --git a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
index 3cd264830da..09d71429850 100644
--- a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
+++ b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
@@ -7,8 +7,8 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
 - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
 author: Pushkarev Dmitry
-date: 2020/06/28
-modified: 2021/11/27
+date: 2020-06-28
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
index e7145460a01..ae6b708d206 100644
--- a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
+++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of Sysinternals tools via an AppX package. Attack
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-modified: 2023/09/12
+date: 2023-01-16
+modified: 2023-09-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 product: windows
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
index 89a606da371..7dd5202187b 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
 author: frack113
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
index 3f25523bf3b..ead0d07f936 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
@@ -7,10 +7,10 @@ references:
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2023/01/12
+date: 2023-01-11
+modified: 2023-01-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
index 67f5cdd7928..61911603c47 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
 author: frack113
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
index e6e7a0a2a00..0def9b02204 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
index 34f841c4008..4609d8dc0f5 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
@@ -8,10 +8,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2024/02/09
+date: 2023-01-11
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
index 050c81c624e..cd524159b00 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
index 76767c6bdd6..7e54e98286c 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
index 065666b0553..c5bf6d39fd1 100644
--- a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
+++ b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
@@ -6,9 +6,9 @@ references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
+date: 2023-01-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 product: windows
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
index 027a7c8b533..7ab2c352948 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a new bits job by Bitsadmin
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 author: frack113
-date: 2022/03/01
-modified: 2023/03/27
+date: 2022-03-01
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
index 9e2463ed36e..b5becafe0e1 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a new bits job by PowerShell
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 author: frack113
-date: 2022/03/01
-modified: 2023/03/27
+date: 2022-03-01
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
index aefbf76cd99..493d667abc2 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
@@ -5,10 +5,10 @@ description: Detects new BITS transfer job saving local files with potential sus
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 author: frack113
-date: 2022/03/01
-modified: 2023/03/27
+date: 2022-03-01
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
index 7291d4f8594..41986fcf02c 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
@@ -8,10 +8,10 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2024/02/09
+date: 2022-06-28
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
index 240d923a445..9bcdf087d7c 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2023/03/27
+date: 2023-01-11
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
index 6af8db014f4..5f5fc4dce4f 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 - https://twitter.com/malmoeb/status/1535142803075960832
 author: Florian Roth (Nextron Systems)
-date: 2022/06/10
-modified: 2023/03/27
+date: 2022-06-10
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
index 17c7032ad77..1aedba92c0b 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
@@ -5,10 +5,10 @@ description: Detects new BITS transfer job where the LocalName/Saved file is sto
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2023/03/27
+date: 2022-06-28
+modified: 2023-03-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 logsource:
diff --git a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
index 2bb76c3f1f8..dd8a5d9abc9 100644
--- a/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
+++ b/rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
@@ -5,9 +5,9 @@ description: Detects when an application acquires a certificate private key
 references:
 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
 author: Zach Mathis
-date: 2023/05/13
+date: 2023-05-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1649
 logsource:
 product: windows
diff --git a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
index 72a7cee6090..4b53504b49b 100644
--- a/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
+++ b/rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
@@ -5,9 +5,9 @@ description: Detects when an application exports a certificate (and potentially
 references:
 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
 author: Zach Mathis
-date: 2023/05/13
+date: 2023-05-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1649
 logsource:
 product: windows
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 0c178bde098..f09c8ed6ca5 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/20
-modified: 2023/11/15
+date: 2022-01-20
+modified: 2023-11-15
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
index 8b489aeeda1..806153fcc9b 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
index 88f5cd8472a..4b31e41651a 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/10
-modified: 2023/06/07
+date: 2022-11-10
+modified: 2023-06-07
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 product: windows
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
index 263a7748778..c85104a1cae 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 product: windows
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
index 5857197ab3b..a67becafc4f 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
index fa131873f6f..639299a5ac2 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
index 168ce438b64..7d530423ce5 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
index cfde6fdbd9b..10251e574f0 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
index 80107107604..2a922e6608c 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
+date: 2023-06-06
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
index 1ff2d7fbddd..8132420bd57 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml
@@ -7,10 +7,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/06
-modified: 2023/06/14
+date: 2023-06-06
+modified: 2023-06-14
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: codeintegrity-operational
diff --git a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
index c5031c255ec..eb3ec37e67d 100644
--- a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
+++ b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/nas_bench/status/1539679555908141061
 - https://twitter.com/j00sean/status/1537750439701225472
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
+date: 2022-08-14
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
index 0bd1e22121a..5ea279d46e7 100644
--- a/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
@@ -9,9 +9,9 @@ references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
+date: 2023-01-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
index 6b34ee5bc6e..3dec408da8a 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml
@@ -8,7 +8,7 @@ description: Detects DNS queries for anonfiles.com, which is an anonymous file u
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
+date: 2023-01-16
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
index 482d0af52de..c26c1601c62 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml
@@ -8,7 +8,7 @@ description: Detects DNS queries for subdomains related to MEGA sharing website
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
+date: 2023-01-16
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
index d1fd8d13a45..6285befe47c 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml
@@ -8,9 +8,9 @@ description: Detects DNS resolution of an .onion address related to Tor routing
 references:
 - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/20
+date: 2022-02-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
index e5622c0cdf6..5665769bd8a 100644
--- a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
+++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml
@@ -8,8 +8,8 @@ description: Detects DNS queries to "ufile.io", which was seen abused by malware
 references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/16
-modified: 2023/09/18
+date: 2023-01-16
+modified: 2023-09-18
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
index 6461916383c..f45594d4bb1 100644
--- a/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
+++ b/rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
@@ -5,7 +5,7 @@ description: Detects when a DNS zone transfer failed.
 references:
 - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
 author: Zach Mathis
-date: 2023/05/24
+date: 2023-05-24
 tags:
 - attack.reconnaissance
 - attack.t1590.002
diff --git a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
index c54cc0c0e8a..3809a504b42 100644
--- a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
+++ b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
@@ -12,10 +12,10 @@ references:
 - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
 - https://twitter.com/gentilkiwi/status/861641945944391680
 author: Florian Roth (Nextron Systems)
-date: 2017/05/08
-modified: 2023/02/05
+date: 2017-05-08
+modified: 2023-02-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
index 4fe4f122b18..d49dd6119bd 100644
--- a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
+++ b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml
@@ -6,10 +6,10 @@ references:
 - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
 - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 author: Florian Roth (Nextron Systems)
-date: 2017/11/09
-modified: 2021/11/30
+date: 2017-11-09
+modified: 2021-11-30
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1200
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
index 287e59bcc1c..b6c1d02021d 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
@@ -5,10 +5,10 @@ description: Detects when a rule has been added to the Windows Firewall exceptio
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2024/05/10
+date: 2022-02-19
+modified: 2024-05-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
index 35c316fe790..b031231fa7a 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
@@ -9,10 +9,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
 author: frack113
-date: 2023/02/26
-modified: 2024/05/10
+date: 2023-02-26
+modified: 2024-05-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
index 74479a8ce2c..293aab409d7 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
@@ -9,9 +9,9 @@ references:
 - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
 - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
index 1974b5ec6a6..c19cf42826b 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
@@ -5,10 +5,10 @@ description: Detects when a all the rules have been deleted from the Windows Def
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/17
-modified: 2024/01/22
+date: 2023-01-17
+modified: 2024-01-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
index 38278e2d2a3..82539c5b44d 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
@@ -5,10 +5,10 @@ description: Detects when a single rules or all of the rules have been deleted f
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2023/06/12
+date: 2022-02-19
+modified: 2023-06-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
index 3735d8bae49..208954b53b4 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
@@ -5,10 +5,10 @@ description: Detects activity when The Windows Defender Firewall service failed
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2023/01/17
+date: 2022-02-19
+modified: 2023-01-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
index 0893e06cbec..7ee0b2918ff 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
@@ -5,10 +5,10 @@ description: Detects activity when Windows Defender Firewall has been reset to i
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
-date: 2022/02/19
-modified: 2023/04/21
+date: 2022-02-19
+modified: 2023-04-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
index 3b1f60be741..fd8ed1f8b06 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
@@ -5,10 +5,10 @@ description: Detects activity when the settings of the Windows firewall have bee
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/19
-modified: 2023/04/21
+date: 2022-02-19
+modified: 2023-04-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
index 202f234d8ae..a9687d3bdfd 100644
--- a/rules/windows/builtin/ldap/win_ldap_recon.yml
+++ b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -9,8 +9,8 @@ references:
 - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
 - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
 author: Adeem Mawani
-date: 2021/06/22
-modified: 2023/11/03
+date: 2021-06-22
+modified: 2023-11-03
 tags:
 - attack.discovery
 - attack.t1069.002
diff --git a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
index cdc61fb3965..aed77195c35 100644
--- a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
+++ b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
@@ -7,11 +7,11 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
 author: frack113
-date: 2023/01/13
-modified: 2023/05/05
+date: 2023-01-13
+modified: 2023-05-05
 tags:
- - attack.credential_access
- - attack.privilege_escalation
+ - attack.credential-access
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: lsa-server
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
index dbe4af2d6ed..24e905b04df 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -5,11 +5,11 @@ description: Detects specific patterns found after a successful ProxyLogon explo
 references:
 - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: Florian Roth (Nextron Systems)
-date: 2021/08/09
-modified: 2023/01/23
+date: 2021-08-09
+modified: 2023-01-23
 tags:
 - attack.t1587.001
- - attack.resource_development
+ - attack.resource-development
 logsource:
 product: windows
 service: msexchange-management
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
index 2de17e7a155..2c6ddf4dbe4 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
@@ -5,8 +5,8 @@ description: Detects a write of an Exchange CSR to an untypical directory or wit
 references:
 - https://twitter.com/GossiTheDog/status/1429175908905127938
 author: Max Altgelt (Nextron Systems)
-date: 2021/08/23
-modified: 2023/01/23
+date: 2021-08-23
+modified: 2023-01-23
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
index 77d53ea104b..99984a876ce 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
@@ -5,8 +5,8 @@ description: Detects a successful export of an Exchange mailbox to untypical dir
 references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
-date: 2021/08/09
-modified: 2023/04/30
+date: 2021-08-09
+modified: 2023-04-30
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
index db7cb0a5469..a7ad1d02224 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -5,10 +5,10 @@ description: Detects removal of an exported Exchange mailbox which could be to c
 references:
 - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/27
-modified: 2023/01/23
+date: 2021-08-27
+modified: 2023-01-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 service: msexchange-management
diff --git a/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
index 56824366bdd..7694a34aad3 100644
--- a/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
@@ -5,8 +5,8 @@ description: Rule to detect an adversary setting OabVirtualDirectory External UR
 references:
 - https://twitter.com/OTR_Community/status/1371053369071132675
 author: Jose Rodriguez @Cyb3rPandaH
-date: 2021/03/15
-modified: 2023/01/23
+date: 2021-03-15
+modified: 2023-01-23
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
index 049794fa033..14d05c3b8e4 100644
--- a/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_transportagent.yml
@@ -8,8 +8,8 @@ description: Detects the Installation of a Exchange Transport Agent
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
 author: Tobias Michalski (Nextron Systems)
-date: 2021/06/08
-modified: 2022/11/27
+date: 2021-06-08
+modified: 2022-11-27
 tags:
 - attack.persistence
 - attack.t1505.002
diff --git a/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
index 376b5d0884b..d1d173bd706 100644
--- a/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
@@ -5,8 +5,8 @@ description: Detects a failed installation of a Exchange Transport Agent
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
 author: Tobias Michalski (Nextron Systems)
-date: 2021/06/08
-modified: 2022/07/12
+date: 2021-06-08
+modified: 2022-07-12
 tags:
 - attack.persistence
 - attack.t1505.002
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
index 92a842704ab..856952d4e05 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
@@ -5,10 +5,10 @@ description: Detects logons using NTLM, which could be caused by a legacy source
 references:
 - https://twitter.com/JohnLaTwC/status/1004895028995477505
 author: Florian Roth (Nextron Systems)
-date: 2018/06/08
-modified: 2024/07/22
+date: 2018-06-08
+modified: 2024-07-22
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1550.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
index 5a54cb841a2..07f321d3669 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
@@ -5,9 +5,9 @@ description: Detects common NTLM brute force device names
 references:
 - https://www.varonis.com/blog/investigate-ntlm-brute-force
 author: Jerry Shockley '@jsh0x'
-date: 2022/02/02
+date: 2022-02-02
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110
 logsource:
 product: windows
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
index 9ddc74de3cd..9fa708b59d8 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml
@@ -5,10 +5,10 @@ description: Detects logons using NTLM to hosts that are potentially not part of
 references:
 - n/a
 author: James Pemberton
-date: 2020/05/22
-modified: 2021/11/27
+date: 2020-05-22
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml
index 3c7fabeeefd..c347b70ce68 100644
--- a/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml
+++ b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml
@@ -9,9 +9,9 @@ references:
 - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: mdecrevoisier
-date: 2022/10/25
+date: 2022-10-25
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
index ad2d8a9d9fd..9d9da74b022 100644
--- a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
+++ b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
@@ -6,11 +6,11 @@ references:
 - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
 - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
 author: Michaela Adams, Zach Mathis
-date: 2022/11/06
-modified: 2023/04/26
+date: 2022-11-06
+modified: 2023-04-26
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1134.001
 - stp.4u
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
index 64fdb30e213..6d5cdb1daa2 100644
--- a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
@@ -5,10 +5,10 @@ description: Detect remote login by Administrator user (depending on internal pa
 references:
 - https://car.mitre.org/wiki/CAR-2016-04-005
 author: juju4
-date: 2017/10/29
-modified: 2022/10/09
+date: 2017-10-29
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1078.001
 - attack.t1078.002
 - attack.t1078.003
diff --git a/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml b/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml
index bd555e9f2c6..f82648724f0 100644
--- a/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml
+++ b/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml
@@ -5,9 +5,9 @@ description: Detects the default "UserName" used by the DiagTrackEoP POC
 references:
 - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/03
+date: 2022-08-03
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
index 8f2c34367e2..49ab072e347 100644
--- a/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
+++ b/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml
@@ -2,7 +2,7 @@ title: A Member Was Added to a Security-Enabled Global Group
 id: c43c26be-2e87-46c7-8661-284588c5a53e
 related:
 - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects activity when a member is added to a security-enabled global group
 references:
@@ -12,7 +12,7 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
 author: Alexandr Yampolskyi, SOC Prime
-date: 2023/04/26
+date: 2023-04-26
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
index f6a26ca420a..b19f83a08fc 100644
--- a/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
+++ b/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml
@@ -2,7 +2,7 @@ title: A Member Was Removed From a Security-Enabled Global Group
 id: 02c39d30-02b5-45d2-b435-8aebfe5a8629
 related:
 - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects activity when a member is removed from a security-enabled global group
 references:
@@ -12,7 +12,7 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
 author: Alexandr Yampolskyi, SOC Prime
-date: 2023/04/26
+date: 2023-04-26
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
index cce89e4f344..1983e0316d1 100644
--- a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
+++ b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
@@ -5,10 +5,10 @@ description: Detects successful logon with logon type 9 (NewCredentials) which m
 references:
 - https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
 author: Roberto Rodriguez (source), Dominik Schaudel (rule)
-date: 2018/02/12
-modified: 2021/11/27
+date: 2018-02-12
+modified: 2021-11-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.s0002
 - attack.t1550.002
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
index df700d51dae..9a011cfe146 100644
--- a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
+++ b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
@@ -7,10 +7,10 @@ references:
 - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
 - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
 author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
-date: 2019/06/14
-modified: 2022/10/05
+date: 2019-06-14
+modified: 2022-10-05
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1550.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
index 9bb8fc0c5a3..ce57e274c58 100644
--- a/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
 - https://github.com/zerosum0x0/CVE-2019-0708
 author: Florian Roth (Nextron Systems), Adam Bradbury (idea)
-date: 2019/06/02
-modified: 2022/12/25
+date: 2019-06-02
+modified: 2022-12-25
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml b/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml
index e70a0a8166c..f3fd14ef94b 100644
--- a/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml
@@ -5,10 +5,10 @@ description: RDP login with localhost source address may be a tunnelled login
 references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 author: Thomas Patzke
-date: 2019/01/28
-modified: 2022/10/09
+date: 2019-01-28
+modified: 2022-10-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - car.2013-07-002
 - attack.t1021.001
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml b/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml
index 5a81b4aae36..0cbb18bb51a 100644
--- a/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml
+++ b/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml
@@ -5,11 +5,11 @@ description: Detect potential adversaries leveraging WMI ActiveScriptEventConsum
 references:
 - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/09/02
-modified: 2021/11/27
+date: 2020-09-02
+modified: 2021-11-27
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
index 6cdded1b32e..99720325b99 100644
--- a/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
+++ b/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml
@@ -2,7 +2,7 @@ title: A Security-Enabled Global Group Was Deleted
 id: b237c54b-0f15-4612-a819-44b735e0de27
 related:
 - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects activity when a security-enabled global group is deleted
 references:
@@ -12,7 +12,7 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
 author: Alexandr Yampolskyi, SOC Prime
-date: 2023/04/26
+date: 2023-04-26
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
index 23e7bac365c..b55315b33b3 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
@@ -9,11 +9,11 @@ references:
 - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
 - https://twitter.com/Purp1eW0lf/status/1616144561965002752
 author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
-date: 2023/01/19
-modified: 2024/03/11
+date: 2023-01-19
+modified: 2024-03-11
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1133
 - attack.t1078
 - attack.t1110
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
index 1221fd8ecdf..9457318f6d9 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
@@ -9,11 +9,11 @@ references:
 - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
 - https://twitter.com/Purp1eW0lf/status/1616144561965002752
 author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
-date: 2023/01/19
-modified: 2024/03/11
+date: 2023-01-19
+modified: 2024-03-11
 tags:
- - attack.initial_access
- - attack.credential_access
+ - attack.initial-access
+ - attack.credential-access
 - attack.t1133
 - attack.t1078
 - attack.t1110
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
index fa7e68301d2..25409436cab 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
@@ -5,10 +5,10 @@ description: Detects a failed logon attempt from a public IP. A login from a pub
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
 author: NVISO
-date: 2020/05/06
-modified: 2024/03/11
+date: 2020-05-06
+modified: 2024-03-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
 - attack.t1078
 - attack.t1190
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml b/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
index 8f33d701164..4a95af66df3 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
@@ -5,10 +5,10 @@ description: Detects logon events that specify new credentials
 references:
 - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
 author: Max Altgelt (Nextron Systems)
-date: 2022/04/06
+date: 2022-04-06
 tags:
- - attack.defense_evasion
- - attack.lateral_movement
+ - attack.defense-evasion
+ - attack.lateral-movement
 - attack.t1550
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
index b8b3a0b4ba3..b40b4902dac 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
@@ -8,11 +8,11 @@ references:
 - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
 - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
 author: Elastic, @SBousseaden
-date: 2022/04/27
-modified: 2024/07/02
+date: 2022-04-27
+modified: 2024-07-02
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.t1548
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml
index 69a5295e1b4..e53c6f5fcae 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml
@@ -5,11 +5,11 @@ description: Detects logon events that have characteristics of events generated
 references:
 - https://twitter.com/SBousseaden/status/1195284233729777665
 author: '@SBousseaden, Florian Roth'
-date: 2019/11/15
-modified: 2022/12/22
+date: 2019-11-15
+modified: 2022-12-22
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.t1557.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml b/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml
index d96c2bc0751..8d42dd8fe54 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml
@@ -5,8 +5,8 @@ description: Detects successful logon attempts performed with WMI
 references:
 - Internal Research
 author: Thomas Patzke
-date: 2019/12/04
-modified: 2024/01/17
+date: 2019-12-04
+modified: 2024-01-17
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
index 4b285c08125..14b6344a2a2 100644
--- a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
+++ b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
@@ -9,9 +9,9 @@ references:
 - https://github.com/amjcyber/EDRNoiseMaker
 - https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
 author: '@gott_cyber'
-date: 2024/01/08
+date: 2024-01-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml b/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml
index 87c0b6e68dd..364703d638e 100644
--- a/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml
+++ b/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml
@@ -8,8 +8,8 @@ references:
 - https://o365blog.com/post/hybridhealthagent/
 - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-modified: 2022/10/09
+date: 2021-08-26
+modified: 2022-10-09
 tags:
 - attack.discovery
 - attack.t1012
diff --git a/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml b/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml
index 9ab2a239c01..244a01243d6 100644
--- a/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml
+++ b/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml
@@ -10,8 +10,8 @@ references:
 - https://o365blog.com/post/hybridhealthagent/
 - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-date: 2021/08/26
-modified: 2022/10/09
+date: 2021-08-26
+modified: 2022-10-09
 tags:
 - attack.discovery
 - attack.t1012
diff --git a/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
index ea8e3a2ded6..09362d1ba9e 100644
--- a/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
+++ b/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/menasec1/status/1111556090137903104
 - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
 author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
-date: 2019/04/03
-modified: 2022/08/16
+date: 2019-04-03
+modified: 2022-08-16
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_account_discovery.yml b/rules/windows/builtin/security/win_security_account_discovery.yml
index da3c979636e..af11cfd8b49 100644
--- a/rules/windows/builtin/security/win_security_account_discovery.yml
+++ b/rules/windows/builtin/security/win_security_account_discovery.yml
@@ -5,8 +5,8 @@ description: Detect priv users or groups recon based on 4661 eventid and known p
 references:
 - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2022/07/13
+date: 2019-04-03
+modified: 2022-07-13
 tags:
 - attack.discovery
 - attack.t1087.002
diff --git a/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml b/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml
index 80d06363faa..ed8afb06366 100644
--- a/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml
@@ -7,10 +7,10 @@ references:
 - https://threathunterplaybook.com/library/windows/active_directory_replication.html
 - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-modified: 2021/11/27
+date: 2019-09-12
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml b/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml
index e8a492702e2..afe44408f50 100644
--- a/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml
+++ b/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml
@@ -7,10 +7,10 @@ references:
 - https://threathunterplaybook.com/library/windows/active_directory_replication.html
 - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/07/26
-modified: 2021/11/27
+date: 2019-07-26
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.006
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_ad_user_enumeration.yml b/rules/windows/builtin/security/win_security_ad_user_enumeration.yml
index 02d0d51d1b0..9345f98344f 100644
--- a/rules/windows/builtin/security/win_security_ad_user_enumeration.yml
+++ b/rules/windows/builtin/security/win_security_ad_user_enumeration.yml
@@ -8,8 +8,8 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
 author: Maxime Thiebaut (@0xThiebaut)
-date: 2020/03/30
-modified: 2022/11/08
+date: 2020-03-30
+modified: 2022-11-08
 tags:
 - attack.discovery
 - attack.t1087.002
diff --git a/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml b/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml
index 1a981c5ef16..0c0eebd08e5 100644
--- a/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml
+++ b/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml
@@ -5,11 +5,11 @@ description: Detects certificate creation with template allowing risk permission
 references:
 - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
 author: Orlinum , BlueDefenZer
-date: 2021/11/17
-modified: 2022/12/25
+date: 2021-11-17
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
index 145e665788e..5ed1de3cd44 100644
--- a/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
+++ b/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml
@@ -5,11 +5,11 @@ description: Detects certificate creation with template allowing risk permission
 references:
 - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
 author: Orlinum , BlueDefenZer
-date: 2021/11/17
-modified: 2022/12/25
+date: 2021-11-17
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_add_remove_computer.yml b/rules/windows/builtin/security/win_security_add_remove_computer.yml
index 26021daf2a0..41dce43e694 100644
--- a/rules/windows/builtin/security/win_security_add_remove_computer.yml
+++ b/rules/windows/builtin/security/win_security_add_remove_computer.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
 author: frack113
-date: 2022/10/14
+date: 2022-10-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1207
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_admin_share_access.yml b/rules/windows/builtin/security/win_security_admin_share_access.yml
index 43c6b024a29..a9031cc89ba 100644
--- a/rules/windows/builtin/security/win_security_admin_share_access.yml
+++ b/rules/windows/builtin/security/win_security_admin_share_access.yml
@@ -5,10 +5,10 @@ description: Detects access to ADMIN$ network share
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140
 author: Florian Roth (Nextron Systems)
-date: 2017/03/04
-modified: 2024/01/16
+date: 2017-03-04
+modified: 2024-01-16
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml b/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
index 208cfbfb4a4..1e3cb336565 100644
--- a/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
@@ -5,8 +5,8 @@ description: Detects scenario where if a user is assigned the SeEnableDelegation
 references:
 - https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
-date: 2017/07/30
-modified: 2021/12/02
+date: 2017-07-30
+modified: 2021-12-02
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
index adadace58ad..fb9a78d5f0c 100644
--- a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
@@ -7,8 +7,8 @@ references:
 - https://adsecurity.org/?p=3466
 - https://blog.harmj0y.net/redteaming/another-word-on-delegation/
 author: '@neu5ron'
-date: 2017/04/13
-modified: 2024/02/26
+date: 2017-04-13
+modified: 2024-02-26
 tags:
 - attack.t1098
 - attack.persistence
diff --git a/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
index 98a8035d94e..1716d8ae95d 100644
--- a/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
@@ -6,10 +6,10 @@ references:
 - https://adsecurity.org/?p=2053
 - https://blog.harmj0y.net/redteaming/another-word-on-delegation/
 author: '@neu5ron'
-date: 2017/07/30
-modified: 2021/11/27
+date: 2017-07-30
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_alert_ruler.yml b/rules/windows/builtin/security/win_security_alert_ruler.yml
index 3565ff5a1cd..3c3ce3c84ed 100644
--- a/rules/windows/builtin/security/win_security_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_security_alert_ruler.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
 author: Florian Roth (Nextron Systems)
-date: 2017/05/31
-modified: 2022/10/09
+date: 2017-05-31
+modified: 2022-10-09
 tags:
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/builtin/security/win_security_atsvc_task.yml b/rules/windows/builtin/security/win_security_atsvc_task.yml
index 42b2bf7d604..4aaa0440edc 100644
--- a/rules/windows/builtin/security/win_security_atsvc_task.yml
+++ b/rules/windows/builtin/security/win_security_atsvc_task.yml
@@ -5,10 +5,10 @@ description: Detects remote task creation via at.exe or API interacting with ATS
 references:
 - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2024/08/01
+date: 2019-04-03
+modified: 2024-08-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.persistence
 - car.2013-05-004
 - car.2015-04-001
diff --git a/rules/windows/builtin/security/win_security_audit_log_cleared.yml b/rules/windows/builtin/security/win_security_audit_log_cleared.yml
index 402d2394cdf..4847955f7c8 100644
--- a/rules/windows/builtin/security/win_security_audit_log_cleared.yml
+++ b/rules/windows/builtin/security/win_security_audit_log_cleared.yml
@@ -2,9 +2,9 @@ title: Security Eventlog Cleared
 id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
 related:
 - id: f2f01843-e7b8-4f95-a35a-d23584476423
- type: obsoletes
+ type: obsolete
 - id: a122ac13-daf8-4175-83a2-72c387be339d
- type: obsoletes
+ type: obsolete
 status: test
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
 references:
@@ -12,10 +12,10 @@ references:
 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
 author: Florian Roth (Nextron Systems)
-date: 2017/01/10
-modified: 2022/02/24
+date: 2017-01-10
+modified: 2022-02-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.001
 - car.2016-04-002
 logsource:
diff --git a/rules/windows/builtin/security/win_security_camera_microphone_access.yml b/rules/windows/builtin/security/win_security_camera_microphone_access.yml
index 735dd4dae68..cb774ef9415 100644
--- a/rules/windows/builtin/security/win_security_camera_microphone_access.yml
+++ b/rules/windows/builtin/security/win_security_camera_microphone_access.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/duzvik/status/1269671601852813320
 - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/07
-modified: 2021/11/27
+date: 2020-06-07
+modified: 2021-11-27
 tags:
 - attack.collection
 - attack.t1123
diff --git a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
index 51617ab1ac6..9efcab107bc 100644
--- a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml
@@ -10,12 +10,12 @@ references:
 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Florian Roth (Nextron Systems), Wojciech Lesicki
-date: 2021/05/26
-modified: 2022/11/27
+date: 2021-05-26
+modified: 2022-11-27
 tags:
 - attack.execution
- - attack.privilege_escalation
- - attack.lateral_movement
+ - attack.privilege-escalation
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1543.003
 - attack.t1569.002
diff --git a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
index 8149598ef2e..3d6e2e99d70 100644
--- a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
@@ -7,10 +7,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
 author: Thomas Patzke
-date: 2019/12/03
-modified: 2023/12/13
+date: 2019-12-03
+modified: 2023-12-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml
index c53e821f915..f00f6343cbb 100644
--- a/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml
@@ -7,10 +7,10 @@ references:
 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
 - https://twitter.com/_dirkjan/status/1309214379003588608
 author: OTR (Open Threat Research)
-date: 2018/11/28
-modified: 2022/08/11
+date: 2018-11-28
+modified: 2022-08-11
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml b/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml
index c04e22fc86b..a3e5886949b 100644
--- a/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml
+++ b/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml
@@ -5,10 +5,10 @@ description: Detects a threat actor creating a file named `iertutil.dll` in the
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/12
-modified: 2022/11/26
+date: 2020-10-12
+modified: 2022-11-26
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1021.003
 logsource:
diff --git a/rules/windows/builtin/security/win_security_dcsync.yml b/rules/windows/builtin/security/win_security_dcsync.yml
index cffb472eaa3..2bff892a9f0 100644
--- a/rules/windows/builtin/security/win_security_dcsync.yml
+++ b/rules/windows/builtin/security/win_security_dcsync.yml
@@ -8,10 +8,10 @@ references:
 - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
 author: Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
-date: 2018/06/03
-modified: 2022/04/26
+date: 2018-06-03
+modified: 2022-04-26
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.s0002
 - attack.t1003.006
 logsource:
diff --git a/rules/windows/builtin/security/win_security_device_installation_blocked.yml b/rules/windows/builtin/security/win_security_device_installation_blocked.yml
index 67132d91b2f..843b8c433a1 100644
--- a/rules/windows/builtin/security/win_security_device_installation_blocked.yml
+++ b/rules/windows/builtin/security/win_security_device_installation_blocked.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
 author: frack113
-date: 2022/10/14
+date: 2022-10-14
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1200
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_disable_event_auditing.yml b/rules/windows/builtin/security/win_security_disable_event_auditing.yml
index b24436b4637..037f2e5f49b 100644
--- a/rules/windows/builtin/security/win_security_disable_event_auditing.yml
+++ b/rules/windows/builtin/security/win_security_disable_event_auditing.yml
@@ -12,10 +12,10 @@ description: |
 references:
 - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
 author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
-date: 2017/11/19
-modified: 2023/11/15
+date: 2017-11-19
+modified: 2023-11-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml b/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
index 9b12184d2c9..9c33fe35d8a 100644
--- a/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
+++ b/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
@@ -9,10 +9,10 @@ references:
 - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
 - https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/20
-modified: 2023/11/17
+date: 2023-06-20
+modified: 2023-11-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
index 8787ac6c4e8..5de777d3d31 100644
--- a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
+++ b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
@@ -17,10 +17,10 @@ references:
 - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/05
-modified: 2022/12/20
+date: 2020-06-05
+modified: 2022-12-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 - attack.t1562
 logsource:
diff --git a/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml
index 7589b9ba207..d63ac03c9d7 100644
--- a/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml
+++ b/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml
@@ -5,10 +5,10 @@ description: Detects tools extracting LSA secret DPAPI domain backup key from Do
 references:
 - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/06/20
-modified: 2022/02/24
+date: 2019-06-20
+modified: 2022-02-24
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml
index faf167c2f39..99e40eb3ced 100644
--- a/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml
+++ b/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml
@@ -5,10 +5,10 @@ description: Detects anyone attempting a backup for the DPAPI Master Key. This e
 references:
 - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-modified: 2023/03/15
+date: 2019-08-10
+modified: 2023-03-15
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_external_device.yml b/rules/windows/builtin/security/win_security_external_device.yml
index efb26ace039..b05dc01ab05 100644
--- a/rules/windows/builtin/security/win_security_external_device.yml
+++ b/rules/windows/builtin/security/win_security_external_device.yml
@@ -5,13 +5,13 @@ description: Detects external disk drives or plugged-in USB devices.
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
 author: Keith Wright
-date: 2019/11/20
-modified: 2024/02/09
+date: 2019-11-20
+modified: 2024-02-09
 tags:
 - attack.t1091
 - attack.t1200
- - attack.lateral_movement
- - attack.initial_access
+ - attack.lateral-movement
+ - attack.initial-access
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
index 612b78bced6..799759ea8b4 100644
--- a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/menasec1/status/1106899890377052160
 - https://www.secureworks.com/blog/ransomware-as-a-distraction
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2024/08/01
+date: 2019-04-03
+modified: 2024-08-01
 tags:
 - attack.persistence
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1053.005
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_hidden_user_creation.yml b/rules/windows/builtin/security/win_security_hidden_user_creation.yml
index 227f3f32e08..27034718944 100644
--- a/rules/windows/builtin/security/win_security_hidden_user_creation.yml
+++ b/rules/windows/builtin/security/win_security_hidden_user_creation.yml
@@ -5,8 +5,8 @@ description: Detects the creation of a local hidden user account which should no
 references:
 - https://twitter.com/SBousseaden/status/1387743867663958021
 author: Christian Burkard (Nextron Systems)
-date: 2021/05/03
-modified: 2024/01/16
+date: 2021-05-03
+modified: 2024-01-16
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
index 8acae880d5c..b05e65f769a 100644
--- a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
+++ b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://github.com/netero1010/EDRSilencer
 author: Thodoris Polyzos (@SmoothDeploy)
-date: 2024/01/29
-modified: 2024/01/30
+date: 2024-01-29
+modified: 2024-01-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_hktl_nofilter.yml b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
index 1e8bd099bad..b36699cc42c 100644
--- a/rules/windows/builtin/security/win_security_hktl_nofilter.yml
+++ b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
@@ -9,9 +9,9 @@ references:
 - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
 - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
 author: Stamatis Chatzimangou (st0pp3r)
-date: 2024/01/05
+date: 2024-01-05
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1134
 - attack.t1134.001
 logsource:
diff --git a/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml
index b13d7677bc2..eec43ba867e 100644
--- a/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml
+++ b/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml
@@ -5,8 +5,8 @@ description: Rule to detect the Hybrid Connection Manager service installation.
 references:
     - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-modified: 2022/10/09
+date: 2021-04-12
+modified: 2022-10-09
 tags:
     - attack.persistence
     - attack.t1554
diff --git a/rules/windows/builtin/security/win_security_impacket_psexec.yml b/rules/windows/builtin/security/win_security_impacket_psexec.yml
index 2916fea761a..955c6cc3774 100644
--- a/rules/windows/builtin/security/win_security_impacket_psexec.yml
+++ b/rules/windows/builtin/security/win_security_impacket_psexec.yml
@@ -5,10 +5,10 @@ description: Detects execution of Impacket's psexec.py.
 references:
     - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
 author: Bhabesh Raj
-date: 2020/12/14
-modified: 2022/09/22
+date: 2020-12-14
+modified: 2022-09-22
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_impacket_secretdump.yml b/rules/windows/builtin/security/win_security_impacket_secretdump.yml
index 87bfc42cb64..c1f9be9e954 100644
--- a/rules/windows/builtin/security/win_security_impacket_secretdump.yml
+++ b/rules/windows/builtin/security/win_security_impacket_secretdump.yml
@@ -5,10 +5,10 @@ description: Detect AD credential dumping using impacket secretdump HKTL
 references:
     - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
 author: Samir Bousseaden, wagga
-date: 2019/04/03
-modified: 2022/08/11
+date: 2019-04-03
+modified: 2022-08-11
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.002
     - attack.t1003.004
     - attack.t1003.003
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
index 2286217e906..46458e5de4e 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2022/11/27
+date: 2020-10-13
+modified: 2022-11-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
index 6df46a8012f..9b525d71548 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -8,10 +8,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
 references:
     - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-modified: 2022/11/27
+date: 2019-11-08
+modified: 2022-11-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
index 53a723781a8..4af12b8efe6 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2022/11/29
+date: 2020-10-15
+modified: 2022-11-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
index 98c8fd885fa..60440bf5fde 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2022/11/29
+date: 2020-10-15
+modified: 2022-11-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
index 9e563fe6bb2..ec98587c5e8 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
index 2a4d21b38da..c06c13a9ac2 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
index 5141c4d910d..9be90685610 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2022/11/29
+date: 2020-10-12
+modified: 2022-11-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
index 25c235df63a..2458ab037f6 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
index 2353469ecd6..e9422f5bdc8 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
index 0b1742b9a14..fcbdcf8334e 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
index d9b7e017751..f1b060d275f 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2022/11/29
+date: 2020-10-13
+modified: 2022-11-29
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_iso_mount.yml b/rules/windows/builtin/security/win_security_iso_mount.yml
index 488a5ebcf6d..cedb6c41813 100644
--- a/rules/windows/builtin/security/win_security_iso_mount.yml
+++ b/rules/windows/builtin/security/win_security_iso_mount.yml
@@ -8,10 +8,10 @@ references:
     - https://twitter.com/MsftSecIntel/status/1257324139515269121
     - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 author: Syed Hasan (@syedhasan009)
-date: 2021/05/29
-modified: 2023/11/09
+date: 2021-05-29
+modified: 2023-11-09
 tags:
-    - attack.initial_access
+    - attack.initial-access
     - attack.t1566.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_lm_namedpipe.yml b/rules/windows/builtin/security/win_security_lm_namedpipe.yml
index 373ba4c499f..e8bf899b0c3 100644
--- a/rules/windows/builtin/security/win_security_lm_namedpipe.yml
+++ b/rules/windows/builtin/security/win_security_lm_namedpipe.yml
@@ -5,10 +5,10 @@ description: This detection excludes known namped pipes accessible remotely and
 references:
     - https://twitter.com/menasec1/status/1104489274387451904
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2023/03/14
+date: 2019-04-03
+modified: 2023-03-14
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml
index 6902384e35c..8d2d48cb7c0 100644
--- a/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml
@@ -5,10 +5,10 @@ description: Detects potential mimikatz-like tools accessing LSASS from non syst
 references:
     - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/06/20
-modified: 2023/12/11
+date: 2019-06-20
+modified: 2023-12-11
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index f5e9ec665e3..b582b697f91 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -8,10 +8,10 @@ description: Detects well-known credential dumping tools execution via service e
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2017/03/05
-modified: 2022/11/29
+date: 2017-03-05
+modified: 2022-11-29
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.execution
     - attack.t1003.001
     - attack.t1003.002
diff --git a/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml b/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml
index 35be952048b..eafca054913 100644
--- a/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml
+++ b/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml
@@ -6,10 +6,10 @@ references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
-date: 2017/06/14
-modified: 2021/11/27
+date: 2017-06-14
+modified: 2021-11-27
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003
     - attack.s0005
 logsource:
diff --git a/rules/windows/builtin/security/win_security_metasploit_authentication.yml b/rules/windows/builtin/security/win_security_metasploit_authentication.yml
index 77fc9441327..856f7ab6c8c 100644
--- a/rules/windows/builtin/security/win_security_metasploit_authentication.yml
+++ b/rules/windows/builtin/security/win_security_metasploit_authentication.yml
@@ -5,10 +5,10 @@ description: Alerts on Metasploit host's authentications on the domain.
 references:
     - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
-date: 2020/05/06
-modified: 2024/01/25
+date: 2020-05-06
+modified: 2024-01-25
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
index ddb7ac87512..d7a490fa6ba 100644
--- a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -8,10 +8,10 @@ description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec)
 references:
     - https://bczyz1.github.io/2021/01/30/psexec.html
 author: Bartlomiej Czyz, Relativity
-date: 2021/01/21
-modified: 2022/10/05
+date: 2021-01-21
+modified: 2022-10-05
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
     - attack.t1570
     - attack.execution
diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index 9b245807d51..6611647728a 100644
--- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -9,10 +9,10 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
     - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
-date: 2019/10/26
-modified: 2023/11/15
+date: 2019-10-26
+modified: 2023-11-15
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1134.001
     - attack.t1134.002
 logsource:
diff --git a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
index 47567df26b5..8f89ffb5c8e 100644
--- a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
@@ -8,10 +8,10 @@ description: Detects NetNTLM downgrade attack
 references:
     - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 author: Florian Roth (Nextron Systems), wagga
-date: 2018/03/20
-modified: 2022/10/09
+date: 2018-03-20
+modified: 2022-10-09
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
     - attack.t1112
 # Windows Security Eventlog: Process Creation with Full Command Line
diff --git a/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml b/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
index bb4ae39f9b4..5d72c067ad3 100755
--- a/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
+++ b/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml
@@ -5,8 +5,8 @@ description: Detects unusual processes accessing desktop.ini remotely over netwo
 references:
     - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
 author: Tim Shelton (HAWK.IO)
-date: 2021/12/06
-modified: 2022/01/16
+date: 2021-12-06
+modified: 2022-01-16
 tags:
     - attack.persistence
     - attack.t1547.009
diff --git a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
index aea6eff2f1f..1b985f45202 100644
--- a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
+++ b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
@@ -6,10 +6,10 @@ description: |
 references:
     - https://twitter.com/SBousseaden/status/1387743867663958021
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-modified: 2024/01/16
+date: 2019-10-25
+modified: 2024-01-16
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1036
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml b/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml
index c7ff113fca3..ef4dbe90bf0 100644
--- a/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml
+++ b/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml
@@ -7,10 +7,10 @@ description: |
 references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
 author: Pushkarev Dmitry
-date: 2020/06/27
-modified: 2021/11/27
+date: 2020-06-27
+modified: 2021-11-27
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.001
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml
index 637684bca04..012d086c180 100644
--- a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml
+++ b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml
@@ -6,7 +6,7 @@ references:
     - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
     - https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951
 author: Zach Mathis
-date: 2023/05/19
+date: 2023-05-19
 tags:
     - attack.discovery
     - attack.t1201
diff --git a/rules/windows/builtin/security/win_security_pcap_drivers.yml b/rules/windows/builtin/security/win_security_pcap_drivers.yml
index 3d0cd3caed6..b3af39b5645 100644
--- a/rules/windows/builtin/security/win_security_pcap_drivers.yml
+++ b/rules/windows/builtin/security/win_security_pcap_drivers.yml
@@ -5,11 +5,11 @@ description: Detects Windows Pcap driver installation based on a list of associa
 references:
     - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
 author: Cian Heasley
-date: 2020/06/10
-modified: 2023/04/14
+date: 2020-06-10
+modified: 2023-04-14
 tags:
     - attack.discovery
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1040
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_petitpotam_network_share.yml b/rules/windows/builtin/security/win_security_petitpotam_network_share.yml
index 05372aa15e2..f40d555be23 100644
--- a/rules/windows/builtin/security/win_security_petitpotam_network_share.yml
+++ b/rules/windows/builtin/security/win_security_petitpotam_network_share.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/topotam/PetitPotam
     - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
 author: Mauricio Velazco, Michael Haag
-date: 2021/09/02
-modified: 2022/08/11
+date: 2021-09-02
+modified: 2022-08-11
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1187
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml
index ff7ff7288c2..82b42e1fc8d 100644
--- a/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml
+++ b/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml
@@ -12,10 +12,10 @@ references:
     - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
     - https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
 author: Mauricio Velazco, Michael Haag
-date: 2021/09/02
-modified: 2022/10/05
+date: 2021-09-02
+modified: 2022-10-05
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1187
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_possible_dc_shadow.yml b/rules/windows/builtin/security/win_security_possible_dc_shadow.yml
index 4e8e58d8440..fe739546f1e 100644
--- a/rules/windows/builtin/security/win_security_possible_dc_shadow.yml
+++ b/rules/windows/builtin/security/win_security_possible_dc_shadow.yml
@@ -10,10 +10,10 @@ references:
     - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
     - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
 author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
-date: 2019/10/25
-modified: 2022/10/17
+date: 2019-10-25
+modified: 2022-10-17
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1207
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
index fd4ec339fd4..bd8261a759b 100644
--- a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
+++ b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml
@@ -8,8 +8,8 @@ description: Detects powershell script installed as a Service
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2022/11/29
+date: 2020-10-06
+modified: 2022-11-29
 tags:
     - attack.execution
     - attack.t1569.002
diff --git a/rules/windows/builtin/security/win_security_protected_storage_service_access.yml b/rules/windows/builtin/security/win_security_protected_storage_service_access.yml
index 633f721e8d7..0a738aabd3a 100644
--- a/rules/windows/builtin/security/win_security_protected_storage_service_access.yml
+++ b/rules/windows/builtin/security/win_security_protected_storage_service_access.yml
@@ -5,10 +5,10 @@ description: Detects access to a protected_storage service over the network. Pot
 references:
     - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-modified: 2021/11/27
+date: 2019-08-10
+modified: 2021-11-27
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
index 0b39686b59d..9e00ce5c946 100644
--- a/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
@@ -6,12 +6,12 @@ references:
     - https://twitter.com/SBousseaden/status/1096148422984384514
     - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
 author: Samir Bousseaden
-date: 2019/02/16
-modified: 2022/09/02
+date: 2019-02-16
+modified: 2022-09-02
 tags:
-    - attack.defense_evasion
-    - attack.command_and_control
-    - attack.lateral_movement
+    - attack.defense-evasion
+    - attack.command-and-control
+    - attack.lateral-movement
     - attack.t1090.001
     - attack.t1090.002
     - attack.t1021.001
diff --git a/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml
index fe018796a61..12b6abebf09 100644
--- a/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml
@@ -5,11 +5,11 @@ description: Detects potential use of Rubeus via registered new trusted logon pr
 references:
     - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
-date: 2019/10/24
-modified: 2022/10/09
+date: 2019-10-24
+modified: 2022-10-09
 tags:
-    - attack.lateral_movement
-    - attack.privilege_escalation
+    - attack.lateral-movement
+    - attack.privilege-escalation
     - attack.t1558.003
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
index 4e74565af40..5c0f306c97b 100644
--- a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
+++ b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
@@ -9,11 +9,11 @@ references:
     - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
 author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
-date: 2023/09/28
+date: 2023-09-28
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1574.011
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_remote_powershell_session.yml b/rules/windows/builtin/security/win_security_remote_powershell_session.yml
index a3c06b2b154..00e84fcb322 100644
--- a/rules/windows/builtin/security/win_security_remote_powershell_session.yml
+++ b/rules/windows/builtin/security/win_security_remote_powershell_session.yml
@@ -5,8 +5,8 @@ description: Detects basic PowerShell Remoting (WinRM) by monitoring for network
 references:
     - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-modified: 2022/10/09
+date: 2019-09-12
+modified: 2022-10-09
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_replay_attack_detected.yml b/rules/windows/builtin/security/win_security_replay_attack_detected.yml
index 47d992d631a..79eef53d90b 100644
--- a/rules/windows/builtin/security/win_security_replay_attack_detected.yml
+++ b/rules/windows/builtin/security/win_security_replay_attack_detected.yml
@@ -6,9 +6,9 @@ references:
     - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
     - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
 author: frack113
-date: 2022/10/14
+date: 2022-10-14
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1558
 logsource:
     service: security
diff --git a/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml b/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml
index e0e039e56d6..b2b959289c3 100644
--- a/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml
+++ b/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml
@@ -5,12 +5,12 @@ description: Detects handles requested to SAM registry hive
 references:
     - https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/12
-modified: 2021/11/27
+date: 2019-08-12
+modified: 2021-11-27
 tags:
     - attack.discovery
     - attack.t1012
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1552.002
 logsource:
     product: windows
diff --git a/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml b/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml
index 32e1d3cce86..819798bf43b 100644
--- a/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml
+++ b/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml
@@ -5,8 +5,8 @@ description: Detects non-system users failing to get a handle of the SCM databas
 references:
 - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/12
-modified: 2022/07/11
+date: 2019-08-12
+modified: 2022-07-11
 tags:
 - attack.discovery
 - attack.t1010
diff --git a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
index 33caeee2092..4fe9c2da3f6 100644
--- a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
+++ b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
@@ -5,10 +5,10 @@ description: Detects non-system users performing privileged operation os the SCM
 references:
 - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
-date: 2019/08/15
-modified: 2022/09/18
+date: 2019-08-15
+modified: 2022-09-18
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
index af624d7e78d..a67b53e1302 100644
--- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
@@ -8,8 +8,8 @@ description: Detects service installation of different remote access tools softw
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/23
-modified: 2023/11/15
+date: 2022-12-23
+modified: 2023-11-15
 tags:
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
index e9b47576efe..6b7dcfc1cd8 100644
--- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
@@ -10,10 +10,10 @@ references:
 - https://www.x86matthew.com/view_post?id=create_svc_rpc
 - https://twitter.com/SBousseaden/status/1490608838701166596
 author: Tim Rauch (Nextron Systems), Elastic (idea)
-date: 2022/09/15
-modified: 2023/01/04
+date: 2022-09-15
+modified: 2023-01-04
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml b/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
index 7dcc955bc0e..014709cebb2 100644
--- a/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
+++ b/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
 - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
 author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
-date: 2020/08/06
-modified: 2021/11/27
+date: 2020-08-06
+modified: 2021-11-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml
index 089b5483d29..4f5388a2a84 100644
--- a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml
+++ b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml
@@ -5,8 +5,8 @@ description: Addition of domains is seldom and should be verified for legitimacy
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706
 author: Thomas Patzke
-date: 2019/12/03
-modified: 2024/01/16
+date: 2019-12-03
+modified: 2024-01-16
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
index 60d809e4426..9019ef076b7 100644
--- a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
+++ b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
@@ -5,10 +5,10 @@ description: An attacker can use the SID history attribute to gain additional pr
 references:
 - https://adsecurity.org/?p=1772
 author: Thomas Patzke, @atc_project (improvements)
-date: 2017/02/19
+date: 2017-02-19
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1134.005
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml
index dd3ff20708c..70a0ecc6b20 100644
--- a/rules/windows/builtin/security/win_security_susp_computer_name.yml
+++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml
@@ -7,13 +7,13 @@ references:
 - https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py
 - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
 author: elhoim
-date: 2022/09/09
-modified: 2023/01/04
+date: 2022-09-09
+modified: 2023-01-04
 tags:
- - cve.2021.42278
- - cve.2021.42287
+ - cve.2021-42278
+ - cve.2021-42287
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml b/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml
index 1ee5e8e68be..6875253228c 100644
--- a/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml
+++ b/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml
@@ -12,8 +12,8 @@ references:
 - https://adsecurity.org/?p=1714
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
 author: Thomas Patzke
-date: 2017/02/19
-modified: 2020/08/23
+date: 2017-02-19
+modified: 2020-08-23
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
index db443a59835..00a5c062d41 100644
--- a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
@@ -6,13 +6,13 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
 - https://twitter.com/SBousseaden/status/1101431884540710913
 author: Florian Roth (Nextron Systems)
-date: 2017/02/19
-modified: 2022/06/29
+date: 2017-02-19
+modified: 2022-06-29
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
index b82c1100f83..8f8e1307007 100644
--- a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
+++ b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
@@ -5,10 +5,10 @@ description: Detects failed Kerberos TGT issue operation. This can be a sign of
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
 author: Florian Roth (Nextron Systems)
-date: 2017/02/10
-modified: 2024/01/16
+date: 2017-02-10
+modified: 2024-01-16
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1212
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml b/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml
index e4fc27fb3d6..68e73db122f 100644
--- a/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml
+++ b/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml
@@ -7,11 +7,11 @@ references:
 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
 - https://github.com/fox-it/LDAPFragger
 author: xknow @xknow_infosec
-date: 2019/03/24
-modified: 2022/10/05
+date: 2019-03-24
+modified: 2022-10-05
 tags:
 - attack.t1001.003
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml b/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml
index a94bacbefe8..51f5630e50c 100644
--- a/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml
@@ -5,8 +5,8 @@ description: Detects the creation of suspicious accounts similar to ANONYMOUS LO
 references:
 - https://twitter.com/SBousseaden/status/1189469425482829824
 author: James Pemberton / @4A616D6573
-date: 2019/10/31
-modified: 2022/10/09
+date: 2019-10-31
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
index a4ba750adb2..5e6a3c0dcfa 100644
--- a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
+++ b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
@@ -5,11 +5,11 @@ description: Detects suspicious processes logging on with explicit credentials
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
-date: 2020/10/05
-modified: 2022/08/03
+date: 2020-10-05
+modified: 2022-08-03
 tags:
 - attack.t1078
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump.yml
index c83f32e84c1..8591c8ad22d 100644
--- a/rules/windows/builtin/security/win_security_susp_lsass_dump.yml
+++ b/rules/windows/builtin/security/win_security_susp_lsass_dump.yml
@@ -5,10 +5,10 @@ description: Detects process handle on LSASS process with certain access mask an
 references:
 - https://twitter.com/jackcr/status/807385668833968128
 author: sigma
-date: 2017/02/12
-modified: 2022/10/09
+date: 2017-02-12
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
index f7d6edc4a9b..d612b07cbba 100644
--- a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
@@ -6,10 +6,10 @@ references:
 - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
-date: 2019/11/01
-modified: 2023/12/19
+date: 2019-11-01
+modified: 2023-12-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - car.2019-04-004
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml b/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
index 76d15c0f741..019d428a534 100644
--- a/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
@@ -5,8 +5,8 @@ description: Detects activity as "net user administrator /domain" and "net group
 references:
 - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
-date: 2017/03/07
-modified: 2022/08/22
+date: 2017-03-07
+modified: 2022-08-22
 tags:
 - attack.discovery
 - attack.t1087.002
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
index a5e567bac8a..721a836380c 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
@@ -5,9 +5,9 @@ description: Detects the extraction of password protected ZIP archives. See the
 references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
-date: 2022/05/09
+date: 2022-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
index 7695bc707df..03c9c7ef69e 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
@@ -5,10 +5,10 @@ description: Detects the extraction of password protected ZIP archives with susp
 references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
-date: 2022/05/09
+date: 2022-05-09
 tags:
- - attack.command_and_control
- - attack.defense_evasion
+ - attack.command-and-control
+ - attack.defense-evasion
 - attack.t1027
 - attack.t1105
 - attack.t1036
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
index a56d17fbee7..e6b90b3f541 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
@@ -5,10 +5,10 @@ description: Detects the extraction of password protected ZIP archives. See the
 references:
 - https://twitter.com/sbousseaden/status/1523383197513379841
 author: Florian Roth (Nextron Systems)
-date: 2022/05/09
+date: 2022-05-09
 tags:
- - attack.defense_evasion
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.initial-access
 - attack.t1027
 - attack.t1566.001
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
index 86e24c91880..b3f6f6f01d8 100644
--- a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
@@ -9,10 +9,10 @@ description: |
 references:
 - https://github.com/GhostPack/Rubeus
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/24
-modified: 2024/03/15
+date: 2019-10-24
+modified: 2024-03-15
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
index e53c65d65c9..fe014d71341 100644
--- a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
+++ b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
@@ -7,9 +7,9 @@ references:
 - https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
 - https://twitter.com/SBousseaden/status/1581300963650187264?
 author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
-date: 2022/10/17
+date: 2022-10-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1556
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_psexec.yml b/rules/windows/builtin/security/win_security_susp_psexec.yml
index a2ccfd7ae2e..30a0a7717e4 100644
--- a/rules/windows/builtin/security/win_security_susp_psexec.yml
+++ b/rules/windows/builtin/security/win_security_susp_psexec.yml
@@ -5,10 +5,10 @@ description: detects execution of psexec or paexec with renamed service name, th
 references:
 - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2022/08/11
+date: 2019-04-03
+modified: 2022-08-11
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml
index 4d1fad92a16..c5df4fceba7 100644
--- a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml
@@ -8,8 +8,8 @@ description: Detects known sensitive file extensions accessed on a network share
 references:
 - Internal Research
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2022/10/09
+date: 2019-04-03
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1039
diff --git a/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
index edac915ee6d..c9f7b1201d6 100644
--- a/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml
@@ -6,10 +6,10 @@ references:
 - https://adsecurity.org/?p=3458
 - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
 author: Florian Roth (Nextron Systems)
-date: 2017/02/06
-modified: 2022/06/19
+date: 2017-02-06
+modified: 2022-06-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
index 74a1d121b32..e9baa258663 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
@@ -5,11 +5,11 @@ description: Detects suspicious scheduled task creation events. Based on attribu
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
-modified: 2022/12/07
+date: 2022-12-05
+modified: 2022-12-07
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
index ef2b2741681..852c3c3561d 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
@@ -13,11 +13,11 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
-modified: 2023/03/13
+date: 2022-12-05
+modified: 2023-03-13
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
index f4bfb19da79..7c02f0e1298 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
@@ -8,10 +8,10 @@ description: Detects update to a scheduled task event that contain suspicious ke
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
+date: 2022-12-05
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_sdelete.yml b/rules/windows/builtin/security/win_security_susp_sdelete.yml
index 59e7648d973..4700f531631 100644
--- a/rules/windows/builtin/security/win_security_susp_sdelete.yml
+++ b/rules/windows/builtin/security/win_security_susp_sdelete.yml
@@ -7,11 +7,11 @@ references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
 author: Thomas Patzke
-date: 2017/06/14
-modified: 2021/11/27
+date: 2017-06-14
+modified: 2021-11-27
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 - attack.t1027.005
 - attack.t1485
diff --git a/rules/windows/builtin/security/win_security_susp_time_modification.yml b/rules/windows/builtin/security/win_security_susp_time_modification.yml
index aad7c7ab9d6..c166fde2d42 100644
--- a/rules/windows/builtin/security/win_security_susp_time_modification.yml
+++ b/rules/windows/builtin/security/win_security_susp_time_modification.yml
@@ -7,10 +7,10 @@ references:
 - Live environment caused by malware
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
 author: '@neu5ron'
-date: 2019/02/05
-modified: 2022/08/03
+date: 2019-02-05
+modified: 2022-08-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.006
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
index 7b980ffe534..218d5801568 100644
--- a/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
+++ b/rules/windows/builtin/security/win_security_svcctl_remote_service.yml
@@ -5,10 +5,10 @@ description: Detects remote service activity via remote access to the svcctl nam
 references:
 - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
 author: Samir Bousseaden
-date: 2019/04/03
-modified: 2024/08/01
+date: 2019-04-03
+modified: 2024-08-01
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.persistence
 - attack.t1021.002
 logsource:
diff --git a/rules/windows/builtin/security/win_security_syskey_registry_access.yml b/rules/windows/builtin/security/win_security_syskey_registry_access.yml
index d8f4129d4d7..470e9e0837d 100644
--- a/rules/windows/builtin/security/win_security_syskey_registry_access.yml
+++ b/rules/windows/builtin/security/win_security_syskey_registry_access.yml
@@ -5,8 +5,8 @@ description: Detects handle requests and access operations to specific registry
 references:
 - https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/12
-modified: 2021/11/27
+date: 2019-08-12
+modified: 2021-11-27
 tags:
 - attack.discovery
 - attack.t1012
diff --git a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
index b47d83f3fdf..a1b3ecb9765 100644
--- a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
+++ b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
@@ -8,10 +8,10 @@ references:
 - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
 - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/07/14
-modified: 2022/10/05
+date: 2020-07-14
+modified: 2022-10-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml
index ff65a76a6c1..8fcc028fd86 100644
--- a/rules/windows/builtin/security/win_security_tap_driver_installation.yml
+++ b/rules/windows/builtin/security/win_security_tap_driver_installation.yml
@@ -9,8 +9,8 @@ description: |
 references:
 - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-modified: 2022/11/29
+date: 2019-10-24
+modified: 2022-11-29
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml b/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml
index e4f35cbe9a6..5fda47dedc8 100644
--- a/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml
+++ b/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml
@@ -6,9 +6,9 @@ references:
 - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
 - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
 author: '@SerkinValery'
-date: 2022/09/16
+date: 2022-09-16
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml b/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
index 764c26f347c..a29d47668c6 100644
--- a/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
+++ b/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
@@ -8,10 +8,10 @@ description: Transferring files with well-known filenames (sensitive files with
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2021/11/30
+date: 2019-10-22
+modified: 2021-11-30
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 - attack.t1003.001
 - attack.t1003.003
diff --git a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
index b0a7a7c6e9d..d570c0c0345 100644
--- a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
 - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
 author: Florian Roth (Nextron Systems)
-date: 2017/03/14
-modified: 2021/01/17
+date: 2017-03-14
+modified: 2021-01-17
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1078
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
index f94c8925333..922817af3b7 100644
--- a/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
+++ b/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
@@ -5,11 +5,11 @@ description: The 'LsaRegisterLogonProcess' function verifies that the applicatio
 references:
 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
-date: 2019/10/24
-modified: 2022/12/25
+date: 2019-10-24
+modified: 2022-12-25
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_user_creation.yml b/rules/windows/builtin/security/win_security_user_creation.yml
index 78d7ba34d5e..9e88f7cc078 100644
--- a/rules/windows/builtin/security/win_security_user_creation.yml
+++ b/rules/windows/builtin/security/win_security_user_creation.yml
@@ -6,8 +6,8 @@ description: |
 references:
 - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
 author: Patrick Bareiss
-date: 2019/04/18
-modified: 2021/01/17
+date: 2019-04-18
+modified: 2021-01-17
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
index 4da100b23b5..b136b45deac 100644
--- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
@@ -11,10 +11,10 @@ references:
 - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
-date: 2019/04/08
-modified: 2023/01/20
+date: 2019-04-08
+modified: 2023-01-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_user_logoff.yml b/rules/windows/builtin/security/win_security_user_logoff.yml
index 26b2506d593..d4a82efaa74 100644
--- a/rules/windows/builtin/security/win_security_user_logoff.yml
+++ b/rules/windows/builtin/security/win_security_user_logoff.yml
@@ -7,7 +7,7 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
 author: frack113
-date: 2022/10/14
+date: 2022-10-14
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml b/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml
index aa7ac6d0922..0782981c61e 100644
--- a/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml
+++ b/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml
@@ -5,10 +5,10 @@ description: Detects the registration of the security event source VSSAudit. It
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/20
-modified: 2022/04/28
+date: 2020-10-20
+modified: 2022-04-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
index 7d4de724c2e..0ab0d4de076 100644
--- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
+++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
@@ -11,10 +11,10 @@ description: |
 references:
 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 author: '@BarryShooshooga'
-date: 2019/10/26
-modified: 2023/11/11
+date: 2019-10-26
+modified: 2023-11-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
index b7dfbafedf0..b6f0cf9e63e 100644
--- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
+++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
@@ -11,10 +11,10 @@ description: |
 references:
 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)'
-date: 2019/10/26
-modified: 2023/11/11
+date: 2019-10-26
+modified: 2023-11-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml
index b207c81b499..8eb1730c244 100644
--- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml
+++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml
@@ -11,10 +11,10 @@ description: |
 references:
 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 author: '@BarryShooshooga'
-date: 2019/10/26
-modified: 2023/11/11
+date: 2019-10-26
+modified: 2023-11-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml
index 6b22aa5111a..f62732b0e9e 100644
--- a/rules/windows/builtin/security/win_security_wmi_persistence.yml
+++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml
@@ -9,11 +9,11 @@ references:
 - https://twitter.com/mattifestation/status/899646620148539397
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
-date: 2017/08/22
-modified: 2022/11/29
+date: 2017-08-22
+modified: 2022-11-29
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml
index f5513f12eb7..b7adcd807b7 100644
--- a/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml
@@ -5,12 +5,12 @@ description: Detects a threat actor creating a file named `wbemcomn.dll` in the
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/12
-modified: 2022/02/24
+date: 2020-10-12
+modified: 2022-02-24
 tags:
 - attack.execution
 - attack.t1047
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_workstation_was_locked.yml b/rules/windows/builtin/security/win_security_workstation_was_locked.yml
index 228c87f6808..0c3c3f7f02f 100644
--- a/rules/windows/builtin/security/win_security_workstation_was_locked.yml
+++ b/rules/windows/builtin/security/win_security_workstation_was_locked.yml
@@ -8,8 +8,8 @@ references:
 - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
 author: Alexandr Yampolskyi, SOC Prime
-date: 2019/03/26
-modified: 2023/12/11
+date: 2019-03-26
+modified: 2023-12-11
 tags:
 - attack.impact
 # - CSC16
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
index 7c6db1228e3..cd7efac763a 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
@@ -5,10 +5,10 @@ description: Detects Code Integrity (CI) engine blocking Microsoft Defender's pr
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
-date: 2022/08/02
-modified: 2022/09/28
+date: 2022-08-02
+modified: 2022-09-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
index 3a898b6c972..91d4c259068 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
@@ -5,10 +5,10 @@ description: Detects Code Integrity (CI) engine blocking processes from loading
 references:
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/03
-modified: 2022/09/28
+date: 2022-08-03
+modified: 2022-09-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
index b230cae6fd4..db01cceebd6 100644
--- a/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
+++ b/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml
@@ -5,14 +5,14 @@ description: Rule to detect the Hybrid Connection Manager service running on an
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-modified: 2022/10/09
+date: 2021-04-12
+modified: 2024-08-05
 tags:
 - attack.persistence
 - attack.t1554
 logsource:
 product: windows
- service: microsoft-servicebus-client
+ service: microsoft-servicebus-client # Change to servicebus-client once validators are up to date
 detection:
 selection:
 EventID:
diff --git a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
index c91228aeba2..300e42fa672 100644
--- a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
+++ b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
@@ -5,7 +5,7 @@ description: Detects suspicious application installed by looking at the added sh
 references:
 - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
+date: 2022-08-14
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml b/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml
index 7405115fe32..45318997bd6 100644
--- a/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml
+++ b/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml
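Review bot: The trailing comment added to the `service:` line in the `win_hybridconnectionmgr_svc_running.yml` hunk records a pending rename with nothing that tracks it, so once the validators accept the new name the only way to find this rule again is to grep for the comment text. A tracking reference would make the follow-up discoverable, e.g. `service: microsoft-servicebus-client # TODO(<tracking-issue>): switch to servicebus-client once validators accept it`. The same hunk bumps `modified` to 2024-08-05 although the logsource value itself is unchanged and only a comment was added; if the repository convention is to bump `modified` for comment-only edits that is fine, otherwise downstream consumers that key on `modified` will presumably see a rule change that is not one.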
@@ -7,10 +7,10 @@ references:
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/afwu/PrintNightmare
 author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
-date: 2021/06/30
-modified: 2023/01/02
+date: 2021-06-30
+modified: 2023-01-02
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
index 65e23658907..b3e83bfc551 100644
--- a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
+++ b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
@@ -5,10 +5,10 @@ description: Detects application popup reporting a failure of the Sysmon service
 references:
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
 author: Tim Shelton
-date: 2022/04/26
-modified: 2024/01/17
+date: 2022-04-26
+modified: 2024-01-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
index 9d36b3efb70..d5e0fa9099e 100644
--- a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
+++ b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
@@ -5,11 +5,11 @@ description: Detects the reporting of NTLMv1 being used between a client and ser
 references:
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
 author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/04/26
-modified: 2023/06/06
+date: 2022-04-26
+modified: 2023-06-06
 tags:
- - attack.defense_evasion
- - attack.lateral_movement
+ - attack.defense-evasion
+ - attack.lateral-movement
 - attack.t1550.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
index cbf709c134e..eebe651bf39 100644
--- a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
+++ b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
 - https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
 author: '@SerkinValery'
-date: 2024/03/07
+date: 2024-03-07
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1553.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
index 8d519b33e29..e0f83b4a23b 100644
--- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
+++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
@@ -7,10 +7,10 @@ references:
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 author: Dimitrios Slamaris
-date: 2017/05/15
-modified: 2022/12/25
+date: 2017-05-15
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
index 13ac06e4174..6477e14caad 100644
--- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
@@ -7,10 +7,10 @@ references:
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 author: 'Dimitrios Slamaris, @atc_project (fix)'
-date: 2017/05/15
-modified: 2022/12/25
+date: 2017-05-15
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml b/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml
index 4242b3e893d..b66746f39f0 100644
--- a/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml
+++ b/rules/windows/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml
@@ -11,10 +11,10 @@ description: |
 references:
 - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
 author: frack113
-date: 2021/12/15
-modified: 2023/04/14
+date: 2021-12-15
+modified: 2023-04-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
index 2d0c1e5f30a..63dddc65fe5 100644
--- a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
@@ -5,8 +5,8 @@ description: Detects the invocation of TabTip via CLSID as seen when JuicyPotato
 references:
 - https://github.com/antonioCoco/JuicyPotatoNG
 author: Florian Roth (Nextron Systems)
-date: 2022/10/07
-modified: 2023/04/14
+date: 2022-10-07
+modified: 2023-04-14
 tags:
 - attack.execution
 - attack.t1557.001
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
index d3e99b675c1..961484a1149 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
@@ -2,7 +2,7 @@ title: Eventlog Cleared
 id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
 related:
 - id: f2f01843-e7b8-4f95-a35a-d23584476423
- type: obsoletes
+ type: obsolete
 - id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
 type: derived
 - id: 100ef69e-3327-481c-8e5c-6d80d9507556
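Review bot: The `related.type` value in the `win_system_eventlog_cleared.yml` hunk changes from `obsoletes` to `obsolete`, and the same rename appears in the `win_system_susp_critical_hive_location_access_bits_cleared.yml` hunk further down; unlike the date and tag reformatting around it, this is a value consumed by the rule validators and converters rather than free text, so it only holds if the schema and the validator tests accept `obsolete`, which cannot be confirmed from these hunks. The other entries in the same `related` list keep `type: derived`, so the list itself is consistent after the change. Since this edits rule relationship metadata rather than formatting alone, it may also be worth bumping `modified` in the two affected rules, which the later hunk in the same file leaves at `2023-11-15`.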
@@ -13,10 +13,10 @@ references:
 - https://twitter.com/deviouspolack/status/832535435960209408
 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/01/10
-modified: 2023/11/15
+date: 2017-01-10
+modified: 2023-11-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.001
 - car.2016-04-002
 logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
index b0ebfd71703..a52cbbdbb98 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/deviouspolack/status/832535435960209408
 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/17
-modified: 2023/11/15
+date: 2022-05-17
+modified: 2023-11-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.001
 - car.2016-04-002
 logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
index f1621267096..dcc6b71cd3b 100644
--- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
+++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
 author: '@br4dy5'
-date: 2023/10/09
+date: 2023-10-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml
index 9b075ce61ee..9fd6f5b50e9 100644
--- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml
+++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml
@@ -5,9 +5,9 @@ description: Detects the exploitation of a security bypass and elevation of priv
 references:
 - https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
 author: Florian Roth (Nextron Systems)
-date: 2022/11/09
+date: 2022-11-09
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
index 1d567589f0f..e87cd0f4fed 100644
--- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
+++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
 author: '@SerkinValery'
-date: 2024/03/07
+date: 2024-03-07
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml
index b102505ba2b..2f639342d68 100644
--- a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml
@@ -2,7 +2,7 @@ title: Critical Hive In Suspicious Location Access Bits Cleared
 id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
 related:
 - id: 839dd1e8-eda8-4834-8145-01beeee33acd
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.
@@ -11,10 +11,10 @@ description: |
 references:
 - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
 author: Florian Roth (Nextron Systems)
-date: 2017/05/15
-modified: 2024/01/18
+date: 2017-05-15
+modified: 2024-01-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml b/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml
index 4b19beb712f..f32b7aa939c 100644
--- a/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml
+++ b/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml
@@ -5,10 +5,10 @@ description: Detects volume shadow copy mount via Windows event log
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
-date: 2020/10/20
-modified: 2022/12/25
+date: 2020-10-20
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
index 770c1aaf58b..04fbf91e3eb 100644
--- a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
+++ b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
@@ -5,8 +5,8 @@ description: During exploitation of this vulnerability, two logs (Provider_Name:
 references:
 - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
 author: Cybex
-date: 2022/08/16
-modified: 2023/05/02
+date: 2022-08-16
+modified: 2023-05-02
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml
index eab993b0d42..1df102e8e9a 100644
--- a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml
+++ b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml
@@ -6,11 +6,11 @@ description: |
 references:
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
 author: frack113
-date: 2021/12/04
-modified: 2023/09/07
+date: 2021-12-04
+modified: 2023-09-07
 tags:
 - attack.impact
- - attack.resource_development
+ - attack.resource-development
 - attack.t1584
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
index 6896cf4c050..78beaf65e84 100644
--- a/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
+++ b/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
@@ -6,11 +6,11 @@ references:
 - https://www.secura.com/blog/zero-logon
 - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
 author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
-date: 2020/10/13
-modified: 2021/05/30
+date: 2020-10-13
+modified: 2021-05-30
 tags:
 - attack.t1210
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 service: system
 product: windows
diff --git a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
index e7863d86186..95c8eaecffd 100644
--- a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
+++ b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
@@ -5,10 +5,10 @@ description: Detects that a vulnerable Netlogon secure channel connection was al
 references:
 - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
 author: NVISO
-date: 2020/09/15
-modified: 2022/12/25
+date: 2020-09-15
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml b/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml
index de52eb1c457..d4e12c42404 100644
--- a/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml
+++ b/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml
@@ -7,8 +7,8 @@ references:
 - https://twitter.com/wdormann/status/1347958161609809921
 - https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
 author: Florian Roth (Nextron Systems)
-date: 2021/01/11
-modified: 2022/12/25
+date: 2021-01-11
+modified: 2022-12-25
 tags:
 - attack.impact
 - attack.t1499.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
index 6caf3310780..cfc58dc46bc 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
@@ -7,12 +7,12 @@ references:
 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Florian Roth (Nextron Systems), Wojciech Lesicki
-date: 2021/05/26
-modified: 2022/11/27
+date: 2021-05-26
+modified: 2022-11-27
 tags:
 - attack.execution
- - attack.privilege_escalation
- - attack.lateral_movement
+ - attack.privilege-escalation
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1543.003
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
index 070b17a6f6a..411f95eabf6 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
@@ -9,10 +9,10 @@ references:
 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2024/07/02
+date: 2020-07-28
+modified: 2024-07-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml
index 8a39f3357dd..b3f06d2b3e8 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
 - https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
 author: Omer Faruk Celik
-date: 2018/03/20
-modified: 2023/11/09
+date: 2018-03-20
+modified: 2023-11-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.execution
 - attack.t1021.002
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
index 59e71979882..39b32fed475 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2023/02/20
+date: 2020-10-13
+modified: 2023-02-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
index a5705e02761..e8027d7cc5b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
@@ -5,10 +5,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-modified: 2022/11/27
+date: 2019-11-08
+modified: 2022-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
index cb8ed0b06ed..54dcd16fe50 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2022/11/29
+date: 2020-10-15
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
index 9093a4cd75c..e93da25ac9f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2022/11/29
+date: 2020-10-15
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml
index 0ec20cf6bc5..62c23a05d13 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
index 0ba877ee09b..840afa85b0b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
index ddefd3987c7..2c8f22e3067 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2022/11/29
+date: 2020-10-12
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
index d56f13de0ac..d765a34e303 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
index 61226ef7134..3c651c983eb 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
index f5563464727..0cc6d9f9005 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2022/11/29
+date: 2020-10-09
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
index a4079482785..36f4c36ec37 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2022/11/29
+date: 2020-10-13
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
index f0034102c6b..b19f342ab5e 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml
@@ -5,10 +5,10 @@ description: Detects service creation from KrbRelayUp tool used for privilege es
 references:
 - https://github.com/Dec0ne/KrbRelayUp
 author: Sittikorn S, Tim Shelton
-date: 2022/05/11
-modified: 2022/10/05
+date: 2022-05-11
+modified: 2022-10-05
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml b/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
index 1d7d7ac4666..a99218ab336 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
@@ -5,10 +5,10 @@ description: Detects well-known credential dumping tools execution via service e
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2017/03/05
-modified: 2022/11/29
+date: 2017-03-05
+modified: 2022-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.execution
 - attack.t1003.001
 - attack.t1003.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 265d3dd5e8e..6292f812565 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -6,10 +6,10 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
-date: 2019/10/26
-modified: 2023/11/15
+date: 2019-10-26
+modified: 2023-11-15
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml b/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml
index 27d3ba47b7b..308b986d08a 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml
@@ -5,11 +5,11 @@ description: Detects the use of Moriya rootkit as described in the securelist's
 references:
 - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 author: Bhabesh Raj
-date: 2021/05/06
-modified: 2022/11/29
+date: 2021-05-06
+modified: 2022-11-29
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml b/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml
index be4085f9c6b..6a3cafcb1d8 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml
@@ -5,8 +5,8 @@ description: Detects powershell script installed as a Service
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2022/12/25
+date: 2020-10-06
+modified: 2022-12-25
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
index 4d537201809..b791bb29a23 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
@@ -5,7 +5,7 @@ description: Detects the installation of the anydesk software service. Which cou
 references:
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/11
+date: 2022-08-11
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
index baf83193713..45df915de3d 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
@@ -5,7 +5,7 @@ description: Detects CSExec service installation and execution events
 references:
 - https://github.com/malcomvetter/CSExec
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/07
+date: 2023-08-07
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
index 37789edc510..03db913f664 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
@@ -5,8 +5,8 @@ description: Detects installation or execution of services
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/21
-modified: 2023/08/07
+date: 2022-03-21
+modified: 2023-08-07
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml
index b776def8618..e3e0c2f2bc8 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml
@@ -5,9 +5,9 @@ description: Detects a Mesh Agent service installation. Mesh Agent is used to re
 references:
 - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/28
+date: 2022-11-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml
index 6195191592d..a2b8196102a 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml
@@ -5,7 +5,7 @@ description: Detects NetSupport Manager service installation on the target syste
 references:
 - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/31
+date: 2022-10-31
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml
index e8af235b938..16fb2a3d9b2 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml
@@ -5,7 +5,7 @@ description: Detects PAExec service installation
 references:
 - https://www.poweradmin.com/paexec/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/26
+date: 2022-10-26
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
index 235d7bbf743..0297275ba7f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/22
+date: 2022-07-22
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
index e0fc962c66d..e73fdcdd425 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/22
+date: 2022-07-22
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
index 9abe07d8029..ca7f6c3bef3 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml
@@ -5,11 +5,11 @@ description: Detects a ProcessHacker tool that elevated privileges to a very hig
 references:
 - https://twitter.com/1kwpeter/status/1397816101455765504
 author: Florian Roth (Nextron Systems)
-date: 2021/05/27
-modified: 2022/12/25
+date: 2021-05-27
+modified: 2022-12-25
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1569.002
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
index 0cafdc5b2fc..9a9e3ff2026 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
@@ -5,7 +5,7 @@ description: Detects RemCom service installation and execution events
 references:
 - https://github.com/kavika13/RemCom/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/07
+date: 2023-08-07
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
index 547e49c51d6..5870fe312cb 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml
@@ -8,8 +8,8 @@ description: Detects service installation of different remote access tools softw
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Connor Martin, Nasreddine Bencherchali
-date: 2022/12/23
-modified: 2023/06/22
+date: 2022-12-23
+modified: 2023-06-22
 tags:
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml
index 5df7a75d6c2..23b45d5b055 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml
@@ -5,7 +5,7 @@ description: Detects Remote Utilities Host service installation on the target sy
 references:
 - https://www.remoteutilities.com/support/kb/host-service-won-t-start/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/31
+date: 2022-10-31
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
index 3ed1e197191..cfbdb8c8401 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
 - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/25
+date: 2022-08-25
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1569.002
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
index f1f6aa13642..ad3fc9e5082 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml
@@ -8,10 +8,10 @@ description: Detects a service installed by a client which has PID 0 or whose pa
 references:
 - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
 author: Tim Rauch (Nextron Systems), Elastic (idea)
-date: 2022/09/15
-modified: 2023/01/04
+date: 2022-09-15
+modified: 2023-01-04
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml
index a945fed5ca1..c9304235a5b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml
@@ -2,7 +2,7 @@ title: Suspicious Service Installation
 id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
 related:
 - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
- type: obsoletes
+ type: obsolete
 - id: 26481afe-db26-4228-b264-25a29fe6efc7
 type: similar
 status: test
@@ -10,11 +10,11 @@ description: Detects suspicious service installation commands
 references:
 - Internal Research
 author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/03/18
-modified: 2023/12/04
+date: 2022-03-18
+modified: 2023-12-04
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-09-005
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
index bcd9b1bbcce..2b2493f8242 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
@@ -6,8 +6,8 @@ references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
-date: 2017/06/12
-modified: 2023/08/04
+date: 2017-06-12
+modified: 2023-08-04
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml
index bb2a9e3e19a..246883fb086 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml
@@ -5,9 +5,9 @@ description: Detects a TacticalRMM service installation. Tactical RMM is a remot
 references:
 - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/28
+date: 2022-11-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml
index 940b6985013..8f382c76d1c 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml
@@ -5,8 +5,8 @@ description: Well-known TAP software installation. Possible preparation for data
 references:
 - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-modified: 2022/12/25
+date: 2019-10-24
+modified: 2022-12-25
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml
index c2a70bee3f9..70611e84677 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml
@@ -2,7 +2,7 @@ title: Uncommon Service Installation Image Path
 id: 26481afe-db26-4228-b264-25a29fe6efc7
 related:
 - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
- type: obsoletes
+ type: obsolete
 - id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
 type: derived
 status: test
@@ -11,11 +11,11 @@ description: |
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/18
-modified: 2024/02/09
+date: 2022-03-18
+modified: 2024-02-09
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-09-005
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
index 6eb9322bdbc..6115cacc49f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
@@ -8,9 +8,9 @@ description: Detects Windows services that got terminated for whatever reason
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/14
+date: 2023-04-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
index d3886e2626e..3eb452ea3d4 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
@@ -8,9 +8,9 @@ description: Detects important or interesting Windows services that got terminat
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/14
+date: 2023-04-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
index 24ffbd18c3c..e44829b323f 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
@@ -5,9 +5,9 @@ description: Detects important or interesting Windows services that got terminat
 references:
 - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/14
+date: 2023-04-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml
index 43297d00e09..8296b40e6ef 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml
@@ -5,7 +5,7 @@ description: Detects the installation of RTCore service. Which could be an indic
 references:
 - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/30
+date: 2022-08-30
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml
index 1300592fcac..7ff5299df05 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml
@@ -5,11 +5,11 @@ description: Detects service installation in suspicious folder appdata
 author: pH-T (Nextron Systems)
 references:
 - Internal Research
-date: 2022/03/18
-modified: 2024/01/18
+date: 2022-03-18
+modified: 2024-01-18
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-09-005
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml
index 9f2a7684286..c4683863067 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml
@@ -5,11 +5,11 @@ description: Detects service installation with suspicious folder patterns
 references:
 - Internal Research
 author: pH-T (Nextron Systems)
-date: 2022/03/18
-modified: 2022/03/24
+date: 2022-03-18
+modified: 2022-03-24
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-09-005
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
index 9ece1ae07c0..e859d107073 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
@@ -5,11 +5,11 @@ description: Detects suspicious service installation scripts
 references:
 - Internal Research
 author: pH-T (Nextron Systems)
-date: 2022/03/18
-modified: 2024/03/05
+date: 2022-03-18
+modified: 2024-03-05
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - car.2013-09-005
 - attack.t1543.003
 logsource:
diff --git a/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
index a0aa3002fd9..4abbd93921c 100644
--- a/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
+++ b/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/zerosum0x0/CVE-2019-0708
 - https://github.com/Ekultek/BlueKeep
 author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
-date: 2019/05/24
-modified: 2022/12/25
+date: 2019-05-24
+modified: 2022-12-25
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
index 0ab9f4d9ee2..247c55c6ec2 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml
@@ -5,8 +5,8 @@ description: Detects the execution of Scheduled Tasks where the Program being ru
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
-modified: 2023/02/07
+date: 2022-12-05
+modified: 2023-02-07
 tags:
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
index 0a6712f81a1..98b48af795a 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml
@@ -5,8 +5,8 @@ description: Detects the execution of Scheduled Tasks where the program being ru
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/05
-modified: 2023/02/07
+date: 2022-12-05
+modified: 2023-02-07
 tags:
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
index 95cd96d8e1f..013f2515707 100644
--- a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
+++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml
@@ -11,8 +11,8 @@ description: |
 references:
 - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
 author: frack113
-date: 2023/01/13
-modified: 2023/02/07
+date: 2023-01-13
+modified: 2023-02-07
 tags:
 - attack.impact
 - attack.t1489
diff --git a/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml b/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
index 2a9acc56b0e..6667318a659 100644
--- a/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
+++ b/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
 - https://ngrok.com/
 author: Florian Roth (Nextron Systems)
-date: 2022/04/29
+date: 2022-04-29
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 logsource:
 product: windows
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 5a985b573fd..99a8a9de0f0 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -5,12 +5,12 @@ description: This method detects mimikatz keywords in different Eventlogs (some
 references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-date: 2017/01/10
-modified: 2022/01/05
+date: 2017-01-10
+modified: 2022-01-05
 tags:
 - attack.s0002
- - attack.lateral_movement
- - attack.credential_access
+ - attack.lateral-movement
+ - attack.credential-access
 - car.2013-07-001
 - car.2019-04-004
 - attack.t1003.002
diff --git a/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml b/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml
index 75f040b4844..beba99457f5 100644
--- a/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml
+++ b/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml
@@ -2,7 +2,7 @@ title: Windows Defender Grace Period Expired
 id: 360a1340-398a-46b6-8d06-99b905dc69d2
 related:
 - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
- type: obsoletes
+ type: obsolete
 status: stable
 description: |
 Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
@@ -11,10 +11,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
 author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2023/11/22
+date: 2020-07-28
+modified: 2023-11-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml b/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml
index 9db77659ac3..a6a1ba4298d 100644
--- a/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml
+++ b/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml
@@ -5,10 +5,10 @@ description: Detects Access to LSASS Process
 references:
 - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
 author: Markus Neis
-date: 2018/08/26
-modified: 2022/08/13
+date: 2018-08-26
+modified: 2022-08-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml b/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml
index 7561989329b..6abb9df5bb8 100644
--- a/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml
+++ b/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml
@@ -6,11 +6,11 @@ references:
 - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
 - https://twitter.com/duff22b/status/1280166329660497920
 author: Bhabesh Raj
-date: 2020/07/14
-modified: 2022/12/25
+date: 2020-07-14
+modified: 2022-12-25
 tags:
 - attack.execution
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1047
 - attack.t1569.002
 logsource:
diff --git a/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml b/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
index 01079979e5d..9c8054db648 100644
--- a/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
+++ b/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
@@ -5,10 +5,10 @@ description: Detects the Setting of Windows Defender Exclusions
 references:
 - https://twitter.com/_nullbind/status/1204923340810543109
 author: Christian Burkard (Nextron Systems)
-date: 2021/07/06
-modified: 2022/12/06
+date: 2021-07-06
+modified: 2022-12-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
index bfcc7be3f8f..64df6be559f 100644
--- a/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
+++ b/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2022/12/06
+date: 2022-08-05
+modified: 2022-12-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml b/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml
index fddc68abb5f..06b7726751d 100644
--- a/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml
+++ b/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml
@@ -13,9 +13,9 @@ references:
 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
 - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/06
+date: 2022-12-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml
index 1898d982330..e035f90d5c1 100644
--- a/rules/windows/builtin/windefend/win_defender_history_delete.yml
+++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
 - https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
 author: Cian Heasley
-date: 2020/08/13
-modified: 2023/11/24
+date: 2020-08-13
+modified: 2023-11-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml b/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml
index b73bb5b51e0..9250b54aede 100644
--- a/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml
@@ -2,7 +2,7 @@ title: Windows Defender Malware And PUA Scanning Disabled
 id: bc275be9-0bec-4d77-8c8f-281a2df6710f
 related:
 - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
 references:
@@ -10,10 +10,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
 author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2023/11/22
+date: 2020-07-28
+modified: 2023-11-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml b/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml
index 2d3a914e8ae..e797742bbd6 100644
--- a/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml
+++ b/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml
@@ -5,8 +5,8 @@ description: Detects triggering of AMSI by Windows Defender.
 references:
 - https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
 author: Bhabesh Raj
-date: 2020/09/14
-modified: 2022/12/07
+date: 2020-09-14
+modified: 2022-12-07
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
index ac37b13c72c..65d7a385748 100644
--- a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
@@ -2,7 +2,7 @@ title: Windows Defender Real-time Protection Disabled
 id: b28e58e4-2a72-4fae-bdee-0fbe904db642
 related:
 - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
- type: obsoletes
+ type: obsolete
 status: stable
 description: |
 Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
@@ -11,10 +11,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
 author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2023/11/22
+date: 2020-07-28
+modified: 2023-11-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
index 6154f8796c1..cf7a8b23109 100644
--- a/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
+++ b/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
@@ -7,10 +7,10 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
 - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 # Contains the list of Feature Names (use for filtering purposes)
 author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)
-date: 2023/03/28
-modified: 2023/05/05
+date: 2023-03-28
+modified: 2023-05-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
index bae44cbf7d7..71b80b1c47c 100644
--- a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
+++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
@@ -5,9 +5,9 @@ description: Detects the restoration of files from the defender quarantine
 references:
 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/06
+date: 2022-12-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
index 4dbb69a59db..0f067419191 100644
--- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
@@ -13,10 +13,10 @@ references:
 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
 - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/06
-modified: 2023/11/24
+date: 2022-12-06
+modified: 2023-11-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index bde332ed922..eff4df1941e 100644
--- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
@@ -6,10 +6,10 @@ references:
 - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
 author: Bhabesh Raj, Nasreddine Bencherchali
-date: 2021/07/05
-modified: 2022/12/06
+date: 2021-07-05
+modified: 2022-12-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml
index 9740f112d14..cad13d4f4db 100644
--- a/rules/windows/builtin/windefend/win_defender_threat.yml
+++ b/rules/windows/builtin/windefend/win_defender_threat.yml
@@ -5,7 +5,7 @@ description: Detects actions taken by Windows Defender malware detection engines
 references:
 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
 author: Ján Trenčanský
-date: 2020/07/28
+date: 2020-07-28
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml b/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml
index 30ddbabaa66..e21d92c0934 100644
--- a/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml
@@ -2,7 +2,7 @@ title: Windows Defender Virus Scanning Feature Disabled
 id: 686c0b4b-9dd3-4847-9077-d6c1bbe36fcb
 related:
 - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects disabling of the Windows Defender virus scanning feature
 references:
@@ -10,10 +10,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
 author: Ján Trenčanský, frack113
-date: 2020/07/28
-modified: 2023/11/22
+date: 2020-07-28
+modified: 2023-11-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/wmi/win_wmi_persistence.yml b/rules/windows/builtin/wmi/win_wmi_persistence.yml
index 50d6f96cbce..e48c4ca18a4 100644
--- a/rules/windows/builtin/wmi/win_wmi_persistence.yml
+++ b/rules/windows/builtin/wmi/win_wmi_persistence.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/mattifestation/status/899646620148539397
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
-date: 2017/08/22
-modified: 2022/02/10
+date: 2017-08-22
+modified: 2022-02-10
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.003
 logsource:
 product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
index 8c55c588245..1605c54ba0d 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
 - https://github.com/mdsecactivebreach/CACTUSTORCH
 author: '@SBousseaden (detection), Thomas Patzke (rule)'
-date: 2019/02/01
-modified: 2023/05/05
+date: 2019-02-01
+modified: 2023-05-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1055.012
 - attack.t1059.005
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
index 65d3671a08b..06da54deb50 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
@@ -6,10 +6,10 @@ references:
 - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
-date: 2018/11/30
-modified: 2023/05/05
+date: 2018-11-30
+modified: 2023-05-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055.001
 logsource:
 product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml
index 566018fe94c..89899e23e55 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/denandz/KeeFarce
 - https://github.com/GhostPack/KeeThief
 author: Timon Hackenjos
-date: 2022/04/22
-modified: 2023/05/05
+date: 2022-04-22
+modified: 2023-05-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.005
 logsource:
 product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
index fce977a4f4f..8581ece3220 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/28
-modified: 2024/01/22
+date: 2023-07-28
+modified: 2024-01-22
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: windows
 category: create_remote_thread
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml
index f9ef4cef677..4dde50a9b52 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml
@@ -2,7 +2,7 @@ title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
 id: fb656378-f909-47c1-8747-278bf09f4f4f
 related:
 - id: 3f07b9d1-2082-4c56-9277-613a621983cc
- type: obsoletes
+ type: obsolete
 - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
 type: similar
 status: test
@@ -10,10 +10,10 @@ description: Detects remote thread creation by PowerShell processes into "lsass.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2022/12/18
+date: 2020-10-06
+modified: 2022-12-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
index 1ebba8e8c49..1a1dfe74173 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
@@ -8,10 +8,10 @@ description: Detects the creation of a remote thread from a Powershell process i
 references:
 - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
 author: Florian Roth (Nextron Systems)
-date: 2018/06/25
-modified: 2023/11/10
+date: 2018-06-25
+modified: 2023-11-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.011
 - attack.t1059.001
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
index 6a1cf6d94fb..c2e1e20aaa6 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
 author: Thomas Patzke
-date: 2017/02/19
-modified: 2021/06/21
+date: 2017-02-19
+modified: 2021-06-21
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.s0005
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
index 137f6792c5f..99cbf4cf945 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
@@ -9,11 +9,11 @@ references:
 - Personal research, statistical analysis
 - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
-date: 2019/10/27
-modified: 2024/07/15
+date: 2019-10-27
+modified: 2024-07-15
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
index a7b3226120c..64664432942 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
@@ -8,9 +8,9 @@ references:
 - https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
 - https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
 author: Splunk Research Team
-date: 2024/07/29
+date: 2024-07-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
index ea7fc5d6654..ea5eeaeb666 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
@@ -9,11 +9,11 @@ references:
 - Personal research, statistical analysis
 - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
-date: 2019/10/27
-modified: 2024/07/15
+date: 2019-10-27
+modified: 2024-07-15
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
index af25b80ee5c..e822c90b848 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
@@ -2,17 +2,17 @@ title: Remote Thread Creation In Uncommon Target Image
 id: a1a144b7-5c9b-4853-a559-2172be8d4a03
 related:
 - id: f016c716-754a-467f-a39e-63c06f773987
- type: obsoletes
+ type: obsolete
 status: experimental
 description: Detects uncommon target processes for remote thread creation
 references:
 - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
-date: 2022/03/16
-modified: 2024/07/15
+date: 2022-03-16
+modified: 2024-07-15
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055.003
 logsource:
 product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
index 2b310f84704..461eb0ae40a 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
@@ -5,10 +5,10 @@ description: Detects a remote thread creation of Ttdinject.exe used as proxy
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
 author: frack113
-date: 2022/05/16
-modified: 2022/06/02
+date: 2022-05-16
+modified: 2022-06-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
index adbd3dbb8ff..0b6669d9796 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
@@ -5,10 +5,10 @@ description: Detects the creation of an ADS (Alternate Data Stream) that contain
 references:
 - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
 author: Florian Roth (Nextron Systems), @0xrawsec
-date: 2018/06/03
-modified: 2023/02/10
+date: 2018-06-03
+modified: 2023-02-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.s0139
 - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
index 24da21b23d9..a23a650d3d6 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a suspicious ADS (Alternate Data Stream) fi
 references:
 - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
 author: frack113
-date: 2022/10/22
-modified: 2023/06/12
+date: 2022-10-22
+modified: 2023-06-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: create_stream_hash
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
index a48002d98d6..158c9e898d7 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -11,10 +11,10 @@ references:
 - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/24
-modified: 2024/02/09
+date: 2022-08-24
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.s0139
 - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
index 3157d7de2ca..39a51f17d01 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -10,10 +10,10 @@ references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/24
-modified: 2024/02/09
+date: 2022-08-24
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.s0139
 - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
index 08ac32bcb76..e6946ffeee5 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
@@ -15,10 +15,10 @@ references:
 - https://github.com/outflanknl/Dumpert
 - https://github.com/wavestone-cdt/EDRSandblast
 author: Florian Roth (Nextron Systems)
-date: 2022/08/24
-modified: 2024/01/02
+date: 2022-08-24
+modified: 2024-01-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.s0139
 - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
index b53fff6b85a..d31e215fad2 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/07
-modified: 2021/11/27
+date: 2020-10-07
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
index a2ccea6596c..608e8a12170 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
 - https://labs.withsecure.com/publications/detecting-onenote-abuse
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/09/07
-modified: 2023/02/10
+date: 2022-09-07
+modified: 2023-02-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
index 1792faecc26..2451eccd3c0 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
@@ -5,9 +5,9 @@ description: Detects potential suspicious winget package installation from a sus
 references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/18
+date: 2023-04-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
index d7869180a02..b8187973a5d 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/cyb3rops/status/1659175181695287297
 - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
 author: Florian Roth (Nextron Systems)
-date: 2023/05/18
+date: 2023-05-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: create_stream_hash
diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
index 65ff6870d93..061c818930a 100644
--- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
+++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
@@ -8,8 +8,8 @@ description: Detects DNS queries for "anonfiles.com", which is an anonymous file
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
 author: pH-T (Nextron Systems)
-date: 2022/07/15
-modified: 2023/01/16
+date: 2022-07-15
+modified: 2023-01-16
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/dns_query/dns_query_win_appinstaller.yml b/rules/windows/dns_query/dns_query_win_appinstaller.yml
index 013d7b7e590..7f5a5350dc9 100644
--- a/rules/windows/dns_query/dns_query_win_appinstaller.yml
+++ b/rules/windows/dns_query/dns_query_win_appinstaller.yml
@@ -10,10 +10,10 @@ references:
 - https://twitter.com/notwhickey/status/1333900137232523264
 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
 author: frack113
-date: 2021/11/24
-modified: 2023/11/09
+date: 2021-11-24
+modified: 2023-11-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml b/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml
index 25e3335b897..60ab1f2d500 100644
--- a/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml
@@ -11,9 +11,9 @@ references:
 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/12/20
+date: 2023-12-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: dns_query
diff --git a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
index 54b62bfd967..23874013d64 100644
--- a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
@@ -15,10 +15,10 @@ references:
 - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
 - https://cydefops.com/devtunnels-unleashed
 author: citron_ninja
-date: 2023/10/25
-modified: 2023/11/20
+date: 2023-10-25
+modified: 2023-11-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: dns_query
diff --git a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml
index 160adb3f6f8..0c711beac22 100644
--- a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml
+++ b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
 author: frack113
-date: 2022/08/20
-modified: 2023/09/18
+date: 2022-08-20
+modified: 2023-09-18
 tags:
 - attack.discovery
 - attack.t1482
diff --git a/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml b/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml
index 20e5eaa7131..314494a80c9 100644
--- a/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml
+++ b/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml
@@ -12,9 +12,9 @@ references:
 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/24
+date: 2024-06-24
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
index 4529f5c21d2..ee02ba138c5 100644
--- a/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
+++ b/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml
@@ -5,8 +5,8 @@ description: Detects Azure Hybrid Connection Manager services querying the Azure
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-modified: 2023/01/16
+date: 2021-04-12
+modified: 2023-01-16
 tags:
 - attack.persistence
 - attack.t1554
diff --git a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
index d9acf4aea34..fbd1906e669 100644
--- a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
+++ b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
@@ -9,10 +9,10 @@ references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 author: Florian Roth (Nextron Systems)
-date: 2021/11/09
-modified: 2023/01/16
+date: 2021-11-09
+modified: 2023-01-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_mega_nz.yml b/rules/windows/dns_query/dns_query_win_mega_nz.yml
index 008d8766e4f..ef5fbb5bede 100644
--- a/rules/windows/dns_query/dns_query_win_mega_nz.yml
+++ b/rules/windows/dns_query/dns_query_win_mega_nz.yml
@@ -8,8 +8,8 @@ description: Detects DNS queries for subdomains related to MEGA sharing website
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 author: Aaron Greetham (@beardofbinary) - NCC Group
-date: 2021/05/26
-modified: 2023/09/18
+date: 2021-05-26
+modified: 2023-09-18
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
index 80b1c3e4e80..ee5288b09c8 100644
--- a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
+++ b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
@@ -9,7 +9,7 @@ references:
 - https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
 - https://malware.guide/browser-hijacker/remove-onelaunch-virus/
 author: Josh Nickels
-date: 2024/02/26
+date: 2024-02-26
 tags:
 - attack.collection
 - attack.t1056
diff --git a/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml b/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml
index 99c628e79c5..0cfff5a5316 100644
--- a/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml
+++ b/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml
@@ -9,12 +9,12 @@ references:
 - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
 - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
 author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-modified: 2023/09/18
+date: 2019-10-25
+modified: 2023-09-18
 tags:
 - attack.execution
 - attack.t1559.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: dns_query
diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
index 42656d7f212..6ada51a6f2f 100644
--- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
+++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
@@ -2,11 +2,11 @@ title: DNS Query To Remote Access Software Domain From Non-Browser App
 id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
 related:
 - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
- type: obsoletes
+ type: obsolete
 - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
- type: obsoletes
+ type: obsolete
 - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
@@ -19,10 +19,10 @@ references:
 - https://redcanary.com/blog/misbehaving-rats/
 - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
 author: frack113, Connor Martin
-date: 2022/07/11
-modified: 2023/09/12
+date: 2022-07-11
+modified: 2023-09-12
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml b/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml
index 1f83f76fcc8..4a0cf677a76 100644
--- a/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml
@@ -7,8 +7,8 @@ references:
 - https://twitter.com/neonprimetime/status/1436376497980428318
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Brandon George (blog post), Thomas Patzke
-date: 2021/07/08
-modified: 2024/03/22
+date: 2021-07-08
+modified: 2024-03-22
 tags:
 - attack.reconnaissance
 - attack.t1590
diff --git a/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml b/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
index 08641bace06..6b1368c2c62 100644
--- a/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
+++ b/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
@@ -5,10 +5,10 @@ description: Detects DNS queries to a TeamViewer domain only resolved by a TeamV
 references:
 - https://www.teamviewer.com/en-us/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/30
-modified: 2023/09/18
+date: 2022-01-30
+modified: 2023-09-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml
index 046b352420f..491ae8541f8 100644
--- a/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml
+++ b/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml
@@ -8,10 +8,10 @@ description: Detects DNS queries to an ".onion" address related to Tor routing n
 references:
 - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
 author: frack113
-date: 2022/02/20
-modified: 2023/09/18
+date: 2022-02-20
+modified: 2023-09-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.003
 logsource:
 product: windows
diff --git a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml
index 3890fad5025..195bc7ba231 100644
--- a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml
+++ b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml
@@ -8,8 +8,8 @@ description: Detects DNS queries to "ufile.io", which was seen abused by malware
 references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 author: yatinwad, TheDFIRReport
-date: 2022/06/23
-modified: 2023/09/18
+date: 2022-06-23
+modified: 2023-09-18
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
index d03bca54df3..55bb4a6b457 100644
--- a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
@@ -15,10 +15,10 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://cydefops.com/vscode-data-exfiltration
 author: citron_ninja
-date: 2023/10/25
-modified: 2023/11/20
+date: 2023-10-25
+modified: 2023-11-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: dns_query
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers.yml b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
index 22362077dd5..2562839bf56 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
@@ -5,10 +5,10 @@ description: Detects loading of known malicious drivers via their hash.
 references:
 - https://loldrivers.io/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/18
-modified: 2023/12/02
+date: 2022-08-18
+modified: 2023-12-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
index 4fbc90ee395..75976e61dc3 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
@@ -5,10 +5,10 @@ description: Detects loading of known malicious drivers via the file name of the
 references:
 - https://loldrivers.io/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/03
-modified: 2023/12/02
+date: 2022-10-03
+modified: 2023-12-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
index 6524fba28a4..eccbd6cfe6d 100644
--- a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
@@ -8,11 +8,11 @@ description: Detects driver load of the Process Hacker tool
 references:
 - https://processhacker.sourceforge.io/
 author: Florian Roth (Nextron Systems)
-date: 2022/11/16
-modified: 2023/05/08
+date: 2022-11-16
+modified: 2023-05-08
 tags:
- - attack.privilege_escalation
- - cve.2021.21551
+ - attack.privilege-escalation
+ - cve.2021-21551
 - attack.t1543
 logsource:
 category: driver_load
diff --git a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
index 8a220bffb07..10dfa7c4a5c 100644
--- a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
@@ -9,9 +9,9 @@ references:
 - https://systeminformer.sourceforge.io/
 - https://github.com/winsiderss/systeminformer
 author: Florian Roth (Nextron Systems)
-date: 2023/05/08
+date: 2023-05-08
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543
 logsource:
 category: driver_load
diff --git a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
index 2e285226b16..034cb49bfee 100644
--- a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
+++ b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml
@@ -5,11 +5,11 @@ description: Detects a driver load from a temporary directory
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/02/12
-modified: 2021/11/27
+date: 2017-02-12
+modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 category: driver_load
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
index 3ee7abf3661..b883188fe72 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
@@ -5,10 +5,10 @@ description: Detects loading of known vulnerable drivers via their hash.
 references:
 - https://loldrivers.io/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/18
-modified: 2023/12/02
+date: 2022-08-18
+modified: 2023-12-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
index fbf65d88d67..cf10371c7ec 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
@@ -5,10 +5,10 @@ description: Detects the load of known vulnerable drivers via the file name of t
 references:
 - https://loldrivers.io/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/03
-modified: 2023/12/02
+date: 2022-10-03
+modified: 2023-12-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 - attack.t1068
 logsource:
diff --git a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
index 3f46d363b6a..cd35b93aa20 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
@@ -5,10 +5,10 @@ description: Detects the load of HackSys Extreme Vulnerable Driver which is an i
 references:
 - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/18
-modified: 2022/11/19
+date: 2022-08-18
+modified: 2022-11-19
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
index be896ddb78f..56aa9a0e0ec 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
 - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
 author: Florian Roth (Nextron Systems)
-date: 2022/07/26
-modified: 2022/11/19
+date: 2022-07-26
+modified: 2022-11-19
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 product: windows
diff --git a/rules/windows/driver_load/driver_load_win_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml
index 00e79a3d5c3..43a6d033500 100644
--- a/rules/windows/driver_load/driver_load_win_windivert.yml
+++ b/rules/windows/driver_load/driver_load_win_windivert.yml
@@ -6,11 +6,11 @@ references:
 - https://reqrypt.org/windivert-doc.html
 - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
 author: Florian Roth (Nextron Systems)
-date: 2021/07/30
-modified: 2022/11/19
+date: 2021-07-30
+modified: 2022-11-19
 tags:
 - attack.collection
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1599.001
 - attack.t1557.001
 logsource:
diff --git a/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml b/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml
index 8e4278128f3..2a4c3e495c9 100644
--- a/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml
@@ -8,11 +8,11 @@ references:
 - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/11
-modified: 2024/07/29
+date: 2022-10-11
+modified: 2024-07-29
 tags:
 - attack.t1003
- - attack.credential_access
+ - attack.credential-access
 logsource:
 category: file_access
 product: windows
diff --git a/rules/windows/file/file_access/file_access_win_susp_credhist.yml b/rules/windows/file/file_access/file_access_win_susp_credhist.yml
index d890dd9b1db..6f4f6cf954c 100644
--- a/rules/windows/file/file_access/file_access_win_susp_credhist.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_credhist.yml
@@ -8,10 +8,10 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
 - https://www.passcape.com/windows_password_recovery_dpapi_credhist
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/17
-modified: 2024/07/29
+date: 2022-10-17
+modified: 2024-07-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.004
 logsource:
 category: file_access
diff --git a/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml b/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
index e11262253f5..cbb3fe64889 100644
--- a/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - Internal Research
 author: X__Junior (Nextron Systems)
-date: 2024/07/29
+date: 2024-07-29
 tags:
 - attack.t1003
- - attack.credential_access
+ - attack.credential-access
 logsource:
 category: file_access
 product: windows
diff --git a/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml
index b9973ce0a1f..13f0cc5877b 100644
--- a/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml
@@ -8,10 +8,10 @@ references:
 - http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
 - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/17
-modified: 2024/07/29
+date: 2022-10-17
+modified: 2024-07-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.004
 logsource:
 category: file_access
diff --git a/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml b/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml
index e555a558dff..c872d1b21f9 100644
--- a/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_gpo_files.yml
@@ -8,10 +8,10 @@ description: Detects file access requests to potentially sensitive files hosted
 references:
 - https://github.com/vletoux/pingcastle
 author: frack113
-date: 2023/12/21
-modified: 2024/07/29
+date: 2023-12-21
+modified: 2024-07-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: file_access
diff --git a/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml b/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
index 21dcd47b2d2..0600f8ec852 100644
--- a/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
+++ b/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
@@ -7,9 +7,9 @@ references:
 - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
 - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
 author: '@SerkinValery'
-date: 2024/07/22
+date: 2024-07-22
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 product: windows
diff --git a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
index 2104cca2241..e5630978c84 100644
--- a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
+++ b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/08/12
-modified: 2022/10/25
+date: 2022-08-12
+modified: 2022-10-25
 tags:
 - attack.t1070.006
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_change
 product: windows
diff --git a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
index 46f01c03d63..31e14a9e7af 100644
--- a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
+++ b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
@@ -8,9 +8,9 @@ description: Detects an unexpected file being modified by dns.exe which my indic
 references:
 - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
 author: Tim Rauch (Nextron Systems), Elastic (idea)
-date: 2022/09/27
+date: 2022-09-27
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: file_change
diff --git a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
index 9451c3f517b..faceed8596f 100644
--- a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
+++ b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
@@ -6,14 +6,14 @@ references:
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/cube0x0/CVE-2021-1675
 author: Bhabesh Raj
-date: 2021/07/01
-modified: 2023/02/17
+date: 2021-07-01
+modified: 2023-02-17
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574
- - cve.2021.1675
+ - cve.2021-1675
 logsource:
 category: file_delete
 product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
index 413b8e13957..326436b307f 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
@@ -5,8 +5,8 @@ description: Detects deletion of files with extensions often used for backup fil
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
 author: frack113
-date: 2022/01/02
-modified: 2023/02/15
+date: 2022-01-02
+modified: 2023-02-15
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
index 091244733aa..403a5e460f9 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
@@ -5,9 +5,9 @@ description: Detects the deletion of the event log files which may indicate an a
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
index 37eea57687e..bb89e948a73 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
@@ -5,10 +5,10 @@ description: Detects the deletion of the Exchange PowerShell cmdlet History logs
 references:
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/26
-modified: 2022/12/30
+date: 2022-10-26
+modified: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
index 7ff51dd6fdc..91bb673ab68 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
@@ -5,10 +5,10 @@ description: Detects the deletion of IIS WebServer access logs which may indicat
 references:
 - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
 author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/16
-modified: 2023/02/15
+date: 2022-09-16
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
index 6daa4e9e3d0..0308f4c6a87 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
@@ -5,9 +5,9 @@ description: Detects the deletion of the PowerShell console History logs which m
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
index 3e85e23c44f..04fb469d14d 100755
--- a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
@@ -6,10 +6,10 @@ references:
 - Internal Research
 - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
 author: Cedric MAURUGEON
-date: 2021/09/29
-modified: 2024/01/25
+date: 2021-09-29
+modified: 2024-01-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml
index ddafa5e5953..85992dd16ad 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml
@@ -5,10 +5,10 @@ description: Detects the deletion of the TeamViewer log files which may indicate
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 author: frack113
-date: 2022/01/16
-modified: 2023/02/15
+date: 2022-01-16
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
index fdea36cd77f..fe35182c278 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
@@ -6,9 +6,9 @@ references:
 - Internal Research
 - https://linuxhint.com/view-tomcat-logs-windows/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/16
+date: 2023-02-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
index 026f340d59c..aa9fef98058 100644
--- a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
+++ b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/9
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/02/15
+date: 2020-05-02
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
index 07911961f8c..ff86977218e 100644
--- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
+++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
@@ -8,10 +8,10 @@ description: Detects an unexpected file being deleted by dns.exe which my indica
 references:
 - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
 author: Tim Rauch (Nextron Systems), Elastic (idea)
-date: 2022/09/27
-modified: 2023/02/15
+date: 2022-09-27
+modified: 2023-02-15
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
index 896c6facffb..ee8646c095f 100644
--- a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
+++ b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
@@ -9,10 +9,10 @@ references:
 - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/04
-modified: 2024/04/26
+date: 2023-09-04
+modified: 2024-04-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
index d4f260a42a8..c96c2bedbb7 100644
--- a/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
+++ b/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
@@ -7,11 +7,11 @@ references:
 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
 - https://github.com/fox-it/LDAPFragger
 author: xknow @xknow_infosec, Tim Shelton
-date: 2019/03/24
-modified: 2023/10/18
+date: 2019-03-24
+modified: 2023-10-18
 tags:
 - attack.t1001.003
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
index 3b5545d298d..44ee10449aa 100644
--- a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
+++ b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
@@ -12,8 +12,8 @@ references:
 - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
 - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
 author: '@ROxPinTeddy'
-date: 2020/05/12
-modified: 2022/11/29
+date: 2020-05-12
+modified: 2022-11-29
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
index 6776f30fd08..d55071c51c7 100644
--- a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: frack113
-date: 2022/02/11
-modified: 2024/07/20
+date: 2022-02-11
+modified: 2024-07-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
index e03c4f5b2e5..e54370eee32 100644
--- a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
+++ b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/28
+date: 2022-09-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml
index 2807616395c..4e98d7c32e0 100644
--- a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml
+++ b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml
@@ -13,7 +13,7 @@ description: |
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/14
+date: 2023-08-14
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
index ce90c0b34e3..b5c282e7038 100644
--- a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
+++ b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
@@ -5,8 +5,8 @@ description: Detects default file names outputted by the BloodHound collection t
 references:
 - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
 author: C.J. May
-date: 2022/08/09
-modified: 2023/03/29
+date: 2022-08-09
+modified: 2023-03-29
 tags:
 - attack.discovery
 - attack.t1087.001
diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
index 69659801c5e..0f9cfc8cb00 100644
--- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
 author: D3F7A5105
-date: 2023/01/02
-modified: 2024/03/26
+date: 2023-01-02
+modified: 2024-03-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 38a6bbd9ab3..62901dc2d14 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -15,12 +15,12 @@ references:
 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
 - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
 author: Nasreddine Bencherchali (Nextron Systems), fornotes
-date: 2022/12/01
-modified: 2024/01/10
+date: 2022-12-01
+modified: 2024-01-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
index 330142a8dd1..6c030c135aa 100644
--- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
@@ -10,8 +10,8 @@ references:
 - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
 - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/29
-modified: 2023/12/06
+date: 2021-12-29
+modified: 2023-12-06
 tags:
 - attack.persistence
 - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
index 3d2619c84e9..6690529518c 100644
--- a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
 author: frack113
-date: 2021/12/29
-modified: 2022/11/08
+date: 2021-12-29
+modified: 2022-11-08
 tags:
 - attack.persistence
 - attack.t1546.002
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml b/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml
index 501229ac92c..709ce43414b 100644
--- a/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/24
+date: 2024-06-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index 2df5a2988f2..78ac9aa95d0 100644
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - Internal Research
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/05/26
-modified: 2024/06/24
+date: 2020-05-26
+modified: 2024-06-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
index cf358894ddd..0ba1c9bcf14 100644
--- a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
 author: frack113
-date: 2021/12/30
+date: 2021-12-30
 tags:
 - attack.persistence
 - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
index eaeb077ecc8..8be4b713349 100755
--- a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
@@ -5,10 +5,10 @@ description: Files with well-known filenames (parts of credential dump software
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/11/01
-modified: 2022/09/21
+date: 2019-11-01
+modified: 2022-09-21
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.t1003.002
 - attack.t1003.003
diff --git a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
index 65eb05e8000..fa29af0b0ed 100644
--- a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
@@ -8,8 +8,8 @@ description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.
 references:
 - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
 author: Tim Shelton
-date: 2022/01/10
-modified: 2022/12/02
+date: 2022-01-10
+modified: 2022-12-02
 tags:
 - attack.execution
 - attack.t1059.005
diff --git a/rules/windows/file/file_event/file_event_win_csexec_service.yml b/rules/windows/file/file_event/file_event_win_csexec_service.yml
index 33f9fce2a26..50177ea10be 100644
--- a/rules/windows/file/file_event/file_event_win_csexec_service.yml
+++ b/rules/windows/file/file_event/file_event_win_csexec_service.yml
@@ -5,7 +5,7 @@ description: Detects default CSExec service filename which indicates CSExec serv
 references:
 - https://github.com/malcomvetter/CSExec
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/04
+date: 2023-08-04
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
index e2d5f5cddb1..210294d6661 100644
--- a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
 author: frack113
-date: 2022/01/09
-modified: 2023/02/17
+date: 2022-01-09
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml
index 3704cad9538..40ece2f14d9 100644
--- a/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml
+++ b/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml
@@ -2,7 +2,7 @@ title: Potential DCOM InternetExplorer.Application DLL Hijack
 id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
 related:
 - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
- type: obsoletes
+ type: obsolete
 - id: f354eba5-623b-450f-b073-0b5b2773b6aa
 type: similar
 status: test
@@ -10,10 +10,10 @@ description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM In
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-date: 2020/10/12
-modified: 2022/12/18
+date: 2020-10-12
+modified: 2022-12-18
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1021.003
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
index f330ff51fe1..2b30a630567 100644
--- a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
+++ b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
@@ -8,11 +8,11 @@ references:
 - https://twitter.com/cyb3rops/status/1552932770464292864
 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/30
+date: 2022-07-30
 tags:
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
index c689dba2dfd..c445dd4e748 100644
--- a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
@@ -8,9 +8,9 @@ description: Detects the creation of a file with the ".dmp"/".hdmp" extension by
 references:
 - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/07
+date: 2023-09-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml b/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml
index 8ebc5922823..b82144c1ede 100644
--- a/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml
@@ -8,8 +8,8 @@ references:
 - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
 - https://github.com/last-byte/PersistenceSniper
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/09
-modified: 2022/12/19
+date: 2022-08-09
+modified: 2022-12-19
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
index 31e8d469090..3e2f5b73085 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
@@ -10,7 +10,7 @@ references:
 - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
 - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
 author: Florian Roth (Nextron Systems), MSTI (query, idea)
-date: 2022/10/01
+date: 2022-10-01
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
index be1e27bb1c8..32fd233972a 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
@@ -10,11 +10,11 @@ references:
 - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
 - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
 author: Florian Roth (Nextron Systems)
-date: 2022/10/04
+date: 2022-10-04
 tags:
 - attack.persistence
 - attack.t1190
- - attack.initial_access
+ - attack.initial-access
 - attack.t1505.003
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
index 551b26f8f38..772a84e4de9 100644
--- a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 author: frack113
-date: 2022/02/13
+date: 2022-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
index 00d263a9011..fba06acf01b 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
@@ -2,16 +2,16 @@ title: HackTool - CrackMapExec File Indicators
 id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
 related:
 - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
- type: obsoletes
+ type: obsolete
 status: experimental
 description: Detects file creation events with filename patterns used by CrackMapExec.
 references:
 - https://github.com/byt3bl33d3r/CrackMapExec/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/11
-modified: 2024/06/27
+date: 2024-03-11
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml b/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml
index 73b9219e1b0..3fdd0e46f6a 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/outflanknl/Dumpert
 - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
 author: Florian Roth (Nextron Systems)
-date: 2020/02/04
-modified: 2023/05/09
+date: 2020-02-04
+modified: 2023-05-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
index 3102f97e7a2..1debbdd6844 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
@@ -8,12 +8,12 @@ references:
 - https://github.com/WiredPulse/Invoke-HiveNightmare
 - https://twitter.com/cube0x0/status/1418920190759378944
 author: Florian Roth (Nextron Systems)
-date: 2021/07/23
-modified: 2024/06/27
+date: 2021-07-23
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
- - cve.2021.36934
+ - cve.2021-36934
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml b/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
index d714a210328..f8fc0b1f978 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
 - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/24
-modified: 2024/06/27
+date: 2022-10-24
+modified: 2024-06-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
index 280e069d796..0fe15d32850 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml
@@ -5,9 +5,9 @@ description: Detects the creation of file with specific names used by RemoteKrbR
 references:
 - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/27
+date: 2024-06-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml b/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml
index 6fb8c2b1eee..b9015624ef5 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml
@@ -2,17 +2,17 @@ title: HackTool - Mimikatz Kirbi File Creation
 id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
 related:
 - id: 034affe8-6170-11ec-844f-0f78aa0c4d66
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
 references:
 - https://cobalt.io/blog/kerberoast-attack-techniques
 - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
 author: Florian Roth (Nextron Systems), David ANDRE
-date: 2021/11/08
-modified: 2024/06/27
+date: 2021-11-08
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
index a9c4faf962b..5fbfb2199e1 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
 - https://twitter.com/0gtweet/status/1465282548494487554
 author: Florian Roth (Nextron Systems)
-date: 2021/11/29
-modified: 2024/06/27
+date: 2021-11-29
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml b/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
index fa8217a5b9f..80560297257 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
@@ -8,12 +8,12 @@ description: |
 references:
 - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
 author: Subhash Popuri (@pbssubhash)
-date: 2021/08/21
-modified: 2024/06/27
+date: 2021-08-21
+modified: 2024-06-27
 tags:
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1574.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml b/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml
index 5d6f60319a8..4c1832e07ed 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml
@@ -5,10 +5,10 @@ description: Detects a dump file written by QuarksPwDump password dumper
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
 author: Florian Roth (Nextron Systems)
-date: 2018/02/10
-modified: 2024/06/27
+date: 2018-02-10
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
index 43f2f90a07b..8d1db153977 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/Porchetta-Industries/CrackMapExec
 - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
 author: SecurityAura
-date: 2022/11/16
-modified: 2024/06/27
+date: 2022-11-16
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml b/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml
index f6950ba7f9e..5c2506edc00 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/GhostPack/SafetyKatz
 - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
 author: Markus Neis
-date: 2018/07/24
-modified: 2024/06/27
+date: 2018-07-24
+modified: 2024-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
index 544b2bb6fe0..a7f0f0d4877 100644
--- a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
@@ -6,14 +6,14 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
 - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
 author: Tim Rauch (rule), Elastic (idea)
-date: 2022/10/21
+date: 2022-10-21
 tags:
 - attack.t1566
 - attack.t1566.001
- - attack.initial_access
+ - attack.initial-access
 - attack.t1574
 - attack.t1574.001
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
index d628950fc9e..f6b3b9f858e 100644
--- a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
+++ b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
@@ -5,9 +5,9 @@ description: TeamViewer_Desktop.exe is create during install
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
 author: frack113
-date: 2022/01/28
+date: 2022-01-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
index b7cf3dd9e6d..8ef35047373 100644
--- a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
+++ b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
 author: frack113
-date: 2022/08/12
+date: 2022-08-12
 tags:
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
index 6b6bf0cabeb..10b4097ab7a 100644
--- a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
+++ b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
@@ -7,9 +7,9 @@ references:
 - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 author: '@sam0x90'
-date: 2022/07/30
+date: 2022-07-30
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
index 8a71f6b9781..e31805a3181 100644
--- a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
+++ b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
@@ -10,9 +10,9 @@ references:
 - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
 - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
 author: Florian Roth (Nextron Systems)
-date: 2022/02/11
+date: 2022-02-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml b/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml
index bac88772a98..0dbe32a0705 100644
--- a/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml
+++ b/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml
@@ -11,7 +11,7 @@ references:
 - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
 - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/08
+date: 2023-02-08
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml
index b113fd1fa94..53ac3955b2b 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml
@@ -2,9 +2,9 @@ title: LSASS Process Memory Dump Files
 id: a5a2d357-1ab8-4675-a967-ef9990a59391
 related:
 - id: db2110f3-479d-42a6-94fb-d35bc1e46492
- type: obsoletes
+ type: obsolete
 - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
 references:
@@ -15,10 +15,10 @@ references:
 - https://github.com/helpsystems/nanodump
 - https://github.com/CCob/MirrorDump
 author: Florian Roth (Nextron Systems)
-date: 2021/11/15
-modified: 2023/09/05
+date: 2021-11-15
+modified: 2023-09-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml
index 8bb6ac9f944..a9b25e89449 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
 - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 author: '@pbssubhash'
-date: 2022/12/08
+date: 2022-12-08
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
index 24cd5965a4c..6dd5d888011 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
@@ -5,9 +5,9 @@ description: Detects WerFault creating a dump file with a name that indicates th
 references:
 - https://github.com/helpsystems/nanodump
 author: Florian Roth (Nextron Systems)
-date: 2022/06/27
+date: 2022-06-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_mal_adwind.yml b/rules/windows/file/file_event/file_event_win_mal_adwind.yml
index ef9c47fe150..7f06143bcd9 100644
--- a/rules/windows/file/file_event/file_event_win_mal_adwind.yml
+++ b/rules/windows/file/file_event/file_event_win_mal_adwind.yml
@@ -9,8 +9,8 @@ references:
 - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-date: 2017/11/10
-modified: 2022/12/02
+date: 2017-11-10
+modified: 2022-12-02
 tags:
 - attack.execution
 - attack.t1059.005
diff --git a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
index 153e0f4d960..5e43a3a0a43 100644
--- a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
+++ b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
@@ -5,8 +5,8 @@ description: Detects Octopus Scanner Malware.
 references:
 - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
 author: NVISO
-date: 2020/06/09
-modified: 2021/11/27
+date: 2020-06-09
+modified: 2021-11-27
 tags:
 - attack.t1195
 - attack.t1195.001
diff --git a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
index 3d8359b3eea..e19e5061d7c 100644
--- a/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
+++ b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml
@@ -6,12 +6,12 @@ references:
 - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
 - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
 author: Vadim Varganov, Florian Roth (Nextron Systems)
-date: 2022/08/24
-modified: 2023/02/23
+date: 2022-08-24
+modified: 2023-02-23
 tags:
 - attack.persistence
 - attack.t1547.001
- - cve.2022.30190
+ - cve.2022-30190
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
index d60c5a3fcb8..ac9aeac179b 100644
--- a/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
@@ -8,9 +8,9 @@ references:
 - https://asec.ahnlab.com/en/58878/
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
 author: Joseph Kamau
-date: 2024/05/27
+date: 2024-05-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
index 2cb7ce899d6..812acbba75b 100644
--- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
@@ -4,7 +4,7 @@ related:
 - id: 4508a70e-97ef-4300-b62b-ff27992990ea
 type: derived
 - id: e4b63079-6198-405c-abd7-3fe8b0ce3263
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
 references:
@@ -13,10 +13,10 @@ references:
 - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
 - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
 author: frack113, omkar72, oscd.community, Wojciech Lesicki
-date: 2022/11/18
-modified: 2023/02/23
+date: 2022-11-18
+modified: 2023-02-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
index 2735b21588f..98b0334b470 100644
--- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
@@ -5,10 +5,10 @@ description: Detects the creation of suspicious files and folders inside the use
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2023/02/23
+date: 2022-08-05
+modified: 2023-02-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_new_scr_file.yml b/rules/windows/file/file_event/file_event_win_new_scr_file.yml
index ba8026ec718..1a10773327b 100644
--- a/rules/windows/file/file_event/file_event_win_new_scr_file.yml
+++ b/rules/windows/file/file_event/file_event_win_new_scr_file.yml
@@ -5,10 +5,10 @@ description: Detects the creation of screensaver files (.scr) outside of system
 references:
 - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
-date: 2022/04/27
-modified: 2023/08/23
+date: 2022-04-27
+modified: 2023-08-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
index 4f2b40f7b63..d98038fb1f1 100644
--- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
@@ -5,8 +5,8 @@ description: Detects creation of new ".dll" files inside the plugins directory o
 references:
 - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/10
-modified: 2023/01/05
+date: 2022-06-10
+modified: 2023-01-05
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
index 2828582d32d..76e0a90a910 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
@@ -5,9 +5,9 @@ description: Detects creation of a file named "ntds.dit" (Active Directory Datab
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/05
+date: 2023-05-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml
index 41820e8d21e..40754437b5b 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml
@@ -11,10 +11,10 @@ references:
 - https://pentestlab.blog/tag/ntds-dit/
 - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
 author: Florian Roth (Nextron Systems)
-date: 2022/03/11
-modified: 2023/01/05
+date: 2022-03-11
+modified: 2023-01-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml
index 6bda3c05c91..109015562a2 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml
@@ -9,10 +9,10 @@ references:
 - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
 - https://adsecurity.org/?p=2398
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/11
-modified: 2022/07/14
+date: 2022-01-11
+modified: 2022-07-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 - attack.t1003.003
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
index d33c027ce5a..c82677ba248 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
 - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
 author: Florian Roth (Nextron Systems)
-date: 2022/03/11
-modified: 2023/05/05
+date: 2022-03-11
+modified: 2023-05-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml b/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml
index c66e4c39797..baa9a77fdef 100644
--- a/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml
@@ -7,8 +7,8 @@ references:
 - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
 - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
 author: NVISO
-date: 2020/05/11
-modified: 2023/02/08
+date: 2020-05-11
+modified: 2023-02-08
 tags:
 - attack.persistence
 - attack.t1137.006
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
index ab68814cf94..fd9cf1af079 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
@@ -9,9 +9,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
 - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/23
+date: 2022-01-23
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
index 6cbe5139c98..4608d041ff4 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
 - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/23
-modified: 2023/04/18
+date: 2022-01-23
+modified: 2023-04-18
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
index 9012ab806bc..c65e1d494ea 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
 - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/23
-modified: 2023/02/22
+date: 2022-01-23
+modified: 2023-02-22
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml
index dce7b494af3..993e86e2e79 100644
--- a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml
@@ -6,10 +6,10 @@ references:
 - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
 - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/22
-modified: 2023/09/19
+date: 2023-01-22
+modified: 2023-09-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
index 00a6521a761..5d5c4dea3bf 100644
--- a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
@@ -10,10 +10,10 @@ references:
 - https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
 - https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/09
-modified: 2023/02/27
+date: 2023-02-09
+modified: 2023-02-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
index 6ae6bf4914e..8331239e983 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
@@ -8,11 +8,11 @@ description: Detects the creation of a macro file for Outlook.
 references:
 - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 author: '@ScoubiMtl'
-date: 2021/04/05
-modified: 2023/02/08
+date: 2021-04-05
+modified: 2023-02-08
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1137
 - attack.t1008
 - attack.t1546
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml
index 2ac2594b717..8f7fcc155ed 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml
@@ -8,8 +8,8 @@ references:
 - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
 - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
 author: Tobias Michalski (Nextron Systems)
-date: 2021/06/10
-modified: 2023/02/22
+date: 2021-06-10
+modified: 2023-02-22
 tags:
 - attack.persistence
 - attack.t1137.003
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
index 80c349fe726..31b2b1cf19a 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml
@@ -10,10 +10,10 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
 - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/08
+date: 2023-02-08
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1137
 - attack.t1008
 - attack.t1546
diff --git a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
index 11ef28ccd3b..726a3c376bf 100644
--- a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
@@ -5,9 +5,9 @@ description: Detects creation of files with the ".pub" extension in suspicious o
 references:
 - https://twitter.com/EmericNasi/status/1623224526220804098
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/08
+date: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml b/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml
index 8d413962b75..9ccb76b249f 100644
--- a/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
 - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
 author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/02
-modified: 2023/06/22
+date: 2022-06-02
+modified: 2023-06-22
 tags:
 - attack.persistence
 - attack.t1137
diff --git a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
index de271fcef41..26c7fcbbc03 100644
--- a/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml
@@ -6,8 +6,8 @@ references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
 author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/08/23
-modified: 2023/06/22
+date: 2021-08-23
+modified: 2023-06-22
 tags:
 - attack.t1204.002
 - attack.execution
diff --git a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml
index 2ea9b34532e..7acf3d614fa 100644
--- a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml
@@ -8,10 +8,10 @@ references:
 - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
 - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/05
-modified: 2023/12/13
+date: 2022-06-05
+modified: 2023-12-13
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml b/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml
index 1cefde763de..85c5eb6a904 100644
--- a/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml
+++ b/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/rbmaslen/status/1321859647091970051
 - https://twitter.com/tifkin_/status/1321916444557365248
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/29
-modified: 2022/10/09
+date: 2020-10-29
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml
index dca8c2bb922..e1c758f21cd 100644
--- a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml
+++ b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml
@@ -6,7 +6,7 @@ references:
 - Internal Research
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/05
+date: 2023-05-05
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
index 265abe5dac9..821f391085e 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
@@ -5,8 +5,8 @@ description: Detects PowerShell creating a binary executable or a script file.
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/17
-modified: 2023/05/09
+date: 2023-03-17
+modified: 2023-05-09
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml
index 6bb60c37901..89aaacc7d23 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml
@@ -5,7 +5,7 @@ description: Detects PowerShell creating a PowerShell file (.ps1). While often t
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: frack113
-date: 2023/05/09
+date: 2023-05-09
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index ab1167ac92c..66b18fd9a5c 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -27,8 +27,8 @@ references:
 - https://github.com/adrecon/ADRecon
 - https://github.com/adrecon/AzureADRecon
 author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
-date: 2018/04/07
-modified: 2024/01/25
+date: 2018-04-07
+modified: 2024-01-25
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml
index 98cd38a339d..a808ce7553a 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml
@@ -6,7 +6,7 @@ references:
 - Internal Research
 - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/09
+date: 2023-05-09
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml
index e3ad338f545..f1dd94b1a7b 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml
@@ -6,7 +6,7 @@ references:
 - Internal Research
 - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/09
+date: 2023-05-09
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml
index 1495dbf22c1..bef429acffb 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml
@@ -6,8 +6,8 @@ references:
 - Internal Research
 - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/09
-modified: 2023/10/18
+date: 2023-05-09
+modified: 2023-10-18
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
index fb01a98a154..a8b62397fbe 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -10,8 +10,8 @@ references:
 - https://redcanary.com/blog/intelligence-insights-october-2021/
 - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
 author: Christopher Peacock '@securepeacock', SCYTHE
-date: 2021/10/24
-modified: 2023/02/23
+date: 2021-10-24
+modified: 2023-02-23
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
index 6505f169c5f..7af6c490cad 100644
--- a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
+++ b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
@@ -5,10 +5,10 @@ description: Detects the creation of the "PSScriptPolicyTest" PowerShell script
 references:
 - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/01
-modified: 2023/12/11
+date: 2023-06-01
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_rclone_config_files.yml b/rules/windows/file/file_event/file_event_win_rclone_config_files.yml
index 28abce2a4ef..2465646919d 100644
--- a/rules/windows/file/file_event/file_event_win_rclone_config_files.yml
+++ b/rules/windows/file/file_event/file_event_win_rclone_config_files.yml
@@ -5,8 +5,8 @@ description: Detects Rclone config files being created
 references:
 - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
 author: Aaron Greetham (@beardofbinary) - NCC Group
-date: 2021/05/26
-modified: 2023/05/09
+date: 2021-05-26
+modified: 2023-05-09
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
index 142f25529da..55ce57aa928 100644
--- a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
@@ -6,9 +6,9 @@ references:
 - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
 - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/18
+date: 2023-04-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
index 1e9b66a504b..afa4893ec73 100644
--- a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
+++ b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
@@ -5,10 +5,10 @@ description: Detects files dropped by Winnti as described in RedMimicry Winnti p
 references:
 - https://redmimicry.com/posts/redmimicry-winnti/#dropper
 author: Alexander Rausch
-date: 2020/06/24
-modified: 2023/01/05
+date: 2020-06-24
+modified: 2023-01-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
index 424e070fc97..ee665d93975 100644
--- a/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
+++ b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/08
+date: 2024-07-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_remcom_service.yml b/rules/windows/file/file_event/file_event_win_remcom_service.yml
index 7aee299ace5..d3381932da1 100644
--- a/rules/windows/file/file_event/file_event_win_remcom_service.yml
+++ b/rules/windows/file/file_event/file_event_win_remcom_service.yml
@@ -5,7 +5,7 @@ description: Detects default RemCom service filename which indicates RemCom serv
 references:
 - https://github.com/kavika13/RemCom/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/04
+date: 2023-08-04
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml
index f65d305408b..42b2463acec 100644
--- a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
 author: frack113
-date: 2022/02/13
+date: 2022-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
index cef1d6a5da2..cfda56f4d67 100644
--- a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
+++ b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
@@ -10,7 +10,7 @@ description: |
 references:
 - https://github.com/SigmaHQ/sigma/pull/4467
 author: Ali Alwashali
-date: 2023/10/10
+date: 2023-10-10
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
index 96e93c58d01..e342ee952fd 100644
--- a/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
+++ b/rules/windows/file/file_event/file_event_win_ripzip_attack.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
 author: Greg (rule)
-date: 2022/07/21
-modified: 2023/01/05
+date: 2022-07-21
+modified: 2023-01-05
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml
index 0f8cc159d22..94d7c14a322 100644
--- a/rules/windows/file/file_event/file_event_win_sam_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/HuskyHacks/ShadowSteal
 - https://github.com/FireFart/hivenightmare
 author: Florian Roth (Nextron Systems)
-date: 2022/02/11
-modified: 2023/01/05
+date: 2022-02-11
+modified: 2023-01-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
index b84bc8b2b55..3f6c06274b4 100644
--- a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
@@ -13,9 +13,9 @@ references:
 - https://en.wikipedia.org/wiki/IExpress
 - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/02/05
+date: 2024-02-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
index bf7c085233e..a75146a5055 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
@@ -5,8 +5,8 @@ description: Detects Windows shells and scripting applications that write files
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2021/11/20
-modified: 2023/03/29
+date: 2021-11-20
+modified: 2023-03-29
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index 549e7d54f84..f568846fae7 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -8,10 +8,10 @@ description: Detects Windows executables that write files with suspicious extens
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2024/04/15
+date: 2022-08-12
+modified: 2024-04-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
index 4bebae52976..b7a31674b2a 100644
--- a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
+++ b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/12
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/10/07
+date: 2020-05-02
+modified: 2022-10-07
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
index 70a12e5a252..e1c77f71794 100644
--- a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
@@ -5,10 +5,10 @@ description: Once executed, colorcpl.exe will copy the arbitrary file to c:\wind
 references:
 - https://twitter.com/eral4m/status/1480468728324231172?s=20
 author: frack113
-date: 2022/01/21
-modified: 2023/01/05
+date: 2022-01-21
+modified: 2023-01-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
index fb060b442fb..ce5a5563961 100644
--- a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
@@ -5,13 +5,13 @@ description: This rule detects suspicious files created by Microsoft Sync Center
 references:
 - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
-date: 2022/04/28
-modified: 2022/06/02
+date: 2022-04-28
+modified: 2022-06-02
 tags:
 - attack.t1055
 - attack.t1218
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
index dfe23e0156d..b2f55b1e978 100644
--- a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
@@ -5,10 +5,10 @@ description: Detects the creation of copy of suspicious files (EXE/DLL) to the d
 references:
 - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
-date: 2022/04/28
+date: 2022-04-28
 tags:
 - attack.t1036.005
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
index 25189fd01fc..1f52f96a14e 100755
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
@@ -5,8 +5,8 @@ description: Detects unusual processes accessing desktop.ini, which can be lever
 references:
 - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
 author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
-date: 2020/03/19
-modified: 2022/10/07
+date: 2020-03-19
+modified: 2022-10-07
 tags:
 - attack.persistence
 - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
index deb9a6d80a5..9d95f7b86ad 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
@@ -5,7 +5,7 @@ description: Ransomware create txt file in the user Desktop
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
 author: frack113
-date: 2021/12/26
+date: 2021-12-26
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
index 3813a80c33f..f0c261781f5 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
@@ -6,10 +6,10 @@ references:
 - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
 - https://twitter.com/SBousseaden/status/1278977301745741825
 author: Florian Roth (Nextron Systems)
-date: 2020/07/03
-modified: 2022/06/02
+date: 2020-07-03
+modified: 2022-06-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_diagcab.yml b/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
index 54af6a3d40f..345e074a58c 100644
--- a/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
@@ -5,9 +5,9 @@ description: Detects the creation of diagcab file, which could be caused by some
 references:
 - https://threadreaderapp.com/thread/1533879688141086720.html
 author: frack113
-date: 2022/06/08
+date: 2022-06-08
 tags:
- - attack.resource_development
+ - attack.resource-development
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index ff9482d3aba..c277ee5d83a 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -14,10 +14,10 @@ references:
 - https://twitter.com/malwrhunterteam/status/1235135745611960321
 - https://twitter.com/luc4m/status/1073181154126254080
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2022/06/19
-modified: 2022/11/07
+date: 2022-06-19
+modified: 2022-11-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.007
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
index 64e054283fc..25056016f08 100644
--- a/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
@@ -7,7 +7,7 @@ references:
 - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
 - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
 author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/26
+date: 2024-06-26
 tags:
 - attack.t1555
 - attack.t1552.004
diff --git a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
index aea283dcfd3..31958dd35fc 100644
--- a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
@@ -5,9 +5,9 @@ description: Detects suspicious activity in which the MSExchangeMailboxReplicati
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
 author: Florian Roth (Nextron Systems)
-date: 2022/02/25
+date: 2022-02-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
index 756cc5f60c8..319abdc113e 100644
--- a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
@@ -8,10 +8,10 @@ references:
 - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
 - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
 author: frack113
-date: 2022/09/05
-modified: 2023/12/11
+date: 2022-09-05
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
index 43811dc4e2b..762cb5bb474 100644
--- a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
@@ -9,11 +9,11 @@ references:
 - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
 - https://www.joesandbox.com/analysis/465533/0/html
 author: frack113
-date: 2022/04/23
+date: 2022-04-23
 tags:
 - attack.persistence
 - attack.t1546
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
index 9c942db5f6b..e3380dffd59 100644
--- a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
 author: Scoubi (@ScoubiMtl)
-date: 2023/10/09
+date: 2023-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml
index c54c39906f7..8eadfa49d30 100644
--- a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml
@@ -9,9 +9,9 @@ references:
 - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
 - http://www.irongeek.com/homoglyph-attack-generator.php
 author: Micah Babinski, @micahbabinski
-date: 2023/05/08
+date: 2023-05-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1036.003
 # - attack.t1036.008
diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
index b46e109ea12..284457d6e5c 100644
--- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
@@ -5,9 +5,9 @@ description: Detects programs on a Windows system that should not write an archi
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
 author: frack113, Florian Roth
-date: 2022/08/21
+date: 2022-08-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
index 03fc2f92ef7..75ee62d27b1 100644
--- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
@@ -5,10 +5,10 @@ description: Detects programs on a Windows system that should not write executab
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/08/21
-modified: 2023/06/22
+date: 2022-08-21
+modified: 2023-06-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
index 3642c3a83e1..2dcdbb8a857 100644
--- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
@@ -5,10 +5,10 @@ description: Detects programs on a Windows system that should not write scripts
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/08/21
-modified: 2023/06/22
+date: 2022-08-21
+modified: 2023-06-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
index a70fa7bfbb6..496898d7ff8 100644
--- a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
@@ -13,10 +13,10 @@ references:
 - https://twitter.com/malwrhunterteam/status/1235135745611960321
 - https://twitter.com/luc4m/status/1073181154126254080
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2022/11/07
-modified: 2023/10/18
+date: 2022-11-07
+modified: 2023-10-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.007
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml b/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
index 986e75981c9..8c07d9df094 100644
--- a/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/14
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/07/07
+date: 2020-05-02
+modified: 2022-07-07
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.004
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
index a6960507e7d..2d6af15fe07 100644
--- a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -6,11 +6,11 @@ references:
 - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
 - https://persistence-info.github.io/Data/powershellprofile.html
 author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/24
-modified: 2023/10/23
+date: 2019-10-24
+modified: 2023-10-23
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.013
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
index 326fdddf772..c2d2d3e83b8 100755
--- a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
-date: 2019/04/08
-modified: 2022/11/22
+date: 2019-04-08
+modified: 2022-11-22
 tags:
 - attack.t1562.001
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
index 2e279f53348..7824a5de1ca 100644
--- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
@@ -9,11 +9,11 @@ references:
 - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
 - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
 author: X__Junior (Nextron Systems)
-date: 2023/07/12
-modified: 2023/12/11
+date: 2023-07-12
+modified: 2023-12-11
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
index 266eef10295..2c7fb65699d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
@@ -5,9 +5,9 @@ description: Detects the creation of suspcious binary files inside the "\windows
 references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/28
+date: 2022-07-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index 67b11b2ea71..b0a345cb259 100644
--- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -8,8 +8,8 @@ description: Detects when a file with a suspicious extension is created in the s
 references:
 - https://github.com/last-byte/PersistenceSniper
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/10
-modified: 2023/01/06
+date: 2022-08-10
+modified: 2023-01-06
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
index 78de8ee6266..b08d13a1978 100644
--- a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
@@ -5,8 +5,8 @@ description: Detects the creation of files that indicator an interactive use of
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
 author: Florian Roth (Nextron Systems)
-date: 2021/12/07
-modified: 2022/08/13
+date: 2021-12-07
+modified: 2022-08-13
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_task_write.yml b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
index d85c1b0d9e4..ac377be2935 100644
--- a/rules/windows/file/file_event/file_event_win_susp_task_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
@@ -5,8 +5,8 @@ description: Detects the creation of tasks from processes executed from suspicio
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2021/11/16
-modified: 2022/01/12
+date: 2021-11-16
+modified: 2022-01-12
 tags:
 - attack.persistence
 - attack.execution
diff --git a/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml b/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
index 7be47551bc6..3206efcd71a 100644
--- a/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml
@@ -5,9 +5,9 @@ description: Detects the creation of log files during a TeamViewer remote sessio
 references:
 - https://www.teamviewer.com/en-us/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/30
+date: 2022-01-30
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
index ad2d7b3910a..04ce7421d4d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
@@ -8,11 +8,11 @@ description: Detects the creation or modification of a vscode related powershell
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/24
-modified: 2023/01/06
+date: 2022-08-24
+modified: 2023-01-06
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.013
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
index 25dcc3ed117..d633343a48b 100644
--- a/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
 - https://twitter.com/nas_bench/status/1550836225652686848
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/22
+date: 2023-07-22
 tags:
 - attack.persistence
 - attack.t1547.015
diff --git a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
index 3f54ec7bde7..34430131cce 100644
--- a/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
@@ -8,7 +8,7 @@ description: Detects the creation of binaries in the WinSxS folder by non-system
 references:
 - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/11
+date: 2023-05-11
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
index 7c1a3ac1e2e..353b2c5409d 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a file that has the same name as the defaul
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
+date: 2023-05-16
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml
index 9a405099da1..01ffd9778b9 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml
@@ -5,10 +5,10 @@ description: Detects the creation of the LiveKD driver, which is used for live k
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
+date: 2023-05-16
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
index e997ad9c53a..e37be4917c8 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
@@ -8,10 +8,10 @@ description: Detects the creation of the LiveKD driver by a process image other
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
+date: 2023-05-16
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
index 60e2e7816a3..9fc433bbfcf 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml
@@ -10,10 +10,10 @@ references:
 - https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
 - https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
 author: Florian Roth (Nextron Systems)
-date: 2023/05/05
+date: 2023-05-05
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
index 8feed78794e..48a834cef7f 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml
@@ -5,10 +5,10 @@ description: Detects creation of the Process Monitor driver by processes other t
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/05
+date: 2023-05-05
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
index 70adaaad444..0ec3dfec3f2 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
@@ -9,8 +9,8 @@ references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
-date: 2017/06/12
-modified: 2022/10/26
+date: 2017-06-12
+modified: 2022-10-26
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
index 32facdcd8bd..f901ecaddad 100644
--- a/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
@@ -6,11 +6,11 @@ references:
 - https://aboutdfir.com/the-key-to-identify-psexec/
 - https://twitter.com/davisrichardg/status/1616518800584704028
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/21
-modified: 2023/02/23
+date: 2023-01-21
+modified: 2023-02-23
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.execution
 - attack.persistence
 - attack.t1136.002
diff --git a/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
index 3d72231bf21..1516644dd7c 100644
--- a/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/binderlabs/DirCreate2System
 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
 author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
-date: 2022/12/16
-modified: 2022/12/19
+date: 2022-12-16
+modified: 2022-12-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
index 0fbc2c3c9a0..dd73e1b6929 100644
--- a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
@@ -3,11 +3,11 @@ id: 69ca12af-119d-44ed-b50f-a47af0ebc364
 status: experimental
 description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
 author: Swachchhanda Shrawan Poudel
-date: 2023/10/19
+date: 2023-10-19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
index 7c28e374434..42bda88b129 100755
--- a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
@@ -5,10 +5,10 @@ description: Detects the usage of tsclient share to place a backdoor on the RDP
 author: Samir Bousseaden
 references:
 - Internal Research
-date: 2019/02/21
-modified: 2021/11/27
+date: 2019-02-21
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml
index 39aaedb0358..0e8445a1214 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dl
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
index 2253e434ebd..fe49cca4c1d 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
index 573219361a5..06269ac80a3 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
@@ -7,11 +7,11 @@ references:
 - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
 - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
 author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
-date: 2022/04/27
-modified: 2022/11/22
+date: 2022-04-27
+modified: 2022-11-22
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
index d243bfd64a0..71c0c8144c6 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
@@ -5,11 +5,11 @@ description: Detects the creation of a file by "dllhost.exe" in System32 directo
 references:
 - https://github.com/Wh04m1001/IDiagnosticProfileUAC
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/03
+date: 2022-07-03
 tags:
 - attack.execution
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml
index 261a391c022..b78dbe3a44b 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml
index 7c002dee7e2..f6377bb2820 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
index 842b6ed0e75..79aef3db6e3 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml
index eb3cc9a6e9f..dbed70ecdea 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a path parsing issue in win
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml
index cb58da9fa06..17f08dd10f5 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using Windows Media Player osksup
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml b/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
index 81a99698526..583a4be64f9 100644
--- a/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
+++ b/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
@@ -9,10 +9,10 @@ references:
 - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
 - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-date: 2021/10/25
-modified: 2023/05/05
+date: 2021-10-25
+modified: 2023-05-05
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml
index 99ade0380b0..b514ffe6d52 100644
--- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml
+++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
index 5bd3aeeb692..ceba72ef558 100644
--- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
+++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://ipfyx.fr/post/visual-studio-code-tunnel/
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 logsource:
 category: file_event
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
index 37bf4288b28..ecbe9131412 100755
--- a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
+++ b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
@@ -6,8 +6,8 @@ references:
 - PT ESC rule and personal experience
 - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
 author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
-date: 2019/10/22
-modified: 2023/10/15
+date: 2019-10-22
+modified: 2023-10-15
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
index fe80eca4388..b36b0b47bec 100644
--- a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
@@ -5,10 +5,10 @@ description: Detects WerFault copoed to a suspicious folder, which could be a si
 references:
 - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
 author: frack113
-date: 2022/05/09
+date: 2022-05-09
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
index a6d2cf763fc..92562c9c03c 100644
--- a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
+++ b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
@@ -8,10 +8,10 @@ description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl v
 references:
 - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
 author: Julia Fomina, oscd.community
-date: 2020/10/06
-modified: 2022/11/28
+date: 2020-10-06
+modified: 2022-11-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
index a3bc9e87523..ca9c5ded3fe 100755
--- a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
@@ -5,8 +5,8 @@ description: Detects file writes of WMI script event consumer
 references:
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Thomas Patzke
-date: 2018/03/07
-modified: 2021/11/27
+date: 2018-03-07
+modified: 2021-11-27
 tags:
 - attack.t1546.003
 - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
index 3da63d7b03e..a7c4f5a4175 100644
--- a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
+++ b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
@@ -6,10 +6,10 @@ references:
 - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
 - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/02
-modified: 2023/03/08
+date: 2022-06-02
+modified: 2023-03-08
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1047
 logsource:
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
index ef8135a39f0..8366dbb92d9 100644
--- a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -5,12 +5,12 @@ description: Detects a threat actor creating a file named `wbemcomn.dll` in the
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-modified: 2022/12/02
+date: 2020-10-12
+modified: 2022-12-02
 tags:
 - attack.execution
 - attack.t1047
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
index 12eb069723a..4386c5a9fae 100644
--- a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
@@ -6,10 +6,10 @@ references:
 - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
 - https://persistence-info.github.io/Data/wpbbin.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/18
+date: 2022-07-18
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1542.001
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
index 5925d660993..009f3dae58d 100644
--- a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
+++ b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
 author: frack113
-date: 2022/01/01
-modified: 2022/08/13
+date: 2022-01-01
+modified: 2022-08-13
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1546.002
 logsource:
 product: windows
diff --git a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
index 121cf8c6f1f..4fa27be5355 100644
--- a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
+++ b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
@@ -14,9 +14,9 @@ references:
 - https://en.wikipedia.org/wiki/IExpress
 - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/02/05
+date: 2024-02-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
index b1b6e9a28dc..b9e8dc70d11 100644
--- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml
+++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
@@ -6,8 +6,8 @@ references:
 - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
 - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
 author: frack113
-date: 2022/07/16
-modified: 2023/11/11
+date: 2022-07-16
+modified: 2023-11-11
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml
index d29daeb85cb..4e29957bd47 100644
--- a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml
+++ b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml
@@ -5,10 +5,10 @@ description: Detects cmstp loading "dll" or "ocx" files from suspicious location
 references:
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/30
-modified: 2023/02/17
+date: 2022-08-30
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.003
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml
index b8bb326b611..c86897f5b3d 100644
--- a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml
+++ b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml
@@ -6,10 +6,10 @@ references:
 - Internal Research
 - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/01
-modified: 2023/09/20
+date: 2023-06-01
+modified: 2023-09-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: image_load
 product: windows
diff --git a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
index 6f55aa71c6a..7e744da202d 100644
--- a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
+++ b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
 author: Den Iuzvyk
-date: 2020/07/15
-modified: 2023/04/18
+date: 2020-07-15
+modified: 2023-04-18
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.002
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
index 9449d14fcb9..7dc49b707ff 100644
--- a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
+++ b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
@@ -5,11 +5,11 @@ description: Detects rundll32 loading a renamed comsvcs.dll to dump process memo
 references:
 - https://twitter.com/sbousseaden/status/1555200155351228419
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
-modified: 2023/02/17
+date: 2022-08-14
+modified: 2023-02-17
 tags:
- - attack.credential_access
- - attack.defense_evasion
+ - attack.credential-access
+ - attack.defense-evasion
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml
index 2ca18ef36de..63719049874 100644
--- a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml
+++ b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml
@@ -8,10 +8,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
 - https://github.com/S12cybersecurity/RDPCredentialStealer
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/20
-modified: 2023/07/28
+date: 2020-10-20
+modified: 2023-07-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.collection
 - attack.t1056.002
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml b/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml
index d547f1666ce..6f0e202d3b7 100644
--- a/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml
+++ b/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml
@@ -13,10 +13,10 @@ references:
 - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
 - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
 author: Perez Diego (@darkquassar), oscd.community, Ecco
-date: 2019/10/27
-modified: 2022/12/09
+date: 2019-10-27
+modified: 2022-12-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml b/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml
index 8a5b65ec0d0..8f47fc7ccb2 100644
--- a/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml
+++ b/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/rbmaslen/status/1321859647091970051
 - https://twitter.com/tifkin_/status/1321916444557365248
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/29
-modified: 2022/10/09
+date: 2020-10-29
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
index ad640f5bc42..57b56ee490d 100644
--- a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
+++ b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
@@ -14,10 +14,10 @@ references:
 - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
 - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
-date: 2023/11/28
+date: 2023-11-28
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1486
 - attack.t1562.001
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
index 62b11f22489..87094ee6545 100644
--- a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
+++ b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
@@ -14,10 +14,10 @@ references:
 - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
 - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
 author: Luc Génaux
-date: 2023/11/28
+date: 2023-11-28
 tags:
 - attack.impact
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1486
 - attack.t1562.001
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml
index 57031a4c98b..6b550b274ca 100644
--- a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml
+++ b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml
@@ -5,12 +5,12 @@ description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilitie
 references:
 - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
 author: Greg (rule)
-date: 2022/06/17
-modified: 2023/02/17
+date: 2022-06-17
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
- - cve.2022.30190
+ - cve.2022-30190
 logsource:
 category: image_load
 product: windows
diff --git a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
index f1af8ce06f0..d00f02f6fb4 100644
--- a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
@@ -2,9 +2,9 @@ title: PowerShell Core DLL Loaded By Non PowerShell Process
 id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
 related:
 - id: 867613fb-fa60-4497-a017-a82df74a172c
- type: obsoletes
+ type: obsolete
 - id: fe6e002f-f244-4278-9263-20e4b593827f
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
@@ -13,8 +13,8 @@ references:
 - https://adsecurity.org/?p=2921
 - https://github.com/p3nt4/PowerShdll
 author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/11/14
-modified: 2024/01/17
+date: 2019-11-14
+modified: 2024-01-17
 tags:
 - attack.t1059.001
 - attack.execution
diff --git a/rules/windows/image_load/image_load_dll_tttracer_module_load.yml b/rules/windows/image_load/image_load_dll_tttracer_module_load.yml
index a6f3981b7c6..b915e2ee9e0 100644
--- a/rules/windows/image_load/image_load_dll_tttracer_module_load.yml
+++ b/rules/windows/image_load/image_load_dll_tttracer_module_load.yml
@@ -7,11 +7,11 @@ references:
 - https://twitter.com/mattifestation/status/1196390321783025666
 - https://twitter.com/oulusoyum/status/1191329746069655553
 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
-date: 2020/10/06
-modified: 2022/12/02
+date: 2020-10-06
+modified: 2022-12-02
 tags:
- - attack.defense_evasion
- - attack.credential_access
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.t1218
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
index 2616ddd6d5b..2234e2a9c2b 100644
--- a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml
@@ -11,10 +11,10 @@ references:
 - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
 - https://twitter.com/am0nsec/status/1412232114980982787
 author: Markus Neis, @markus_neis
-date: 2021/07/07
-modified: 2024/03/28
+date: 2021-07-07
+modified: 2024-03-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1490
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml
index 55b5afe0df1..6e51dafd670 100644
--- a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml
@@ -10,10 +10,10 @@ description: Detects the image load of VSS DLL by uncommon executables
 references:
 - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
-date: 2022/10/31
-modified: 2023/05/03
+date: 2022-10-31
+modified: 2023-05-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1490
 logsource:
diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
index 00b1114d2bc..3afd9ff24ce 100644
--- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
@@ -10,10 +10,10 @@ description: Detects the image load of VSS DLL by uncommon executables
 references:
 - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
-date: 2023/02/17
-modified: 2023/03/28
+date: 2023-02-17
+modified: 2023-03-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1490
 logsource:
diff --git a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
index 82bb13b6805..c105113960b 100644
--- a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
+++ b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
@@ -8,10 +8,10 @@ description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHoo
 references:
 - https://github.com/bats3c/EvtMute
 author: Florian Roth (Nextron Systems)
-date: 2022/09/07
-modified: 2023/02/17
+date: 2022-09-07
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml b/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml
index 6ffdc39357e..23b883130a9 100644
--- a/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml
+++ b/rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml
@@ -8,10 +8,10 @@ description: Detects SILENTTRINITY stager dll loading activity
 references:
 - https://github.com/byt3bl33d3r/SILENTTRINITY
 author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-modified: 2023/02/17
+date: 2019-10-22
+modified: 2023-02-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml b/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml
index 40dc3a5b32b..699a29ef17e 100644
--- a/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml
+++ b/rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml
@@ -2,7 +2,7 @@ title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
 id: f354eba5-623b-450f-b073-0b5b2773b6aa
 related:
 - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
- type: obsoletes
+ type: obsolete
 - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
 type: similar
 status: test
@@ -10,10 +10,10 @@ description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM In
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-date: 2020/10/12
-modified: 2022/12/18
+date: 2020-10-12
+modified: 2022-12-18
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1021.003
 logsource:
diff --git a/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml b/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml
index 41e5508b069..848b25dc177 100644
--- a/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml
+++ b/rules/windows/image_load/image_load_lsass_unsigned_image_load.yml
@@ -5,10 +5,10 @@ description: Loading unsigned image (DLL, EXE) into LSASS process
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2021/11/27
+date: 2019-10-22
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml
index d8bd720c2db..d1a59a015e4 100644
--- a/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects any assembly DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/03/29
+date: 2020-02-19
+modified: 2023-03-29
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml
index c4146d882dc..b87d418048a 100644
--- a/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects CLR DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/03/29
+date: 2020-02-19
+modified: 2023-03-29
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml
index 609e80c54a9..88adfb4e1f2 100644
--- a/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects any GAC DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/02/10
+date: 2020-02-19
+modified: 2023-02-10
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_dsparse_dll_load.yml b/rules/windows/image_load/image_load_office_dsparse_dll_load.yml
index a856ebb601f..de679c38dc0 100644
--- a/rules/windows/image_load/image_load_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_dsparse_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects DSParse DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/03/28
+date: 2020-02-19
+modified: 2023-03-28
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
index 148d0e35407..454bc4afaa3 100644
--- a/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
+++ b/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
@@ -9,7 +9,7 @@ references:
 - https://www.mandiant.com/resources/blog/lnk-between-browsers
 - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/12
+date: 2023-05-12
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_kerberos_dll_load.yml b/rules/windows/image_load/image_load_office_kerberos_dll_load.yml
index 76a84462649..84477d43c7b 100644
--- a/rules/windows/image_load/image_load_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_kerberos_dll_load.yml
@@ -5,8 +5,8 @@ description: Detects Kerberos DLL being loaded by an Office Product
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/03/28
+date: 2020-02-19
+modified: 2023-03-28
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml b/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml
index 5baba0a40a9..1b4d4a53583 100644
--- a/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml
+++ b/rules/windows/image_load/image_load_office_outlook_outlvba_load.yml
@@ -5,8 +5,8 @@ description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/08
-modified: 2024/03/12
+date: 2023-02-08
+modified: 2024-03-12
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_office_powershell_dll_load.yml b/rules/windows/image_load/image_load_office_powershell_dll_load.yml
index 3c2235cb8ad..dc079ebdf6f 100644
--- a/rules/windows/image_load/image_load_office_powershell_dll_load.yml
+++ b/rules/windows/image_load/image_load_office_powershell_dll_load.yml
@@ -5,9 +5,9 @@ description: Detects PowerShell core DLL being loaded by an Office Product
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/01
+date: 2023-06-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: image_load
 product: windows
diff --git a/rules/windows/image_load/image_load_office_vbadll_load.yml b/rules/windows/image_load/image_load_office_vbadll_load.yml
index 79f9f7a336e..f0c5f557312 100644
--- a/rules/windows/image_load/image_load_office_vbadll_load.yml
+++ b/rules/windows/image_load/image_load_office_vbadll_load.yml
@@ -5,8 +5,8 @@ description: Detects VB DLL's loaded by an office application. Which could indic
 references:
 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
-date: 2020/02/19
-modified: 2023/02/10
+date: 2020-02-19
+modified: 2023-02-10
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml
index e93b5aac5db..9baad06a019 100644
--- a/rules/windows/image_load/image_load_rundll32_remote_share_load.yml
+++ b/rules/windows/image_load/image_load_rundll32_remote_share_load.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/gabe-k/themebleed
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/18
+date: 2023-09-18
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml b/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml
index dcccdb92636..071f91318a5 100644
--- a/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml
+++ b/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml
@@ -7,11 +7,11 @@ references:
 - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
 - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/09/02
-modified: 2023/02/22
+date: 2020-09-02
+modified: 2023-02-22
 tags:
- - attack.lateral_movement
- - attack.privilege_escalation
+ - attack.lateral-movement
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.003
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_7za.yml b/rules/windows/image_load/image_load_side_load_7za.yml
index 739d1f9cfa9..4faf84a0dd5 100644
--- a/rules/windows/image_load/image_load_side_load_7za.yml
+++ b/rules/windows/image_load/image_load_side_load_7za.yml
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "7za.dll"
 references:
 - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
 author: X__Junior
-date: 2023/06/09
+date: 2023-06-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
index e9fcc62a14a..a2f892cc0c4 100644
--- a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
+++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
@@ -6,7 +6,7 @@ references:
 - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
 - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
 author: X__Junior (Nextron Systems)
-date: 2023/07/11
+date: 2023-07-11
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml
index b5b3a05f458..15226359ef4 100644
--- a/rules/windows/image_load/image_load_side_load_antivirus.yml
+++ b/rules/windows/image_load/image_load_side_load_antivirus.yml
@@ -5,12 +5,12 @@ description: Detects potential DLL sideloading of DLLs that are part of antiviru
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/08/17
-modified: 2023/03/13
+date: 2022-08-17
+modified: 2023-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml
index 43932ba19da..b87a29a9575 100644
--- a/rules/windows/image_load/image_load_side_load_appverifui.yml
+++ b/rules/windows/image_load/image_load_side_load_appverifui.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "appverifUI.dll"
 references:
 - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
 author: X__Junior (Nextron Systems)
-date: 2023/06/20
+date: 2023-06-20
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
index 0cc29e9717f..f1def71c499 100644
--- a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
+++ b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading activity via the Aruba Networks V
 references:
 - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/22
-modified: 2023/03/15
+date: 2023-01-22
+modified: 2023-03-15
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1574.001
 - attack.t1574.002
diff --git a/rules/windows/image_load/image_load_side_load_avkkid.yml b/rules/windows/image_load/image_load_side_load_avkkid.yml
index 34f5dcc903e..346b5183393 100644
--- a/rules/windows/image_load/image_load_side_load_avkkid.yml
+++ b/rules/windows/image_load/image_load_side_load_avkkid.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "AVKkid.dll"
 references:
 - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
 author: X__Junior (Nextron Systems)
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
index aa4e08c8301..a5176e11898 100644
--- a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
+++ b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "CCleanerDU.dll"
 references:
 - https://lab52.io/blog/2344-2/
 author: X__Junior (Nextron Systems)
-date: 2023/07/13
+date: 2023-07-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
index eac6adb4aee..ded2e6d5f42 100644
--- a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
+++ b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
 references:
 - https://lab52.io/blog/2344-2/
 author: X__Junior
-date: 2023/07/13
+date: 2023-07-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
index 29a3c5e73eb..20339c6b009 100644
--- a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
+++ b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml
@@ -5,12 +5,12 @@ description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
 references:
 - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/08/17
-modified: 2023/05/15
+date: 2022-08-17
+modified: 2023-05-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
index 83cd1887958..11632562c8f 100644
--- a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
+++ b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
@@ -6,11 +6,11 @@ references:
 - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
 - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
 author: frack113
-date: 2022/12/13
+date: 2022-12-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_comctl32.yml b/rules/windows/image_load/image_load_side_load_comctl32.yml
index 49127775f16..9a1b0163824 100644
--- a/rules/windows/image_load/image_load_side_load_comctl32.yml
+++ b/rules/windows/image_load/image_load_side_load_comctl32.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/binderlabs/DirCreate2System
 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
 author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
-date: 2022/12/16
-modified: 2022/12/19
+date: 2022-12-16
+modified: 2022-12-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml
index 454209dd137..dca2161600f 100644
--- a/rules/windows/image_load/image_load_side_load_coregen.yml
+++ b/rules/windows/image_load/image_load_side_load_coregen.yml
@@ -5,9 +5,9 @@ description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image G
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
 author: frack113
-date: 2022/12/31
+date: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1055
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
index f39e67c66f1..d5423eff0f1 100644
--- a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
@@ -6,9 +6,9 @@ references:
 - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
 - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
 author: Anish Bogati
-date: 2024/01/09
+date: 2024-01-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_side_load_dbgcore.yml b/rules/windows/image_load/image_load_side_load_dbgcore.yml
index c2f9fd7c7ea..bcdcc72dc61 100644
--- a/rules/windows/image_load/image_load_side_load_dbgcore.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgcore.yml
@@ -5,12 +5,12 @@ description: Detects DLL sideloading of "dbgcore.dll"
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/10/25
-modified: 2023/05/05
+date: 2022-10-25
+modified: 2023-05-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_dbghelp.yml b/rules/windows/image_load/image_load_side_load_dbghelp.yml
index 9857aa7b51e..d807b4d56ac 100644
--- a/rules/windows/image_load/image_load_side_load_dbghelp.yml
+++ b/rules/windows/image_load/image_load_side_load_dbghelp.yml
@@ -5,12 +5,12 @@ description: Detects potential DLL sideloading of "dbghelp.dll"
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/10/25
-modified: 2023/05/05
+date: 2022-10-25
+modified: 2023-05-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_dbgmodel.yml b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
index 6b772ead8d7..0f2e3ed3cc7 100644
--- a/rules/windows/image_load/image_load_side_load_dbgmodel.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "DbgModel.dll"
 references:
 - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
 author: Gary Lobermier
-date: 2024/07/11
-modified: 2024/08/06
+date: 2024-07-11
+modified: 2024-07-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
@@ -27,8 +27,6 @@ detection:
 ImageLoaded|startswith:
 - 'C:\Program Files (x86)\Windows Kits\'
 - 'C:\Program Files\Windows Kits\'
- filter_optional_dell_instrumentation:
- ImageLoaded|startswith: 'C:\Program Files\Dell\DTP\InstrumentationSubAgent\'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Legitimate applications loading their own versions of the DLL mentioned in this rule
diff --git a/rules/windows/image_load/image_load_side_load_eacore.yml b/rules/windows/image_load/image_load_side_load_eacore.yml
index 876836a5d49..9314e7fae18 100644
--- a/rules/windows/image_load/image_load_side_load_eacore.yml
+++ b/rules/windows/image_load/image_load_side_load_eacore.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "EACore.dll"
 references:
 - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
 author: X__Junior (Nextron Systems)
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_edputil.yml b/rules/windows/image_load/image_load_side_load_edputil.yml
index 68731a236bc..a19fcf60c42 100644
--- a/rules/windows/image_load/image_load_side_load_edputil.yml
+++ b/rules/windows/image_load/image_load_side_load_edputil.yml
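Review bot: The kept `condition` line in the second hunk of image_load_side_load_dbgmodel.yml still references `1 of filter_optional_*`, while the only `filter_optional_` selection visible, `filter_optional_dell_instrumentation`, is the one this hunk removes. If no other `filter_optional_*` block remains earlier in `detection` (the block starts before this hunk, so that cannot be confirmed here), the wildcard resolves to nothing and the rule validator or backends may reject it; in that case the clause should go with the filter: `condition: selection and not 1 of filter_main_*`. Separately, `modified` moves from `2024/08/06` back to `2024-07-22`; that looks like a correction of a future-dated value, but since dropping the Dell filter changes detection scope (loads from that path will now alert), it is worth confirming the intended date and that the path was deliberately re-classified as not a legitimate loader.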
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "edputil.dll"
 references:
 - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
 author: X__Junior (Nextron Systems)
-date: 2023/06/09
+date: 2023-06-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 3c8aec1b3ad..925ca00288b 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -9,12 +9,12 @@ references:
 - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
 - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/14
-modified: 2024/07/11
+date: 2022-08-14
+modified: 2024-07-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_goopdate.yml b/rules/windows/image_load/image_load_side_load_goopdate.yml
index 9552d33e125..42e49f6e1cd 100644
--- a/rules/windows/image_load/image_load_side_load_goopdate.yml
+++ b/rules/windows/image_load/image_load_side_load_goopdate.yml
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2023/05/20
+date: 2023-05-15
+modified: 2023-05-20
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
index dbeeef9cdc0..834dd848ed5 100644
--- a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
+++ b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe"
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/05
+date: 2023-05-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_iviewers.yml b/rules/windows/image_load/image_load_side_load_iviewers.yml
index 15b734624fe..859d20d33f3 100644
--- a/rules/windows/image_load/image_load_side_load_iviewers.yml
+++ b/rules/windows/image_load/image_load_side_load_iviewers.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object
 references:
 - https://www.secureworks.com/research/shadowpad-malware-analysis
 author: X__Junior (Nextron Systems)
-date: 2023/03/21
+date: 2023-03-21
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_jsschhlp.yml b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
index 3137b1d31ec..7872dcc9e07 100644
--- a/rules/windows/image_load/image_load_side_load_jsschhlp.yml
+++ b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
@@ -6,11 +6,11 @@ references:
 - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
 - http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp
 author: frack113
-date: 2022/12/14
+date: 2022-12-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_keyscrambler.yml b/rules/windows/image_load/image_load_side_load_keyscrambler.yml
index 9b7edcbd4d1..b197ad7f42d 100644
--- a/rules/windows/image_load/image_load_side_load_keyscrambler.yml
+++ b/rules/windows/image_load/image_load_side_load_keyscrambler.yml
@@ -14,10 +14,10 @@ references:
 - https://twitter.com/Max_Mal_/status/1775222576639291859
 - https://twitter.com/DTCERT/status/1712785426895839339
 author: Swachchhanda Shrawan Poudel
-date: 2024/04/15
+date: 2024-04-15
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_libvlc.yml b/rules/windows/image_load/image_load_side_load_libvlc.yml
index e2c12979a55..ee3b425c378 100644
--- a/rules/windows/image_load/image_load_side_load_libvlc.yml
+++ b/rules/windows/image_load/image_load_side_load_libvlc.yml
@@ -6,11 +6,11 @@ references:
 - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
 - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
 author: X__Junior
-date: 2023/04/17
+date: 2023-04-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_mfdetours.yml b/rules/windows/image_load/image_load_side_load_mfdetours.yml
index 671b016a52d..fa986098ed5 100644
--- a/rules/windows/image_load/image_load_side_load_mfdetours.yml
+++ b/rules/windows/image_load/image_load_side_load_mfdetours.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "mfdetours.dll". While using "
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
index fd2fb734c0d..660c57b4997 100644
--- a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
+++ b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
@@ -8,10 +8,10 @@ description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mft
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/11
+date: 2023-08-11
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_mpsvc.yml b/rules/windows/image_load/image_load_side_load_mpsvc.yml
index 5f092c94c79..32c21d88b3b 100644
--- a/rules/windows/image_load/image_load_side_load_mpsvc.yml
+++ b/rules/windows/image_load/image_load_side_load_mpsvc.yml
@@ -5,9 +5,9 @@ description: Detects potential DLL sideloading of "MpSvc.dll".
 references:
 - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_side_load_mscorsvc.yml b/rules/windows/image_load/image_load_side_load_mscorsvc.yml
index 7ac8b8ee63b..f42eabb62e6 100644
--- a/rules/windows/image_load/image_load_side_load_mscorsvc.yml
+++ b/rules/windows/image_load/image_load_side_load_mscorsvc.yml
@@ -5,9 +5,9 @@ description: Detects potential DLL sideloading of "mscorsvc.dll".
 references:
 - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
 author: Wietze Beukema
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
index 13fa3f4902d..4377162937e 100644
--- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
@@ -4,7 +4,7 @@ related:
 - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
 type: similar
 - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories).
@@ -17,12 +17,12 @@ references:
 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
 - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
 author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
-date: 2022/12/09
-modified: 2024/01/10
+date: 2022-12-09
+modified: 2024-01-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_office_dlls.yml b/rules/windows/image_load/image_load_side_load_office_dlls.yml
index 494e9718fce..433fe897c48 100644
--- a/rules/windows/image_load/image_load_side_load_office_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_office_dlls.yml
@@ -5,12 +5,12 @@ description: Detects DLL sideloading of DLLs that are part of Microsoft Office f
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/08/17
-modified: 2023/03/15
+date: 2022-08-17
+modified: 2023-03-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_rcdll.yml b/rules/windows/image_load/image_load_side_load_rcdll.yml
index c7cd048a15a..18fe5ab030f 100644
--- a/rules/windows/image_load/image_load_side_load_rcdll.yml
+++ b/rules/windows/image_load/image_load_side_load_rcdll.yml
@@ -5,11 +5,11 @@ description: Detects potential DLL sideloading of rcdll.dll
 references:
 - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
 author: X__Junior (Nextron Systems)
-date: 2023/03/13
-modified: 2023/03/15
+date: 2023-03-13
+modified: 2023-03-15
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
index 031f8a2564c..82a8348a9d2 100644
--- a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
+++ b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
@@ -5,10 +5,10 @@ description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.ex
 references:
 - https://twitter.com/0gtweet/status/1666716511988330499
 author: X__Junior (Nextron Systems)
-date: 2023/06/09
+date: 2023-06-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
index 9736f91c35f..62ee11ef89a 100644
--- a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
+++ b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemRe
 references:
 - https://twitter.com/0gtweet/status/1666716511988330499
 author: X__Junior (Nextron Systems)
-date: 2023/06/09
+date: 2023-06-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_robform.yml b/rules/windows/image_load/image_load_side_load_robform.yml
index 59ae90ce250..cb21de68c9f 100644
--- a/rules/windows/image_load/image_load_side_load_robform.yml
+++ b/rules/windows/image_load/image_load_side_load_robform.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/t3ft3lb/status/1656194831830401024
 - https://www.roboform.com/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/14
+date: 2023-05-14
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml b/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml
index 0c9ae6115aa..68dc08a1cb8 100644
--- a/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml
+++ b/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml
@@ -11,11 +11,11 @@ references:
 - https://mobile.twitter.com/0gtweet/status/1564131230941122561
 - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/01
+date: 2022-12-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml
index 2893eaa8ece..c876bcecd73 100644
--- a/rules/windows/image_load/image_load_side_load_shelldispatch.yml
+++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "ShellDispatch.dll"
 references:
 - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
 author: X__Junior (Nextron Systems)
-date: 2023/06/20
+date: 2023-06-20
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml
index 5b658877606..802667860d2 100644
--- a/rules/windows/image_load/image_load_side_load_smadhook.yml
+++ b/rules/windows/image_load/image_load_side_load_smadhook.yml
@@ -6,10 +6,10 @@ references:
 - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
 - https://www.qurium.org/alerts/targeted-malware-against-crph/
 author: X__Junior (Nextron Systems)
-date: 2023/06/01
+date: 2023-06-01
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
index c0952513125..ad41e349926 100644
--- a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
+++ b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
 references:
 - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
 author: X__Junior (Nextron Systems)
-date: 2023/05/07
+date: 2023-05-07
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_third_party.yml b/rules/windows/image_load/image_load_side_load_third_party.yml
index 9ab4d20ec0f..4df49fa4b57 100644
--- a/rules/windows/image_load/image_load_side_load_third_party.yml
+++ b/rules/windows/image_load/image_load_side_load_third_party.yml
@@ -5,11 +5,11 @@ description: Detects DLL sideloading of DLLs that are part of third party softwa
 references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-date: 2022/08/17
+date: 2022-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_ualapi.yml b/rules/windows/image_load/image_load_side_load_ualapi.yml
index f5055f21849..78c049a4af1 100644
--- a/rules/windows/image_load/image_load_side_load_ualapi.yml
+++ b/rules/windows/image_load/image_load_side_load_ualapi.yml
@@ -5,11 +5,11 @@ description: The Fax service attempts to load ualapi.dll, which is non-existent.
 references:
 - https://windows-internals.com/faxing-your-way-to-system/
 author: NVISO
-date: 2020/05/04
-modified: 2022/06/02
+date: 2020-05-04
+modified: 2022-06-02
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
index 3baab600a52..56f9e2afaa9 100644
--- a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
+++ b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "vivaldi_elf.dll"
 references:
 - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
 author: X__Junior (Nextron Systems)
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
index 5ec9b20647c..3d0e32d46c1 100644
--- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml
+++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
@@ -5,11 +5,11 @@ description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
 references:
 - https://decoded.avast.io/martinchlumecky/png-steganography/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/01
+date: 2022-12-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml
index 1be2d7b8515..78944169f8a 100644
--- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml
+++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml
@@ -8,11 +8,11 @@ description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sy
 references:
 - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/05
+date: 2023-09-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml
index 0135e93a9da..40e2b80ab6e 100644
--- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml
+++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml
@@ -8,12 +8,12 @@ description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the
 references:
 - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/28
-modified: 2023/09/05
+date: 2023-07-28
+modified: 2023-09-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
index ce13045665c..75844eb559f 100644
--- a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
+++ b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
@@ -5,10 +5,10 @@ description: Detects loading of a DLL by the VMware Xfer utility from the non-de
 references:
 - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/02
-modified: 2023/02/17
+date: 2022-08-02
+modified: 2023-02-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_side_load_waveedit.yml b/rules/windows/image_load/image_load_side_load_waveedit.yml
index 2caa069bee9..a73e81239ed 100644
--- a/rules/windows/image_load/image_load_side_load_waveedit.yml
+++ b/rules/windows/image_load/image_load_side_load_waveedit.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL sideloading of "waveedit.dll", which is part
 references:
 - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
 author: X__Junior (Nextron Systems)
-date: 2023/06/14
+date: 2023-06-14
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_wazuh.yml b/rules/windows/image_load/image_load_side_load_wazuh.yml
index 700461cc940..1974d30e718 100644
--- a/rules/windows/image_load/image_load_side_load_wazuh.yml
+++ b/rules/windows/image_load/image_load_side_load_wazuh.yml
@@ -5,12 +5,12 @@ description: Detects potential DLL side loading of DLLs that are part of the Waz
 references:
 - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
 author: X__Junior (Nextron Systems)
-date: 2023/03/13
-modified: 2023/05/12
+date: 2023-03-13
+modified: 2023-05-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_side_load_windows_defender.yml b/rules/windows/image_load/image_load_side_load_windows_defender.yml
index d0d150a9f59..8b23344d3b6 100644
--- a/rules/windows/image_load/image_load_side_load_windows_defender.yml
+++ b/rules/windows/image_load/image_load_side_load_windows_defender.yml
@@ -8,10 +8,10 @@ description: Detects potential sideloading of "mpclient.dll" by Windows Defender
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
-date: 2022/08/02
-modified: 2023/08/04
+date: 2022-08-02
+modified: 2023-08-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml
index 7de9b90e1d7..c4faf0d290b 100644
--- a/rules/windows/image_load/image_load_side_load_wwlib.yml
+++ b/rules/windows/image_load/image_load_side_load_wwlib.yml
@@ -7,10 +7,10 @@ references:
 - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
 - https://securelist.com/apt-luminousmoth/103332/
 author: X__Junior (Nextron Systems)
-date: 2023/05/18
+date: 2023-05-18
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.001
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_spoolsv_dll_load.yml b/rules/windows/image_load/image_load_spoolsv_dll_load.yml
index f5a521003bc..aefe1fa4d02 100644
--- a/rules/windows/image_load/image_load_spoolsv_dll_load.yml
+++ b/rules/windows/image_load/image_load_spoolsv_dll_load.yml
@@ -6,15 +6,15 @@ references:
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/ly4k/SpoolFool
 author: FPT.EagleEye, Thomas Patzke (improvements)
-date: 2021/06/29
-modified: 2022/06/02
+date: 2021-06-29
+modified: 2022-06-02
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574
- - cve.2021.1675
- - cve.2021.34527
+ - cve.2021-1675
+ - cve.2021-34527
 logsource:
 category: image_load
 product: windows
diff --git a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
index 17cb4cb364a..6340e33d1b9 100644
--- a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
+++ b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
@@ -5,7 +5,7 @@ description: Detects unsigned module load by ClickOnce application.
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
 author: '@SerkinValery'
-date: 2023/06/08
+date: 2023-06-08
 tags:
 - attack.persistence
 - attack.t1574.002
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index a1206b18ddb..0c7e23829de 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -5,10 +5,10 @@ description: Detects when a system process (i.e. located in system32, syswow64,
 references:
 - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/17
-modified: 2023/09/18
+date: 2022-07-17
+modified: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index 0523dd935a0..16cac663694 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -6,10 +6,10 @@ references:
 - https://www.py2exe.org/
 - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
 author: Patrick St. John, OTR (Open Threat Research)
-date: 2020/05/03
-modified: 2023/09/18
+date: 2020-05-03
+modified: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.002
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
index c2614032082..81117a5f3e1 100644
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
@@ -8,11 +8,11 @@ references:
 - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
 - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
 author: omkar72, oscd.community
-date: 2020/10/14
-modified: 2023/02/23
+date: 2020-10-14
+modified: 2023-02-23
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_susp_unsigned_dll.yml b/rules/windows/image_load/image_load_susp_unsigned_dll.yml
index ee8a11a737e..cce9bc1f3ba 100644
--- a/rules/windows/image_load/image_load_susp_unsigned_dll.yml
+++ b/rules/windows/image_load/image_load_susp_unsigned_dll.yml
@@ -9,12 +9,12 @@ references:
 - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
 - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
 author: Swachchhanda Shrawan Poudel
-date: 2024/02/28
-modified: 2024/03/07
+date: 2024-02-28
+modified: 2024-03-07
 tags:
 - attack.t1218.011
 - attack.t1218.010
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: image_load
diff --git a/rules/windows/image_load/image_load_thor_unsigned_execution.yml b/rules/windows/image_load/image_load_thor_unsigned_execution.yml
index ae14adc82ed..3ea1fd03338 100644
--- a/rules/windows/image_load/image_load_thor_unsigned_execution.yml
+++ b/rules/windows/image_load/image_load_thor_unsigned_execution.yml
@@ -5,9 +5,9 @@ description: Detects loading and execution of an unsigned thor scanner binary.
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/29
+date: 2023-10-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
index 707f91f5bc3..e2537d28bda 100644
--- a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
 - https://twitter.com/wdormann/status/1547583317410607110
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/17
-modified: 2022/07/25
+date: 2022-07-17
+modified: 2022-07-25
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
index 5391b965c29..47fc585fa83 100644
--- a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
@@ -5,12 +5,12 @@ description: Attempts to load dismcore.dll after dropping it
 references:
 - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
 author: oscd.community, Dmitry Uchakin
-date: 2020/10/06
-modified: 2022/12/25
+date: 2020-10-06
+modified: 2022-12-25
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - attack.t1574.002
 logsource:
diff --git a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
index 112e85ffe4e..3f27a9f9625 100755
--- a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
@@ -5,8 +5,8 @@ description: Detects WMI command line event consumers
 references:
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Thomas Patzke
-date: 2018/03/07
-modified: 2021/11/27
+date: 2018-03-07
+modified: 2021-11-27
 tags:
 - attack.t1546.003
 - attack.persistence
diff --git a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
index 8a234d11b38..b63428a62a3 100644
--- a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
+++ b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/dez_/status/986614411711442944
 - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/17
-modified: 2022/10/13
+date: 2020-10-17
+modified: 2022-10-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1220
 logsource:
 category: image_load
diff --git a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
index dfa50af4b92..da018cc3c68 100644
--- a/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
+++ b/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml
@@ -5,12 +5,12 @@ description: Detects a threat actor creating a file named `wbemcomn.dll` in the
 references:
 - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-modified: 2022/10/09
+date: 2020-10-12
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1047
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
index 8327bffa06f..e8f4c1f1fd2 100644
--- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml
+++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
@@ -8,12 +8,12 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
 - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/24
-modified: 2022/10/07
+date: 2020-06-24
+modified: 2022-10-07
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.003
 logsource:
 category: image_load
diff --git a/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml b/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
index 3ddc1770a47..9b50abcc362 100644
--- a/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
+++ b/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
-modified: 2024/07/16
+date: 2023-09-18
+modified: 2024-07-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
index 92f2fed0d93..e60ba56af40 100644
--- a/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/09/02
-modified: 2024/05/31
+date: 2022-09-02
+modified: 2024-05-31
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml
index b61d4530736..a0dbaff1573 100644
--- a/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/30
-modified: 2024/05/31
+date: 2022-08-30
+modified: 2024-05-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.003
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
index a3c3c3e6384..25a7e282785 100644
--- a/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
@@ -11,7 +11,7 @@ references:
 - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
 - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
 author: CertainlyP
-date: 2024/04/26
+date: 2024-04-26
 tags:
 - attack.execution
 - attack.t1071.001
diff --git a/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml b/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
index c098c9c5cc0..84e2304f990 100644
--- a/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml
@@ -12,10 +12,10 @@ references:
 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/24
-modified: 2024/07/16
+date: 2024-06-24
+modified: 2024-07-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 - attack.t1102.001
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml b/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml
index d4130bdaf6c..a524c3a52a7 100644
--- a/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml
@@ -12,10 +12,10 @@ references:
 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
 - Internal Research
 author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/05/27
+date: 2024-05-27
 tags:
 - attack.exfiltration
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1567.001
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml b/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml
index f90c1ef96cf..d24349bd84e 100644
--- a/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml
@@ -7,8 +7,8 @@ references:
 - https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
 - https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/10/26
-modified: 2024/01/19
+date: 2021-10-26
+modified: 2024-01-19
 tags:
 - attack.impact
 - attack.t1496
diff --git a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
index 17d1e842eec..f40a7f06aff 100644
--- a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
@@ -2,7 +2,7 @@ title: Potential Dead Drop Resolvers
 id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
 related:
 - id: d7b09985-95a3-44be-8450-b6eadf49833e
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
@@ -15,10 +15,10 @@ references:
 - https://twitter.com/kleiton0x7e/status/1600567316810551296
 - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
 author: Sorina Ionescu, X__Junior (Nextron Systems)
-date: 2022/08/17
-modified: 2024/07/16
+date: 2022-08-17
+modified: 2024-07-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 - attack.t1102.001
 logsource:
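Review bot: In the dead-drop-resolvers hunk the `related.type` value for id `d7b09985-95a3-44be-8450-b6eadf49833e` changes from `obsoletes` to `obsolete`, and any consumer that keys on the literal `obsoletes` to suppress or retire the superseded rule will stop recognising the relation with no error. A rename of an enumerated value like this should be backed by a validation test that rejects the old spelling, so a rule that is added later with `type: obsoletes` fails CI instead of quietly losing its relation. A one-line changelog entry listing the accepted `related.type` values would let downstream rule-management tooling map the old spelling to the new one in a single place. The two hunks are complete; the rule's `detection:` block is outside them.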
diff --git a/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml b/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml
index 33680cfd9a2..23efcc69ae1 100644
--- a/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml
@@ -15,7 +15,7 @@ references:
 - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
 - https://cydefops.com/devtunnels-unleashed
 author: Kamran Saifullah
-date: 2023/11/20
+date: 2023-11-20
 tags:
 - attack.exfiltration
 - attack.t1567.001
diff --git a/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml b/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
index 99515f2c68f..3bc61cb9007 100644
--- a/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml
@@ -6,9 +6,9 @@ references:
 - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
 - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
 author: Florian Roth (Nextron Systems)
-date: 2022/04/20
+date: 2022-04-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml b/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
index 50b45d283b3..86927b8a05e 100644
--- a/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
@@ -11,8 +11,8 @@ references:
 - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/24
-modified: 2024/03/22
+date: 2023-04-24
+modified: 2024-03-22
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml
index 2e846b444f3..43339167966 100644
--- a/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml
@@ -10,10 +10,10 @@ references:
 - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
 - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
 author: Gavin Knapp
-date: 2023/05/01
-modified: 2024/07/16
+date: 2023-05-01
+modified: 2024-07-16
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 logsource:
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml b/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml
index 782baaf2aa2..cc682c73f40 100644
--- a/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml
@@ -9,9 +9,9 @@ references:
 - https://localtonet.com/documents/supported-tunnels
 - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
 author: Andreas Braathen (mnemonic.io)
-date: 2024/06/17
+date: 2024-06-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 - attack.t1090
 - attack.t1102
diff --git a/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml b/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml
index a9441f991c6..dcac5db849d 100644
--- a/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml
@@ -8,8 +8,8 @@ references:
 - https://megatools.megous.com/
 - https://www.mandiant.com/resources/russian-targeting-gov-business
 author: Florian Roth (Nextron Systems)
-date: 2021/12/06
-modified: 2024/05/31
+date: 2021-12-06
+modified: 2024-05-31
 tags:
 - attack.exfiltration
 - attack.t1567.001
diff --git a/rules/windows/network_connection/net_connection_win_domain_ngrok.yml b/rules/windows/network_connection/net_connection_win_domain_ngrok.yml
index 4f7be14ae42..83ba1695ad9 100644
--- a/rules/windows/network_connection/net_connection_win_domain_ngrok.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_ngrok.yml
@@ -14,8 +14,8 @@ references:
 - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
 - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
 author: Florian Roth (Nextron Systems)
-date: 2022/07/16
-modified: 2023/11/17
+date: 2022-07-16
+modified: 2023-11-17
 tags:
 - attack.exfiltration
 - attack.t1567.001
diff --git a/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml b/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml
index cf0a21dc431..e5cbbf19c24 100644
--- a/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml
@@ -12,11 +12,11 @@ references:
 - https://twitter.com/hakluke/status/1587733971814977537/photo/1
 - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
 author: Florian Roth (Nextron Systems)
-date: 2022/11/03
-modified: 2024/02/02
+date: 2022-11-03
+modified: 2024-02-02
 tags:
 - attack.exfiltration
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1567
 - attack.t1568.002
 - attack.t1572
diff --git a/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml b/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml
index 954d0a76361..c1d89c1abdd 100644
--- a/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/mttaggart/OffensiveNotion
 - https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
 author: Gavin Knapp
-date: 2023/05/03
+date: 2023-05-03
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 logsource:
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_domain_portmap.yml b/rules/windows/network_connection/net_connection_win_domain_portmap.yml
index fe10804fd7a..b5650a472ab 100644
--- a/rules/windows/network_connection/net_connection_win_domain_portmap.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_portmap.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/rapid7/metasploit-framework/issues/11337
 - https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
 author: Florian Roth (Nextron Systems)
-date: 2024/05/31
+date: 2024-05-31
 tags:
 - attack.t1041
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.002
 - attack.exfiltration
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml
index 2a97eba532c..103832d2f5d 100644
--- a/rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml
@@ -5,9 +5,9 @@ description: Detects an a non-browser process interacting with the Telegram API
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/19
+date: 2023-05-19
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 logsource:
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml b/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml
index 64c07283510..1c5a7826e81 100644
--- a/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml
@@ -15,7 +15,7 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://cydefops.com/vscode-data-exfiltration
 author: Kamran Saifullah
-date: 2023/11/20
+date: 2023-11-20
 tags:
 - attack.exfiltration
 - attack.t1567.001
diff --git a/rules/windows/network_connection/net_connection_win_eqnedt.yml b/rules/windows/network_connection/net_connection_win_eqnedt.yml
index eaaa6135467..b5281ab49e1 100755
--- a/rules/windows/network_connection/net_connection_win_eqnedt.yml
+++ b/rules/windows/network_connection/net_connection_win_eqnedt.yml
@@ -7,8 +7,8 @@ references:
 - https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
 - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
 author: Max Altgelt (Nextron Systems)
-date: 2022/04/14
-modified: 2024/05/31
+date: 2022-04-14
+modified: 2024-05-31
 tags:
 - attack.execution
 - attack.t1203
diff --git a/rules/windows/network_connection/net_connection_win_imewdbld.yml b/rules/windows/network_connection/net_connection_win_imewdbld.yml
index 9fd3669665b..6da3034e262 100644
--- a/rules/windows/network_connection/net_connection_win_imewdbld.yml
+++ b/rules/windows/network_connection/net_connection_win_imewdbld.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
 - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
 author: frack113
-date: 2022/01/22
-modified: 2023/11/09
+date: 2022-01-22
+modified: 2023-11-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_notepad.yml b/rules/windows/network_connection/net_connection_win_notepad.yml
index e7c6138f752..eba8e4b2108 100644
--- a/rules/windows/network_connection/net_connection_win_notepad.yml
+++ b/rules/windows/network_connection/net_connection_win_notepad.yml
@@ -9,12 +9,12 @@ references:
 - https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
 - https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
 author: EagleEye Team
-date: 2020/05/14
-modified: 2024/02/02
+date: 2020-05-14
+modified: 2024-02-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
index 267e3a11f02..5104cbdf952 100644
--- a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
+++ b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml
@@ -9,8 +9,8 @@ references:
 - https://corelight.com/blog/detecting-cve-2021-42292
 - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/11/10
-modified: 2024/07/02
+date: 2021-11-10
+modified: 2024-07-02
 tags:
 - attack.execution
 - attack.t1203
diff --git a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
index f4857d9c41e..17b78e6749f 100644
--- a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
@@ -5,11 +5,11 @@ description: Detects an office suit application (Word, Excel, PowerPoint, Outloo
 references:
 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/12
-modified: 2024/07/02
+date: 2023-07-12
+modified: 2024-07-02
 tags:
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.defense-evasion
+ - attack.command-and-control
 logsource:
 category: network_connection
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml
index 5312bbe489c..6053c2409b3 100644
--- a/rules/windows/network_connection/net_connection_win_python.yml
+++ b/rules/windows/network_connection/net_connection_win_python.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
 - https://pypi.org/project/scapy/
 author: frack113
-date: 2021/12/10
-modified: 2023/09/07
+date: 2021-12-10
+modified: 2023-09-07
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
index 9c7f596890b..d481ed71e37 100644
--- a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis
-date: 2019/05/15
-modified: 2024/02/09
+date: 2019-05-15
+modified: 2024-02-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 - car.2013-07-002
 logsource:
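Review bot: After the office-uncommon-ports hunk the rule carries only the two tactic tags `attack.defense-evasion` and `attack.command-and-control`, so any alert routing, dashboard or allowlist keyed on the old underscore spellings (`attack.defense_evasion`, `attack.command_and_control`) stops matching this rule without raising an error. Because the rule has no technique tag at all, a consumer that filters by technique gets nothing for it either way; adding the intended technique (T1571 Non-Standard Port appears to fit an office application connecting to uncommon ports, but confirm against the `detection:` block, which is outside the hunk) would make the rule discoverable independently of the tactic-tag spelling. For the rest of the repository, a compatibility map from old to new tactic tags in the pipeline, or a CI check that no `attack.<tactic>` tag with an underscore remains, would catch stragglers that this mechanical rename missed.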
diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
index b570a67a44c..d6880ddf085 100755
--- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
@@ -5,12 +5,12 @@ description: Detects svchost hosting RDP termsvcs communicating with the loopbac
 references:
 - https://twitter.com/cyb3rops/status/1096842275437625346
 author: Samir Bousseaden
-date: 2019/02/16
-modified: 2024/03/12
+date: 2019-02-16
+modified: 2024-03-12
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_rdp_to_http.yml b/rules/windows/network_connection/net_connection_win_rdp_to_http.yml
index 622013fd352..77e2fb64fd0 100644
--- a/rules/windows/network_connection/net_connection_win_rdp_to_http.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_to_http.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
 - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
 author: Florian Roth (Nextron Systems)
-date: 2022/04/29
-modified: 2022/07/14
+date: 2022-04-29
+modified: 2022-07-14
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml b/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml
index d7ed1e67816..9e8f31ad41f 100644
--- a/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml
@@ -7,9 +7,9 @@ references:
 - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
 - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
 author: frack113
-date: 2024/04/25
+date: 2024-04-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.009
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
index 1a4c8601e37..5dbeb025249 100644
--- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
@@ -6,12 +6,12 @@ references:
 - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
 - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
 author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-modified: 2023/09/18
+date: 2019-10-25
+modified: 2023-09-18
 tags:
 - attack.execution
 - attack.t1559.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
index e5dbfcfbd49..d00b4686ae9 100755
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -5,10 +5,10 @@ description: Detects a rundll32 that communicates with public IP addresses
 references:
 - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/11/04
-modified: 2024/03/13
+date: 2017-11-04
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 - attack.execution
 logsource:
diff --git a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
index 6e69126ad01..3899bdcfc14 100644
--- a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
@@ -5,8 +5,8 @@ description: Detects a possible remote connections to Silenttrinity c2
 references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
 author: Kiran kumar s, oscd.community
-date: 2020/10/11
-modified: 2022/10/05
+date: 2020-10-11
+modified: 2022-10-05
 tags:
 - attack.execution
 - attack.t1127.001
diff --git a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
index 7705c88ce33..e262eb9d2a3 100644
--- a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
@@ -5,9 +5,9 @@ description: Detects suspicious network connections made by a well-known Windows
 references:
 - https://redcanary.com/blog/raspberry-robin/
 author: Florian Roth (Nextron Systems)
-date: 2022/07/03
+date: 2022-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: network_connection
 product: windows
diff --git a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
index f9377998510..5e44c393396 100644
--- a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
@@ -2,7 +2,7 @@ title: Network Communication Initiated To File Sharing Domains From Process Loca
 id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
 related:
 - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
 references:
@@ -12,10 +12,10 @@ references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2018/08/30
-modified: 2024/05/31
+date: 2018-08-30
+modified: 2024-05-31
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml b/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
index 3783590d96a..9de239a105c 100644
--- a/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2017/03/19
-modified: 2024/05/31
+date: 2017-03-19
+modified: 2024-05-31
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml b/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml
index 43f89f0cacf..c4ca683a0e0 100644
--- a/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml
@@ -9,11 +9,11 @@ description: |
 references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems)
-date: 2017/03/19
-modified: 2024/03/12
+date: 2017-03-19
+modified: 2024-03-12
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1571
 logsource:
 category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml b/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml
index 348cce37269..50c9e76f627 100644
--- a/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml
@@ -8,11 +8,11 @@ description: Detects programs that connect to uncommon destination ports
 references:
     - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems)
-date: 2017/03/19
-modified: 2024/03/12
+date: 2017-03-19
+modified: 2024-03-12
 tags:
     - attack.persistence
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1571
 logsource:
     category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
index 59a4e0243cf..46380d22f7d 100755
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
@@ -9,12 +9,12 @@ description: |
 references:
     - https://github.com/GhostPack/Rubeus
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/24
-modified: 2024/03/15
+date: 2019-10-24
+modified: 2024-03-15
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1558
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1550.003
 logsource:
     category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
index 6f32a2967a1..4297d9aa2b6 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
@@ -5,13 +5,13 @@ description: Detects suspicious connections from Microsoft Sync Center to non-pr
 references:
     - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
-date: 2022/04/28
-modified: 2024/03/12
+date: 2022-04-28
+modified: 2024-03-12
 tags:
     - attack.t1055
     - attack.t1218
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     product: windows
     category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
index 53fbd9b2542..b5ca6e43e58 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
@@ -8,8 +8,8 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
     - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
-date: 2022/01/07
-modified: 2022/09/21
+date: 2022-01-07
+modified: 2022-09-21
 tags:
     - attack.exfiltration
     - attack.t1048.003
diff --git a/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml b/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml
index 82a8222e1c2..19300c97b11 100644
--- a/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml
@@ -7,12 +7,12 @@ description: |
 references:
     - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/09/12
-modified: 2024/02/02
+date: 2019-09-12
+modified: 2024-02-02
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.006
 logsource:
     category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
index 763bdd2cd52..01839c496ed 100644
--- a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
@@ -5,12 +5,12 @@ description: Detects a "winlogon.exe" process that initiate network communicatio
 references:
     - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
 author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-date: 2023/04/28
-modified: 2024/03/12
+date: 2023-04-28
+modified: 2024-03-12
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1218.011
 logsource:
     category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
index cabee0abaac..1bf18ed773e 100644
--- a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
@@ -7,11 +7,11 @@ description: |
 references:
     - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior (Nextron Systems)
-date: 2023/07/12
-modified: 2023/12/15
+date: 2023-07-12
+modified: 2023-12-15
 tags:
-    - attack.defense_evasion
-    - attack.command_and_control
+    - attack.defense-evasion
+    - attack.command-and-control
 logsource:
     category: network_connection
     product: windows
diff --git a/rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml b/rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml
index b1f4b436922..23f9a4f32c1 100644
--- a/rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml
@@ -9,10 +9,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 author: frack113
-date: 2022/08/28
-modified: 2024/05/31
+date: 2022-08-28
+modified: 2024-05-31
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1105
 logsource:
     category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml b/rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml
index 6955acf7cb0..9117d6ba365 100644
--- a/rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml
@@ -8,10 +8,10 @@ description: Detects a script interpreter wscript/cscript opening a network conn
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/08/28
-modified: 2024/03/13
+date: 2022-08-28
+modified: 2024-03-13
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1105
 logsource:
     category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
index 9f88256d418..523e8bff014 100644
--- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
@@ -7,10 +7,10 @@ description: |
 references:
     - https://dtm.uk/wuauclt/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/12
-modified: 2024/03/12
+date: 2020-10-12
+modified: 2024-03-12
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
 logsource:
     category: network_connection
diff --git a/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml b/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml
index e654198f32f..bcfb88b1f39 100644
--- a/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml
+++ b/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml
@@ -9,8 +9,8 @@ references:
     - https://o365blog.com/post/adfs/
     - https://github.com/Azure/SimuLand
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2021/10/08
-modified: 2023/11/30
+date: 2021-10-08
+modified: 2023-11-30
 tags:
     - attack.collection
     - attack.t1005
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
index 6648ba357de..4c9fb5a0ad7 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
@@ -14,11 +14,11 @@ references:
     - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
     - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
 author: Florian Roth (Nextron Systems), Wojciech Lesicki
-date: 2021/05/25
-modified: 2022/10/31
+date: 2021-05-25
+modified: 2022-10-31
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml
index 92d3ffa906a..696f89a8113 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml
@@ -11,11 +11,11 @@ references:
     - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
     - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 author: Florian Roth (Nextron Systems)
-date: 2021/07/30
-modified: 2022/12/31
+date: 2021-07-30
+modified: 2022-12-31
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
index 4fa8cf1a21f..25fa2b5eb5d 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
@@ -11,11 +11,11 @@ references:
     - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
     - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
-date: 2021/07/30
-modified: 2024/01/26
+date: 2021-07-30
+modified: 2024-01-26
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055
     - stp.1k
 logsource:
diff --git a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
index 950af41ab7f..9773510d21e 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
@@ -6,10 +6,10 @@ references:
     - https://blog.hackvens.fr/articles/CoercedPotato.html
     - https://github.com/hackvens/CoercedPotato
 author: Florian Roth (Nextron Systems)
-date: 2023/10/11
+date: 2023-10-11
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml
index aa9a5eec263..4f0eccd5293 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml
@@ -5,10 +5,10 @@ description: Detects creation of default named pipe used by the DiagTrackEoP POC
 references:
     - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/03
-modified: 2023/08/07
+date: 2022-08-03
+modified: 2023-08-07
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: windows
     category: pipe_created
diff --git a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
index 6cde19667ef..fd269f15d2e 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
@@ -6,11 +6,11 @@ references:
     - https://twitter.com/SBousseaden/status/1429530155291193354?s=20
     - https://github.com/zcgonvh/EfsPotato
 author: Florian Roth (Nextron Systems)
-date: 2021/08/23
-modified: 2023/12/21
+date: 2021-08-23
+modified: 2023-12-21
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml b/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
index abf6b6a52ba..43c21739758 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
@@ -6,10 +6,10 @@ references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
     - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/11/01
-modified: 2023/08/07
+date: 2019-11-01
+modified: 2023-08-07
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
     - attack.t1003.002
     - attack.t1003.004
diff --git a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
index 59a901f45ce..d0e50988d39 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
@@ -5,11 +5,11 @@ description: Detects creation of default named pipes used by the Koh tool
 references:
     - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/08
-modified: 2023/08/07
+date: 2022-07-08
+modified: 2023-08-07
 tags:
-    - attack.privilege_escalation
-    - attack.credential_access
+    - attack.privilege-escalation
+    - attack.credential-access
     - attack.t1528
     - attack.t1134.001
 logsource:
diff --git a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
index a94d7d66bfa..72e24f9b52d 100644
--- a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml
@@ -9,8 +9,8 @@ references:
     - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
     - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
-date: 2019/09/12
-modified: 2023/10/18
+date: 2019-09-12
+modified: 2023-10-18
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml
index bbaaa695242..79c3a26baf3 100644
--- a/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml
@@ -9,8 +9,8 @@ references:
     - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
     - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/09/12
-modified: 2023/11/30
+date: 2019-09-12
+modified: 2023-11-30
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml
index 0de5e667822..0a54de8d086 100644
--- a/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml
@@ -2,17 +2,17 @@ title: PUA - CSExec Default Named Pipe
 id: f318b911-ea88-43f4-9281-0de23ede628e
 related:
     - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects default CSExec pipe creation
 references:
     - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
     - https://github.com/malcomvetter/CSExec
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/07
-modified: 2023/11/30
+date: 2023-08-07
+modified: 2023-11-30
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
     - attack.execution
     - attack.t1569.002
diff --git a/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml
index a892c04f1fc..eb71923d502 100644
--- a/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md
     - https://github.com/poweradminllc/PAExec
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/26
+date: 2022-10-26
 tags:
     - attack.execution
     - attack.t1569.002
diff --git a/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml b/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml
index f67e262027d..a443d1d35c0 100644
--- a/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml
@@ -2,17 +2,17 @@ title: PUA - RemCom Default Named Pipe
 id: d36f87ea-c403-44d2-aa79-1a0ac7c24456
 related:
     - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects default RemCom pipe creation
 references:
     - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
     - https://github.com/kavika13/RemCom
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/07
-modified: 2023/11/30
+date: 2023-08-07
+modified: 2023-11-30
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
     - attack.execution
     - attack.t1569.002
diff --git a/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml
index 0f67a0112c2..c6f56ca33e8 100644
--- a/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml
+++ b/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml
@@ -5,8 +5,8 @@ description: Detects the WMI Event Consumer service scrcons.exe creating a named
 references:
     - https://github.com/RiccardoAncarani/LiquidSnake
 author: Florian Roth (Nextron Systems)
-date: 2021/09/01
-modified: 2023/11/30
+date: 2021-09-01
+modified: 2023-11-30
 tags:
     - attack.t1047
     - attack.execution
diff --git a/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml b/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml
index 0dbc9a1322b..5b59086a037 100644
--- a/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml
+++ b/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml
@@ -16,11 +16,11 @@ references:
     - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
     - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
-date: 2017/11/06
-modified: 2023/08/07
+date: 2017-11-06
+modified: 2023-08-07
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
index f0c2647aa12..7283f7dc412 100644
--- a/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
+++ b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml
@@ -9,8 +9,8 @@ references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/04
-modified: 2023/09/20
+date: 2022-08-04
+modified: 2023-09-20
 tags:
     - attack.execution
     - attack.t1569.002
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
index d9eca12c881..b932cc27792 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
@@ -8,8 +8,8 @@ description: Detects a powershell download cradle using nslookup. This cradle us
 references:
     - https://twitter.com/Alh4zr3d/status/1566489367232651264
 author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
-date: 2022/12/10
-modified: 2023/10/27
+date: 2022-12-10
+modified: 2023-10-27
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
index bfa26c5d151..b56f9a71421 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
@@ -6,8 +6,8 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
     - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
 author: frack113
-date: 2021/06/03
-modified: 2023/10/27
+date: 2021-06-03
+modified: 2023-10-27
 tags:
     - attack.impact
     - attack.t1490
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index 64c6ba91956..5cdf48d1f25 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -5,10 +5,10 @@ description: Detects PowerShell downgrade attack by comparing the host versions
 references:
     - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
-date: 2017/03/22
-modified: 2023/10/27
+date: 2017-03-22
+modified: 2023-10-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
     - attack.t1059.001
 logsource:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index 33e8e6c726e..ff8dcf7b8d3 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -5,10 +5,10 @@ description: Detects PowerShell called from an executable by the version mismatc
 references:
     - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2023/10/27
+date: 2017-03-05
+modified: 2023-10-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
     - attack.t1059.001
 logsource:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
index 77bb134ef21..22f331217cd 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
@@ -10,10 +10,10 @@ references:
     - https://github.com/besimorhino/powercat
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
 author: frack113
-date: 2021/07/21
-modified: 2023/10/27
+date: 2021-07-21
+modified: 2023-10-27
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1095
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
index fed0599dc0f..98d6a90b42e 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
@@ -8,12 +8,12 @@ description: Detects remote PowerShell sessions
 references:
     - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/10
-modified: 2024/01/03
+date: 2019-08-10
+modified: 2024-01-03
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.006
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml
index a3519da4bd6..3194b0bf0a5 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml
@@ -13,10 +13,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
     - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/07/13
-modified: 2023/05/09
+date: 2021-07-13
+modified: 2023-05-09
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index b60b0031e9b..44700a9376b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -5,8 +5,8 @@ description: Detects renamed powershell
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Harish Segar, frack113
-date: 2020/06/29
-modified: 2023/10/27
+date: 2020-06-29
+modified: 2023-10-27
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
index fbda1dbb9c0..012d059f0b2 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
@@ -8,8 +8,8 @@ description: Detects suspicious PowerShell download command
 references:
     - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
 author: Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2023/10/27
+date: 2017-03-05
+modified: 2023-10-27
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
index 8b92aee5190..983de0d924b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
@@ -5,8 +5,8 @@ description: Adversaries may attempt to get a listing of network connections to
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
 author: frack113
-date: 2021/12/10
-modified: 2023/10/27
+date: 2021-12-10
+modified: 2023-10-27
 tags:
     - attack.discovery
     - attack.t1049
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
index d2e570ff584..48299f21774 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
@@ -15,8 +15,8 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
     - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2021/07/20
-modified: 2023/12/18
+date: 2021-07-20
+modified: 2023-12-18
 tags:
     - attack.collection
     - attack.t1074.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
index 2738c82cd10..27851bd1bb5 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
@@ -8,10 +8,10 @@ description: Attempting to disable scheduled scanning and other parts of Windows
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/06/07
-modified: 2024/01/02
+date: 2021-06-07
+modified: 2024-01-02
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
index 46601476bdc..3ce5fb0c8eb 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
@@ -7,12 +7,12 @@ references:
     - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
     - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/24
-modified: 2023/10/27
+date: 2020-06-24
+modified: 2023-10-27
 tags:
     - attack.execution
     - attack.t1059.001
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.003
 logsource:
     product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index 5049ca66997..c54a451470b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -5,8 +5,8 @@ description: Detects suspicious powershell process which includes bxor command,
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
 author: Teymur Kheirkhabarov, Harish Segar (rule)
-date: 2020/06/29
-modified: 2023/10/27
+date: 2020-06-29
+modified: 2023-10-27
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
index c3a3cb8ede5..4e0014adb9b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml
@@ -12,7 +12,7 @@ references:
 - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2023/01/22
+date: 2023-01-22
 tags:
 - attack.reconnaissance
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index c0168b529d2..e9463f1d93c 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -5,8 +5,8 @@ description: Detects alternate PowerShell hosts potentially bypassing detections
 references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/11
-modified: 2022/12/13
+date: 2019-08-11
+modified: 2022-12-13
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index 5b57f422def..7b09772124e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -13,8 +13,8 @@ references:
 - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
 - https://www.mdeditor.tw/pl/pgRt
 author: 'ok @securonix invrep_de, oscd.community'
-date: 2020/10/09
-modified: 2022/12/25
+date: 2020-10-09
+modified: 2022-12-25
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index 6e5e09e3e20..9c3786d0f71 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -8,10 +8,10 @@ description: Detects keywords that could indicate clearing PowerShell history
 references:
 - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
 author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/25
-modified: 2022/12/02
+date: 2019-10-25
+modified: 2022-12-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
index 638b59f898a..d32d2da4344 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/8
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/12/25
+date: 2020-05-02
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
index 091b8e453dd..d8f72dc8cde 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
@@ -4,7 +4,7 @@ related:
 - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
 type: similar
 - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
 references:
@@ -26,8 +26,8 @@ references:
 - https://github.com/DarkCoderSc/PowerRunAsSystem/
 - https://github.com/besimorhino/powercat
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/23
-modified: 2024/01/25
+date: 2023-01-23
+modified: 2024-01-25
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
index 372a274b5a6..cf3587a59dd 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
@@ -6,9 +6,9 @@ references:
 - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
 - https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
 author: Florian Roth (Nextron Systems)
-date: 2022/03/16
+date: 2022-03-16
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index 12c523d36c6..b522bfc412f 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/01/04
+date: 2020-05-02
+modified: 2023-01-04
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml
index 26964ffb071..2a5248dfb6d 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
 - https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/25
+date: 2024-02-25
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 product: windows
 category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index 35f24e169b3..e98b232759a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2024/04/05
+date: 2020-10-13
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index 9b235eb1ae2..c5e142a2048 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -8,10 +8,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-date: 2019/11/08
-modified: 2022/12/31
+date: 2019-11-08
+modified: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index 2c4daaf021b..e3e44252f63 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/05
+date: 2020-10-15
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index b0959c6e6c7..b6a26623b33 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/05
+date: 2020-10-15
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
index e11e2faa124..9aee02152c9 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
index 1ec8d250718..bd9360ea69b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
index 53738e64656..c5347f19d05 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2024/04/05
+date: 2020-10-12
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
index e78c5e3a712..79bc122e438 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2024/04/05
+date: 2020-10-09
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
index 5984513a787..940888d109f 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/08
-modified: 2023/01/04
+date: 2020-10-08
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
index 9b2d8a2e093..158e22d3259 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009
 author: Nikita Nazarov, oscd.community
-date: 2019/10/08
-modified: 2022/11/29
+date: 2019-10-08
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
index b8c764d3a92..e6d4d3f880b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
@@ -8,10 +8,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2024/04/05
+date: 2020-10-13
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
index 03375b4ec88..45dddc69564 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
@@ -27,8 +27,8 @@ references:
 - https://github.com/adrecon/ADRecon
 - https://github.com/adrecon/AzureADRecon
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/20
-modified: 2024/01/25
+date: 2023-01-20
+modified: 2024-01-25
 tags:
 - attack.execution
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
index ca747ba77c9..ddc9fe3a515 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
@@ -5,12 +5,12 @@ description: Detects remote PowerShell sessions
 references:
 - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
-date: 2019/08/10
-modified: 2023/01/20
+date: 2019-08-10
+modified: 2023-01-20
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
index c5b7cae9831..636653cc3ec 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
@@ -13,10 +13,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2021/07/13
-modified: 2023/05/09
+date: 2021-07-13
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
index 464b4218d17..b7554b77310 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
-date: 2021/12/15
-modified: 2023/01/20
+date: 2021-12-15
+modified: 2023-01-20
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
index c9731f4b999..0c18c449a31 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
 - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
 author: Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2023/01/20
+date: 2017-03-05
+modified: 2023-01-20
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
index 356d6022033..11a53006dc8 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
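Review bot: In the posh_pm_susp_ad_group_reco hunk the context tag `- attack.t1069.001` (Permission Groups Discovery: Local Groups) disagrees with the rule's only reference, the atomic for T1069.002 (Domain Groups), and with the rule name itself; the date change carries that mismatch forward unchanged. Presumably the intended tag is `- attack.t1069.002`, a one-line change that also corrects the ATT&CK mapping derived from the tags. The rule's detection section lies outside the hunk, so this is inferred from the metadata only and should be confirmed against the selection logic.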
@@ -5,8 +5,8 @@ description: Adversaries may attempt to get a listing of network connections to references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell author: frack113 -date: 2021/12/10 -modified: 2022/12/02 +date: 2021-12-10 +modified: 2022-12-02 tags: - attack.discovery - attack.t1049 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 9859cbf492a..20e1295f717 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml @@ -10,8 +10,8 @@ description: Detects suspicious PowerShell invocation command parameters references: - Internal Research author: Florian Roth (Nextron Systems) -date: 2017/03/12 -modified: 2023/01/03 +date: 2017-03-12 +modified: 2023-01-03 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index 1d4efbe0458..43295b3fafa 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml @@ -2,7 +2,7 @@ title: Suspicious PowerShell Invocations - Specific - PowerShell Module id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 related: - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: obsoletes + type: obsolete - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 type: similar - id: 536e2947-3729-478c-9903-745aaffe60d2 
@@ -12,8 +12,8 @@ description: Detects suspicious PowerShell invocation command parameters
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
-date: 2017/03/05
-modified: 2023/01/05
+date: 2017-03-05
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
index 4d8c034ea48..75ce90e6d12 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: frack113
-date: 2021/12/12
-modified: 2022/12/25
+date: 2021-12-12
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
index ae4146ecd9e..0bf434c52db 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
@@ -8,9 +8,9 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: frack113
-date: 2022/02/21
+date: 2022-02-21
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1078
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
index 768222f8c23..274c237f43f 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
-date: 2021/12/15
-modified: 2022/12/02
+date: 2021-12-15
+modified: 2022-12-02
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
index 8ef177de6c4..0f2590b09ae 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
@@ -15,8 +15,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2021/07/20
-modified: 2023/12/18
+date: 2021-07-20
+modified: 2023-12-18
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
index f5ec9eb4f3a..055c015eb46 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
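Review bot: In the posh_pm_susp_smb_share_reco hunk the context tag `- attack.t1069.001` (Local Groups) does not match the rule's sole reference, the atomic for T1069.002 (Domain Groups), and SMB share enumeration is normally mapped to T1135 (Network Share Discovery) rather than to Permission Groups Discovery at all; the date change leaves the questionable tag in place. The rule's detection section is outside the hunk, so the right technique should be confirmed against the selection logic and the tag corrected to `- attack.t1135` or `- attack.t1069.002` accordingly.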
@@ -10,10 +10,10 @@ description: Detects SyncAppvPublishingServer process execution which usually ut
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
-date: 2020/10/05
-modified: 2022/12/02
+date: 2020-10-05
+modified: 2022-12-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
index df3893d2b41..1d100d37021 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
@@ -9,12 +9,12 @@ references:
 - https://o365blog.com/aadinternals/
 - https://github.com/Gerenios/AADInternals
 author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/23
+date: 2022-12-23
 tags:
 - attack.execution
 - attack.reconnaissance
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.impact
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
index 8f8c411ef61..502c190eff9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
@@ -2,7 +2,7 @@ title: Access to Browser Login Data
 id: fc028194-969d-4122-8abe-0470d5b8f12f
 related:
 - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
- type: obsoletes
+ type: obsolete
 - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
 type: similar
 status: test
@@ -13,9 +13,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
 author: frack113
-date: 2022/01/30
+date: 2022-01-30
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
index 25c9abb2ac6..5b9befc36b8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml
@@ -12,7 +12,7 @@ references:
 - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
 author: frack113, Nasreddine Bencherchali
-date: 2023/01/22
+date: 2023-01-22
 tags:
 - attack.reconnaissance
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
index 2cb5b6a8c42..1d5556964f6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
@@ -8,8 +8,8 @@ references:
 - https://twitter.com/NathanMcNulty/status/1569497348841287681
 - https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
 author: Borna Talebi
-date: 2021/09/14
-modified: 2022/10/09
+date: 2021-09-14
+modified: 2022-10-09
 tags:
 - attack.impact
 - attack.t1565
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
index 58f21aee39d..d5dd3b75b01 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
 - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/22
-modified: 2023/05/09
+date: 2023-01-22
+modified: 2023-05-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
index 19ff119b495..2765eb5ff2b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
 - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
 author: Bhabesh Raj
-date: 2021/07/16
-modified: 2022/09/06
+date: 2021-07-16
+modified: 2022-09-06
 tags:
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
index 88b5a7ee2cc..c9f3c473ad1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
@@ -6,9 +6,9 @@ references:
 - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
 - https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
 author: Florian Roth (Nextron Systems)
-date: 2022/11/09
+date: 2022-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 - attack.execution
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
index 7973d890ca6..cd0093f3309 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
@@ -8,10 +8,10 @@ description: Detects usage of special strings/null bits in order to potentially
 references:
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/04
-modified: 2023/05/09
+date: 2023-01-04
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
index 4460862a957..1f6492137d1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
@@ -5,12 +5,12 @@ description: Detects Silence EmpireDNSAgent as described in the Group-IP report references: - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf author: Alina Stepchenkova, Group-IB, oscd.community -date: 2019/11/01 -modified: 2023/04/03 +date: 2019-11-01 +modified: 2023-04-03 tags: - attack.execution - attack.t1059.001 - - attack.command_and_control + - attack.command-and-control - attack.t1071.004 - attack.t1572 - attack.impact diff --git a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml index f664d84bfb5..3f6ae24d2a8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/ author: frack113 -date: 2022/03/17 +date: 2022-03-17 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml index eddd5f9c470..44f2ee0c26e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml @@ -5,7 +5,7 @@ description: Detects potential exfiltration attempt via audio file using PowerSh references: - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/16 +date: 2023-01-16 tags: - attack.exfiltration logsource: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml index f08297092d9..0b3358a8fec 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml @@ -5,8 +5,8 @@ description: Once established within a system or network, an adversary may use a references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md author: frack113 -date: 2021/07/28 -modified: 2022/12/25 +date: 2021-07-28 +modified: 2022-12-25 tags: - attack.collection - attack.t1119 diff --git a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml index c58fbaacea2..5edb0360f84 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml @@ -7,8 +7,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen author: frack113 -date: 2021/12/28 -modified: 2022/07/07 +date: 2021-12-28 +modified: 2022-07-07 tags: - attack.collection - attack.t1113 diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml index bcf979e40e3..508ec7b6de7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml 
@@ -8,10 +8,10 @@ description: Detects keywords that could indicate clearing PowerShell history references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community -date: 2022/01/25 -modified: 2022/12/02 +date: 2022-01-25 +modified: 2022-12-02 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml index 1f131eaf9b3..ca0993df1bb 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml @@ -7,10 +7,10 @@ references: - https://www.shellhacks.com/clear-history-powershell/ - https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics author: Austin Songer @austinsonger -date: 2021/11/25 -modified: 2022/12/25 +date: 2021-11-25 +modified: 2022-12-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070 - attack.t1070.003 logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml index 09a89d40e3a..8bf8d45ec6f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task author: frack113 -date: 2021/12/28 +date: 2021-12-28 tags: - attack.persistence - attack.t1053.005 diff --git a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml index 9d0735a99ca..256a31a2e5e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml @@ -10,7 +10,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/11/17 +date: 2022-11-17 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml index 3ef60efa8c2..7619adb069d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml 
@@ -5,10 +5,10 @@ description: Uses PowerShell to install/copy a file into a system directory such references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2021/12/27 -modified: 2024/01/22 +date: 2021-12-27 +modified: 2024-01-22 tags: - - attack.credential_access + - attack.credential-access - attack.t1556.002 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml index 4b77b059141..5698717009e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml @@ -10,7 +10,7 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler author: frack113 -date: 2021/12/30 +date: 2021-12-30 tags: - attack.persistence - attack.t1574.012 diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml index 1a61b9f010f..d4006e0c095 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml @@ -5,8 +5,8 @@ description: Detects creation of a local user via PowerShell references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md author: '@ROxPinTeddy' -date: 2020/04/11 -modified: 2022/12/25 +date: 2020-04-11 +modified: 2022-12-25 tags: - attack.execution - attack.t1059.001 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml index a80a8b0c440..40ffef90be3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml @@ -6,9 +6,9 @@ references: - https://attack.mitre.org/datasources/DS0005/ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 author: frack113 -date: 2022/01/12 +date: 2022-01-12 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml index 06e25930793..5969b4001f0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml @@ -8,10 +8,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md - https://techgenix.com/malicious-powershell-scripts-evade-detection/ author: frack113, Duc.Le-GTSC -date: 2021/08/03 -modified: 2022/03/03 +date: 2021-08-03 +modified: 2022-03-03 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1497.001 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml index a5b94198be2..5e74c9db979 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml 
@@ -5,7 +5,7 @@ description: Enumerates Active Directory to determine computers that are joined references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher author: frack113 -date: 2022/02/12 +date: 2022-02-12 tags: - attack.discovery - attack.t1018 diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml index a3b95a5ed7e..84c43caf4b4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml @@ -8,7 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 author: frack113 -date: 2021/12/28 +date: 2021-12-28 tags: - attack.persistence - attack.t1136.002 diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml index 1c001b47cb5..16ef6d8a0ab 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml 
@@ -5,9 +5,9 @@ description: Detects scripts or commands that disabled the Powershell command hi references: - https://twitter.com/DissectMalware/status/1062879286749773824 author: Ali Alwashali -date: 2022/08/21 +date: 2022-08-21 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml index bac28693fab..549bdc9634f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml @@ -8,9 +8,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md - https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps author: frack113 -date: 2022/09/10 +date: 2022-09-10 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml index 5560c705ac6..42ff73e0159 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml @@ -5,9 +5,9 @@ description: Detects usage of "Reflection.Assembly" load functions to dynamicall references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50 author: frack113 -date: 2022/12/25 +date: 2022-12-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1620 logsource: product: windows 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml index 9b7fcf1e28e..33e7ff77b2a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml @@ -9,9 +9,9 @@ references: - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57 author: frack113 -date: 2022/12/25 +date: 2022-12-25 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml index 79c8344b7a8..3e53dbe855e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml @@ -10,7 +10,7 @@ description: | references: - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 author: Nasreddine Bencherchali (Nextron Systems) -date: 2024/06/26 +date: 2024-06-26 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml index 182a9dd0702..f53ba1e5fe2 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml 
@@ -7,10 +7,10 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md author: frack113 -date: 2021/12/20 -modified: 2022/12/25 +date: 2021-12-20 +modified: 2022-12-25 tags: - - attack.credential_access + - attack.credential-access - attack.t1555 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml index 69582d08a84..5155106b384 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml @@ -6,9 +6,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 author: frack113 -date: 2022/01/07 +date: 2022-01-07 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.006 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml index 96cd0f46c81..f0d5f0203f5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml 
@@ -12,10 +12,10 @@ references: - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system - https://learn.microsoft.com/en-us/windows/wsl/install-on-server author: frack113 -date: 2022/09/10 -modified: 2022/12/29 +date: 2022-09-10 +modified: 2022-12-29 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml index 3217f716d81..50c81e0f6eb 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml @@ -7,10 +7,10 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md author: frack113 -date: 2021/12/20 -modified: 2022/12/25 +date: 2021-12-20 +modified: 2022-12-25 tags: - - attack.credential_access + - attack.credential-access - attack.t1555 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml index 58c82cffef0..73a9f778e7c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml 
@@ -8,10 +8,10 @@ description: Detects usage of powershell cmdlets to disable or remove ETW trace references: - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/28 -modified: 2022/11/25 +date: 2022-06-28 +modified: 2022-11-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1070 - attack.t1562.006 - car.2016-04-002 diff --git a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml index c5db18fcb04..67c4f256669 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml @@ -5,7 +5,7 @@ description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMT references: - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/10/26 +date: 2022-10-26 tags: - attack.exfiltration logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml b/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml index b2c88e84a53..06664b1cdd1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml 
@@ -10,10 +10,10 @@ references: - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html author: Florian Roth (Nextron Systems) -date: 2021/04/23 -modified: 2023/05/18 +date: 2021-04-23 +modified: 2023-05-18 tags: - - attack.credential_access + - attack.credential-access - attack.t1552.004 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml index d43feb7e115..7c3ad03b14b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml @@ -8,9 +8,9 @@ description: Detects attempts of decoding a base64 Gzip archive in a PowerShell references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 author: frack113 -date: 2022/12/23 +date: 2022-12-23 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1132.001 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml index 59cfec8772d..fccff1d2fdc 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 author: frack113 -date: 2021/12/30 +date: 2021-12-30 tags: - attack.persistence - attack.t1574.011 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml index c33ca7f3638..28aceb18ed9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml @@ -7,8 +7,8 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md author: frack113 -date: 2022/03/17 -modified: 2023/07/08 +date: 2022-03-17 +modified: 2023-07-08 tags: - attack.discovery - attack.t1018 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml index d0776b6d126..7f366216229 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml @@ -5,8 +5,8 @@ description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups withi references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md author: frack113 -date: 2022/03/17 -modified: 2022/11/17 +date: 2022-03-17 +modified: 2022-11-17 tags: - attack.discovery - attack.t1069.002 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml index df694491277..8e20acd0fd9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml 
@@ -8,9 +8,9 @@ references: - https://www.powershellgallery.com/packages/DSInternals - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount author: frack113 -date: 2022/02/06 +date: 2022-02-06 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.006 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml index 0b0acc4b2df..dd63a2504ef 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml @@ -8,8 +8,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113 -date: 2021/12/13 -modified: 2022/12/25 +date: 2021-12-13 +modified: 2022-12-25 tags: - attack.discovery - attack.t1217 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml index ec9455f00fa..118cfd53206 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml @@ -7,8 +7,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems) -date: 2021/12/16 -modified: 2023/10/24 +date: 2021-12-16 +modified: 2023-10-24 tags: - attack.discovery - attack.t1518.001 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml index 60528cd72c7..1c525bf0d5f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml @@ -10,12 +10,12 @@ references: - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html - https://github.com/GhostPack/Rubeus author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) -date: 2023/04/27 +date: 2023-04-27 tags: - - attack.credential_access + - attack.credential-access - attack.t1003 - attack.t1558.003 - - attack.lateral_movement + - attack.lateral-movement - attack.t1550.003 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml index 22994a2e658..b2ac4e5772d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml @@ -7,7 +7,7 @@ status: experimental description: | Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. author: Swachchhanda Shrawan Poudel -date: 2023/12/04 +date: 2023-12-04 references: - https://github.com/S3cur3Th1sSh1t/WinPwn - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841 
@@ -15,11 +15,11 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team tags: - - attack.credential_access - - attack.defense_evasion + - attack.credential-access + - attack.defense-evasion - attack.discovery - attack.execution - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1046 - attack.t1082 - attack.t1106 diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml index cd22c1aed0b..17de4eaa465 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml @@ -5,7 +5,7 @@ description: Detects call to "Win32_QuickFixEngineering" in order to enumerate i references: - https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/21 +date: 2022-06-21 tags: - attack.discovery logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml index 298c852d149..a07d5087dc3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml @@ -5,8 +5,8 @@ description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp author: 'Bartlomiej Czyz @bczyz1, oscd.community' -date: 2020/10/10 -modified: 2022/12/25 +date: 2020-10-10 +modified: 2022-12-25 tags: - attack.exfiltration - attack.t1048.003 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml index 2d4a229c484..c4bc3e0cdb0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml @@ -8,8 +8,8 @@ description: Detects powershell scripts that import modules from suspicious dire references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/07 -modified: 2023/01/10 +date: 2022-07-07 +modified: 2023-01-10 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml index 3a102abf4dc..01e1b815423 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml @@ -9,10 +9,10 @@ references: - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package - https://twitter.com/WindowsDocs/status/1620078135080325122 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/31 +date: 2023-01-31 tags: - attack.persistence - - attack.defense_evasion + - attack.defense-evasion logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml index 9171a83ae17..4b601118a25 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml 
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
 author: frack113
-date: 2022/01/07
+date: 2022-01-07
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
index d11c2be8798..bfafe53e6b5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
 - https://github.com/Arno0x/DNSExfiltrator
 author: frack113
-date: 2022/01/07
+date: 2022-01-07
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index b948669e99b..426ffdf1dea 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2024/04/05
+date: 2020-10-13
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index cb348064347..f0ab351d15d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
@@ -5,10 +5,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
-date: 2019/11/08
-modified: 2022/12/31
+date: 2019-11-08
+modified: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 7915effcca7..30647587e4a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/05
+date: 2020-10-15
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index 5a76116cefe..89f2619860c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/05
+date: 2020-10-15
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index 045bc20c0a4..77c4fabb6ea 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
index c2bacdaebd5..afb1a74a41c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/11/29
+date: 2020-10-18
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 3b39dfd4801..d2054c49759 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2024/04/05
+date: 2020-10-12
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index 15d3e29c9dd..30be1457ee7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2024/04/15
+date: 2020-10-09
+modified: 2024-04-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index 1a9c97915c3..d067fb3d352 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/08
-modified: 2022/11/29
+date: 2020-10-08
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
index ffc3ba0e67e..eb45ff619d8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009
 author: Nikita Nazarov, oscd.community
-date: 2019/10/08
-modified: 2022/11/29
+date: 2019-10-08
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index 0f357ea7c60..ce008e13fad 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2024/04/05
+date: 2020-10-13
+modified: 2024-04-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
index 695430b9d42..8a6ee575d1c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
 author: frack113
-date: 2021/07/30
-modified: 2022/07/11
+date: 2021-07-30
+modified: 2022-07-11
 tags:
 - attack.collection
 - attack.t1056.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
index e5a1937eb25..daa33de6cd6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
 author: frack113
-date: 2021/12/28
+date: 2021-12-28
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
index db9d14a311c..560b8df38b7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
@@ -11,7 +11,7 @@ references:
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/26
+date: 2022-10-26
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index c09dd22f05f..c031ddeb6bd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -6,9 +6,9 @@ related:
 - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
 type: similar
 - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
- type: obsoletes
+ type: obsolete
 - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 references:
@@ -31,8 +31,8 @@ references:
 - https://github.com/adrecon/ADRecon
 - https://github.com/adrecon/AzureADRecon
 author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
-date: 2017/03/05
-modified: 2024/01/25
+date: 2017-03-05
+modified: 2024-01-25
 tags:
 - attack.execution
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index 5840887aa54..eb820aa7e5b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -5,8 +5,8 @@ description: Detects keywords from well-known PowerShell exploitation frameworks
 references:
 - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2023/06/20
+date: 2017-03-05
+modified: 2023-06-20
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
index 17198668160..f1d50eef42e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
@@ -5,8 +5,8 @@ description: Detects usage of a PowerShell command to dump the live memory of a
 references:
 - https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
 author: Max Altgelt (Nextron Systems)
-date: 2021/09/21
-modified: 2022/12/25
+date: 2021-09-21
+modified: 2022-12-25
 tags:
 - attack.t1003
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
index e4988d8d0b3..a9ec8b80fa9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
@@ -8,10 +8,10 @@ description: Detect malicious GPO modifications can be used to implement many ot
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
 author: frack113
-date: 2022/08/19
+date: 2022-08-19
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1484.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
index dada94543f8..7e5db6acd3c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
@@ -10,8 +10,8 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
 - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
 author: frack113, MatilJ
-date: 2022/01/19
-modified: 2022/05/19
+date: 2022-01-19
+modified: 2022-05-19
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index e5656f1e924..eb95954f6a4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -5,8 +5,8 @@ description: Detects Commandlet names and arguments from the Nishang exploitatio
 references:
 - https://github.com/samratashok/nishang
 author: Alec Costello
-date: 2019/05/16
-modified: 2023/01/16
+date: 2019-05-16
+modified: 2023-01-16
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index 577a2fa3d97..a711e434d6a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -6,10 +6,10 @@ references:
 - https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
 author: Sami Ruohonen
-date: 2018/07/24
-modified: 2022/12/25
+date: 2018-07-24
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
index fd7d866732f..ca3d9cb76ff 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
 author: frack113
-date: 2021/12/28
+date: 2021-12-28
 tags:
 - attack.persistence
 - attack.t1137.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml b/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml
index cb70c5b3b7e..c79bc329976 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml
@@ -10,9 +10,9 @@ references:
 - https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
 - https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
 author: frack113
-date: 2024/05/12
+date: 2024-05-12
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1040
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
index bf32622be1a..a5ab8dde3f9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
@@ -5,9 +5,9 @@ description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a
 references:
 - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/28
+date: 2022-09-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
index 6c8009e0f8a..cfecbf06f19 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
@@ -11,8 +11,8 @@ references:
 - https://thedfirreport.com/2020/10/08/ryuks-return
 - https://adsecurity.org/?p=2277
 author: Bhabesh Raj
-date: 2021/05/18
-modified: 2023/11/22
+date: 2021-05-18
+modified: 2023-11-22
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index b8aa7b5980e..7514d977004 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/JohnLaTwC/status/850381440629981184
 - https://t.co/ezOTGy1a1G
 author: John Lambert (idea), Florian Roth (Nextron Systems)
-date: 2017/04/09
-modified: 2022/12/25
+date: 2017-04-09
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.execution
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
index 2e9ee1d894f..ca870a18c56 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
@@ -5,7 +5,7 @@ description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell w
 references:
 - https://github.com/JoelGMSec/PSAsyncShell
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/04
+date: 2022-10-04
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index d7d673c6b87..0c9a503d4da 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -5,8 +5,8 @@ description: Detects the use of PSAttack PowerShell hack tool
 references:
 - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2022/12/25
+date: 2017-03-05
+modified: 2022-12-25
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
index 65dba886070..2627fb5207d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
 author: frack113
-date: 2022/01/06
-modified: 2023/01/02
+date: 2022-01-06
+modified: 2023-01-02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
index cccdd23f261..4eaa754bdb3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/09
+date: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index ae14fb3c20a..5571476ac76 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
 author: frack113
-date: 2021/12/28
+date: 2021-12-28
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
index 6e40bbde91c..e940b8c6891 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
@@ -6,7 +6,7 @@ references:
 - https://www.fortypoundhead.com/showcontent.asp?artid=24022
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/05
+date: 2023-05-05
 tags:
 - attack.exfiltration
 - attack.t1020
diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
index cc64fc6d081..93133559664 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
@@ -5,10 +5,10 @@ description: Adversaries may install a root certificate on a compromised system
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
-date: 2020/10/10
-modified: 2022/12/02
+date: 2020-10-10
+modified: 2022-12-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
index 7a8af323c0f..be52955d51a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
 - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
 author: frack113
-date: 2022/02/01
+date: 2022-02-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
index f12cb087b47..db994e6be4e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
@@ -7,8 +7,8 @@ references:
 - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
 author: frack113
-date: 2022/01/07
-modified: 2023/05/04
+date: 2022-01-07
+modified: 2023-05-04
 tags:
 - attack.exfiltration
 - attack.t1020
diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
index 6ae6b02f854..0d9e4e175ab 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
@@ -9,7 +9,7 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
 - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
-date: 2022/09/26
+date: 2022-09-26
 tags:
 - attack.exfiltration
 - attack.t1048.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
index e99d4963bff..2bf49673951 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
@@ -8,7 +8,7 @@ description: Detect adversaries enumerate sensitive files
 references:
 - https://twitter.com/malmoeb/status/1570814999370801158
 author: frack113
-date: 2022/09/16
+date: 2022-09-16
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
index aca0db52632..f84e60065d0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
@@ -12,9 +12,9 @@ description: Detects PowerShell scripts set ACL to of a file or a folder
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/18
+date: 2023-07-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
index ff1923b702f..0634508bf77 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/18
+date: 2023-07-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1222
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index 2334290a1f9..68b7b35f975 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -14,8 +14,8 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
 - https://adsecurity.org/?p=2604
 author: frack113
-date: 2021/10/20
-modified: 2023/12/14
+date: 2021-10-20
+modified: 2023-12-14
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index c0726ebd308..3e8d10bb12e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -5,11 +5,11 @@ description: Detects Base64 encoded Shellcode
 references:
 - https://twitter.com/cyb3rops/status/1063072865992523776
 author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
-date: 2018/11/17
-modified: 2024/01/25
+date: 2018-11-17
+modified: 2024-01-25
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
index 2bca32e4342..4f3df16022b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
@@ -5,8 +5,8 @@ description: Detects Commandlet names from ShellIntel exploitation scripts.
 references:
 - https://github.com/Shellntel/scripts/
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2023/01/02
+date: 2021-08-09
+modified: 2023-01-02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
index 63206ed5316..d322b909de6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
 - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
 author: Nikita Nazarov, oscd.community
-date: 2020/10/16
-modified: 2022/12/02
+date: 2020-10-16
+modified: 2022-12-02
 tags:
 - attack.discovery
 - attack.t1518
diff --git a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
index df055784638..27e19fa41b2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
@@ -5,10 +5,10 @@ description: Storing files in Alternate Data Stream (ADS) similar to Astaroth ma
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
 author: frack113
-date: 2021/09/02
-modified: 2022/12/25
+date: 2021-09-02
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
index ca6e9f06485..d9dd0139a26 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
@@ -5,11 +5,11 @@ description: Detects usage of certain functions and keywords that are used to ma
 references:
 - https://github.com/HarmJ0y/DAMP
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/05
+date: 2023-01-05
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
index d3365ee8939..52799cf751f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
-date: 2021/12/15
-modified: 2022/12/25
+date: 2021-12-15
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
index 2e09e11bd8b..6e07be9999f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
@@ -8,9 +8,9 @@ description: Detects specific techniques often seen used inside of PowerShell sc
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/09
+date: 2023-01-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1027
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
index d675dec70b7..dc82ea86f49 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
@@ -10,9 +10,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
 - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/12
+date: 2022-09-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
index cb51c1f3763..e338edd5500 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
 author: frack113
-date: 2022/03/17
+date: 2022-03-17
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
index 9cfed3da8d1..cc0f92bf795 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
 - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
 author: Florian Roth (Nextron Systems)
-date: 2017/03/05
-modified: 2022/12/02
+date: 2017-03-05
+modified: 2022-12-02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
index 6720d4c95d3..eab7b12dcf8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
@@ -10,7 +10,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
 author: frack113
-date: 2022/01/02
+date: 2022-01-02
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
index f2ebf2f61f4..393e8ff15d1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: frack113
-date: 2021/12/19
-modified: 2022/12/25
+date: 2021-12-19
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
index 9db17e0c8c1..332bb627c1f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/nas_bench/status/1537919885031772161
 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/21
+date: 2022-06-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
index a20c53e924c..96f84a70b1c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
 - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
 author: frack113
-date: 2022/03/17
+date: 2022-03-17
 tags:
 - attack.discovery
 - attack.t1201
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
index 34be6f290cf..9f941ab3605 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
 author: frack113
-date: 2022/04/04
+date: 2022-04-04
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
index 8d4366eff43..6465f1ba549 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
 - https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
 author: frack113
-date: 2022/06/04
+date: 2022-06-04
 tags:
 - attack.discovery
 - attack.t1615
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
index e2eade20fbe..5eb73535304 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
 author: frack113
-date: 2022/03/17
+date: 2022-03-17
 tags:
 - attack.discovery
 - attack.t1057
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
index af6de71d8d0..a3bbd10b823 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
@@ -5,10 +5,10 @@ description: Detects a Get-Process command on lsass process, which is in almost
 references:
 - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
 author: Florian Roth (Nextron Systems)
-date: 2021/04/23
-modified: 2022/12/25
+date: 2021-04-23
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
index 870104f2f79..c0c3b0969f3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
@@ -5,9 +5,9 @@ description: Detects suspicious Powershell code that execute COM Objects
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
 author: frack113
-date: 2022/04/02
+date: 2022-04-02
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.015
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
index 61aaac7d187..887132e8d91 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
 author: frack113
-date: 2022/04/09
+date: 2022-04-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
index cc2a63ed517..ef64da6697b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
@@ -10,8 +10,8 @@ description: Detects suspicious PowerShell invocation command parameters
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/03/12
-modified: 2023/01/03
+date: 2017-03-12
+modified: 2023-01-03
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
index 34266d9b0d5..06a092d4101 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
@@ -2,7 +2,7 @@ title: Suspicious PowerShell Invocations - Specific
 id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
 related:
 - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
- type: obsoletes
+ type: obsolete
 - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 type: similar
 - id: 536e2947-3729-478c-9903-745aaffe60d2
@@ -12,8 +12,8 @@ description: Detects suspicious PowerShell invocation command parameters
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
-date: 2017/03/05
-modified: 2023/01/05
+date: 2017-03-05
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index fcb2b047ab0..2bdf61bd4f4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
 author: frack113
-date: 2022/01/23
-modified: 2023/01/02
+date: 2022-01-23
+modified: 2023-01-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
index bd2258ed6eb..d7bf33fc4f5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
@@ -5,10 +5,10 @@ description: Open a handle on the drive volume via the \\.\ DOS device path spec
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
 author: frack113
-date: 2022/01/09
-modified: 2022/03/05
+date: 2022-01-09
+modified: 2022-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.003
 logsource:
 product: windows
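Review bot: In the posh_ps_susp_invocation_specific.yml hunk the new `date: 2017-03-05` and `modified: 2023-01-05` values are plain scalars in YAML 1.1 timestamp form, so loaders such as PyYAML will resolve them to `datetime.date` objects, whereas the old slash-separated form was always a string. Any downstream script that compared, sorted or split these fields as text will now receive a different type; the same applies to every `date`/`modified` line in this commit. If the Sigma toolchain already expects date objects this is the intended effect of the ISO switch, but it is worth stating in the PR description, and consumers that need the literal text should either quote the value (`date: '2017-03-05'`) or load the rule with a constructor that does not resolve timestamps.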
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
index f794f04bdc0..aefed153495 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
@@ -8,10 +8,10 @@ references:
 - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
 - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/04
+date: 2023-01-04
 tags:
 - attack.collection
- - attack.credential_access
+ - attack.credential-access
 - attack.t1056.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index adf5411b289..2eae0679ea3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
 - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
 author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
-date: 2019/02/11
-modified: 2023/04/21
+date: 2019-02-11
+modified: 2023-04-21
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
index 030b8af3964..5f134bf6b03 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: frack113
-date: 2021/12/12
-modified: 2022/11/25
+date: 2021-12-12
+modified: 2022-11-25
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
index b9159bcbeb9..09ba6270cd8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
 author: frack113
-date: 2021/07/21
-modified: 2022/12/25
+date: 2021-07-21
+modified: 2022-12-25
 tags:
 - attack.collection
 - attack.t1114.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
index 4d88e77e01a..0e583178ab4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
 author: frack113
-date: 2022/02/01
+date: 2022-02-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
index 9ccd81c1018..31925e6b91c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
@@ -5,10 +5,10 @@ description: Detects when when a mounted share is removed. Adversaries may remov
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
-date: 2020/10/08
-modified: 2022/12/25
+date: 2020-10-08
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
index 221bea012d1..78ec28c36f7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
@@ -7,9 +7,9 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
 author: frack113
-date: 2021/12/27
+date: 2021-12-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 91fddbbdd5b..a17579ab427 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
 author: frack113
-date: 2022/08/13
+date: 2022-08-13
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
index 87f8ce42180..36a4f4d3a8f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
@@ -5,9 +5,9 @@ description: Detects powershell scripts that creates sockets/listeners which cou
 references:
 - https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/08
+date: 2022-07-08
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
index 0478af77bb9..c5ec3b7f1f8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
@@ -5,8 +5,8 @@ description: Once established within a system or network, an adversary may use a
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
 author: frack113
-date: 2021/07/30
-modified: 2022/12/25
+date: 2021-07-30
+modified: 2022-12-25
 tags:
 - attack.collection
 - attack.t1119
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
index 3bfd4bef0e9..c069a19129a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
 author: frack113
-date: 2021/12/26
+date: 2021-12-26
 tags:
 - attack.impact
 - attack.t1531
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
index a2dd9ddeab3..b1fc54d3799 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
@@ -9,11 +9,11 @@ references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/24
+date: 2022-10-24
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.011
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
index cffcb7dfaa3..e04bfd65d1c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
@@ -8,9 +8,9 @@ description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a
 references:
 - https://github.com/1337Rin/Swag-PSO
 author: frack113
-date: 2023/01/08
+date: 2023-01-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1027
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
index f46c20b0813..25f9a78a5d4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
-date: 2021/12/15
-modified: 2022/12/25
+date: 2021-12-15
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
index cb59bdadee6..5a89b714d0f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
 - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
 author: frack113
-date: 2022/01/23
+date: 2022-01-23
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1573
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
index 26025072284..8d786a3fe5b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
 author: frack113
-date: 2022/01/15
+date: 2022-01-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
index 245a48799df..ecb92378064 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
 author: frack113
-date: 2022/02/01
+date: 2022-02-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
index 39e937a11e5..74e82f481d7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
 author: frack113
-date: 2021/12/26
+date: 2021-12-26
 tags:
 - attack.impact
 - attack.t1491.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
index 7dd77e5433c..c72ca7b6d20 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
@@ -5,8 +5,8 @@ description: Adversaries may attempt to gather information about attached periph
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
 author: frack113
-date: 2021/08/23
-modified: 2022/12/25
+date: 2021-08-23
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1120
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
index d5631ed9fb7..77f58851cfe 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
@@ -5,8 +5,8 @@ description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-W
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
 author: frack113
-date: 2021/12/26
-modified: 2022/12/02
+date: 2021-12-26
+modified: 2022-12-02
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
index ffc48d66386..353a02da625 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
@@ -11,8 +11,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
 - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
 author: Tim Rauch
-date: 2022/09/20
-modified: 2022/12/02
+date: 2022-09-20
+modified: 2022-12-02
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
index c18e3b00f35..c92d3e3d90c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
 author: frack113, Tim Shelton (fp AWS)
-date: 2021/10/20
-modified: 2023/01/03
+date: 2021-10-20
+modified: 2023-01-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
index d1fa4ef1fce..0fcb4965a8c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
@@ -5,9 +5,9 @@ description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. T
 references:
 - https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/16
+date: 2022-08-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
index 1023cd6ee10..a46f33410bd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
@@ -15,8 +15,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2021/07/20
-modified: 2023/12/18
+date: 2021-07-20
+modified: 2023-12-18
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
index 88486a63c14..0f9c662e676 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
@@ -10,10 +10,10 @@ description: Detects SyncAppvPublishingServer process execution which usually ut
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
-date: 2020/10/05
-modified: 2022/12/25
+date: 2020-10-05
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml
index 92f900613ad..8b52a2f8fdf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml
@@ -8,9 +8,9 @@ description: Detects attempts to remove Windows Defender configuration using the
 references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
+date: 2022-08-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
index 5e897c20429..9cb659232b9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
 - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
 author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/16
-modified: 2024/01/02
+date: 2022-01-16
+modified: 2024-01-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
index cf9b793c3db..32c1a27d074 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
@@ -8,9 +8,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
 - https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
 author: frack113
-date: 2022/01/23
+date: 2022-01-23
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1571
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
index 915f754d8a3..9ee1b160328 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
 - https://www.offensive-security.com/metasploit-unleashed/timestomp/
 author: frack113
-date: 2021/08/03
-modified: 2022/12/25
+date: 2021-08-03
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index fe4cc6b8385..87fc5a937c3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -8,10 +8,10 @@ description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
-date: 2022/12/27
-modified: 2024/08/11
+date: 2022-12-27
+modified: 2023-03-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.009
 logsource:
 product: windows
@@ -23,13 +23,11 @@ detection:
 # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
 # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
 # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
+ # ${e`Nv:pATh}
 - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
 # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
 - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
- # ${e`Nv:pATh}
- - ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
- filter_envpath:
- ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964
+ - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
 filter_chocolatey:
 ScriptBlockText|contains:
 - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
index 95d5efe2466..f7faac2c2f3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
@@ -9,7 +9,7 @@ references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/17
+date: 2022-11-17
 tags:
 - attack.discovery
 - attack.t1033
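Review bot: The replacement `ScriptBlockText|re` on the new side is case-sensitive, so the very example it documents, `${e`Nv:pATh}`, no longer matches: every alternative spells the drive and variable with lowercase `(e|n|v)` / `(p|a|t|h)` classes, the `(?i)` prefix the removed line carried is gone, and PowerShell resolves `${E`NV:PATH}` exactly like `${env:path}`, so an attacker only has to vary case to slip past it. Unless the target backend is configured case-insensitive, either restore the prefix, `- ScriptBlockText|re: '(?i)\$\{((e|n|v)*`(e|n|v)*)+:path\}|…'`, or use the `re|i` modifier if the Sigma version in use supports it (the hyphenated tag names elsewhere in this diff suggest a v2-era spec). Dropping `filter_envpath` is consistent with the new pattern, since each alternative requires at least one backtick and the literal `${env:path}` can no longer match. Note also that in the preceding hunk `modified` moves back from 2024/08/11 to 2023-03-24 and the removed line cites PR #4964, so this looks like a revert of that PR's fix rather than a forward change — worth confirming that is intended.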
diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
index ce3c334f7d6..e30da0ae3c5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
@@ -5,11 +5,11 @@ description: Detects calls to "Add-Content" cmdlet in order to modify the conten
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/08/18
-modified: 2023/05/04
+date: 2021-08-18
+modified: 2023-05-04
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.013
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
index e20dd9a2823..4d359a9ff6a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
@@ -9,11 +9,11 @@ references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/17
+date: 2022-10-17
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.011
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
index 91e7f0c9a75..eccd8d6d5c3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
@@ -6,9 +6,9 @@ references:
 - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
index 0ac2eb869f9..c978e406732 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
@@ -9,8 +9,8 @@ references:
 - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
 - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 author: James Pemberton / @4A616D6573
-date: 2019/10/24
-modified: 2023/01/10
+date: 2019-10-24
+modified: 2023-01-10
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
index f8547cc4191..e04378b01bc 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
@@ -5,9 +5,9 @@ description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentia
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/13
+date: 2023-07-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: ps_script
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
index 68ee1f4e972..19f6887f7c2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
@@ -5,9 +5,9 @@ description: Detects the execution of an MSI file using PowerShell and the WMI W
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
 author: frack113
-date: 2022/04/24
+date: 2022-04-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.007
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
index 51dd93bdc8b..0e7f21b905e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
@@ -8,8 +8,8 @@ description: Detects use of WinAPI functions in PowerShell scripts
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
-date: 2020/10/06
-modified: 2023/06/20
+date: 2020-10-06
+modified: 2023-06-20
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
index 7d65f5d126f..79fa2ee1d8b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
@@ -8,10 +8,10 @@ description: Detects modifications to the Windows Defender configuration setting
 references:
 - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/16
-modified: 2022/11/26
+date: 2022-09-16
+modified: 2022-11-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
index 2c7295a0f18..beb48f1293c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
@@ -12,10 +12,10 @@ references:
 - http://woshub.com/manage-windows-firewall-powershell/
 - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
 author: Austin Songer @austinsonger
-date: 2021/10/12
-modified: 2022/12/30
+date: 2021-10-12
+modified: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index 3e99e1e1e83..d27184e87ca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -9,8 +9,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2022/07/07
+date: 2019-10-21
+modified: 2022-07-07
 tags:
 - attack.persistence
 - attack.t1547.004
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
index 12e28077de1..65e4256eb98 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
 author: frack113
-date: 2021/08/19
-modified: 2022/12/25
+date: 2021-08-19
+modified: 2022-12-25
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
index 10b86b50462..6805a376cff 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
@@ -10,8 +10,8 @@ references:
 - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
-modified: 2022/11/25
+date: 2022-06-20
+modified: 2022-11-25
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
index 8bd67af54f5..758bcb49fdd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
@@ -5,8 +5,8 @@ description: Detects parameters used by WMImplant
 references:
 - https://github.com/FortyNorthSecurity/WMImplant
 author: NVISO
-date: 2020/03/26
-modified: 2022/12/25
+date: 2020-03-26
+modified: 2022-12-25
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
index abefd5c8216..80bcb9136a9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
@@ -10,9 +10,9 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
 author: frack113
-date: 2022/12/23
+date: 2022-12-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
index 12d6d22135e..c8f5b33265b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
 author: frack113
-date: 2022/01/19
-modified: 2023/01/19
+date: 2022-01-19
+modified: 2023-01-19
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
index 6df45ed4253..7dc77b126a3 100755
--- a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
+++ b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
@@ -5,10 +5,10 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 author: Nik Seetharaman
-date: 2018/07/16
-modified: 2021/06/27
+date: 2018-07-16
+modified: 2021-06-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.003
 - attack.execution
 - attack.t1559.001
diff --git a/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
index cdc017c600b..c200b011f9c 100644
--- a/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/boku7/injectAmsiBypass
 - https://github.com/boku7/spawn
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/04
-modified: 2023/11/28
+date: 2021-08-04
+modified: 2023-11-28
 tags:
 - attack.execution
 - attack.t1106
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
index fd21e20f157..d25f8ad0020 100644
--- a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
@@ -6,9 +6,9 @@ references:
 - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
 - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
 author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-date: 2023/11/27
+date: 2023-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
index 63ee38f016b..d7c3559fcda 100644
--- a/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
@@ -5,12 +5,12 @@ description: Detects HandleKatz opening LSASS to duplicate its handle to later d
 references:
 - https://github.com/codewhitesec/HandleKatz
 author: Bhabesh Raj (rule), @thefLinkk
-date: 2022/06/27
-modified: 2023/11/28
+date: 2022-06-27
+modified: 2023-11-28
 tags:
 - attack.execution
 - attack.t1106
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1003.001
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
index 30ac5e826ea..a036b8fc347 100644
--- a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
@@ -5,8 +5,8 @@ description: Detects the process injection of a LittleCorporal generated Maldoc.
 references:
 - https://github.com/connormcgarr/LittleCorporal
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/09
-modified: 2023/11/28
+date: 2021-08-09
+modified: 2023-11-28
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml b/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
index d2a5f9bebef..7f498ae2166 100644
--- a/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/codewhitesec/SysmonEnte/
 - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
 author: Florian Roth (Nextron Systems)
-date: 2022/09/07
-modified: 2023/11/28
+date: 2022-09-07
+modified: 2023-11-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
index 41bf35d0838..c94c97585bf 100755
--- a/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/shantanukhande/status/1229348874298388484
 - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/20
-modified: 2023/11/29
+date: 2020-10-20
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml b/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml
index b3a870172e5..11e50bcc9c2 100644
--- a/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/_xpn_/status/1491557187168178176
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
 author: Florian Roth (Nextron Systems)
-date: 2022/02/10
-modified: 2023/11/29
+date: 2022-02-10
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
index c8d8aa0b7d6..bf8053d1212 100755
--- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
 - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
 author: Samir Bousseaden, Michael Haag
-date: 2019/04/03
-modified: 2024/03/02
+date: 2019-04-03
+modified: 2024-03-02
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml b/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml
index ff24d962c4e..bbf0f1dff02 100644
--- a/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml
@@ -2,19 +2,19 @@ title: Credential Dumping Activity By Python Based Tool
 id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
 related:
 - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
- type: obsoletes
+ type: obsolete
 - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
 references:
 - https://twitter.com/bh4b3sh/status/1303674603819081728
 - https://github.com/skelsec/pypykatz
 author: Bhabesh Raj, Jonhnathan Ribeiro
-date: 2023/11/27
-modified: 2023/11/29
+date: 2023-11-27
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0349
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml b/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
index 7a3cc46c6a3..49bb3d20f05 100644
--- a/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
@@ -5,14 +5,14 @@ description: Detects remote access to the LSASS process via WinRM. This could be
 references:
 - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
 author: Patryk Prauze - ING Tech
-date: 2019/05/20
-modified: 2023/11/29
+date: 2019-05-20
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.execution
 - attack.t1003.001
 - attack.t1059.001
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.006
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml b/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml
index a7ee70a3324..909a3d46cf7 100644
--- a/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml
@@ -7,9 +7,9 @@ references:
 - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
 - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
 author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/29
+date: 2022-06-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
index 7ab396f1e3f..6e8dd7f0083 100644
--- a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
@@ -12,10 +12,10 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
-date: 2021/11/22
-modified: 2023/11/29
+date: 2021-11-22
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_lsass_werfault.yml b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
index 882813b6d32..7d158814c8b 100644
--- a/rules/windows/process_access/proc_access_win_lsass_werfault.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
@@ -5,10 +5,10 @@ description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-
 references:
 - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
 author: Florian Roth (Nextron Systems)
-date: 2012/06/27
-modified: 2023/11/29
+date: 2012-06-27
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml b/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml
index 51e310eb74e..2bfc07d1773 100644
--- a/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml
@@ -8,10 +8,10 @@ references:
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
 - https://twitter.com/mrd0x/status/1460597833917251595
 author: Florian Roth (Nextron Systems)
-date: 2022/02/10
-modified: 2023/11/29
+date: 2022-02-10
+modified: 2023-11-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml b/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
index a522dde7df5..8fbecdd5e78 100644
--- a/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
+++ b/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/05/27
+date: 2024-05-27
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055.011
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml b/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
index 4308363af1c..c4d80b40f5f 100644
--- a/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
+++ b/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
@@ -5,8 +5,8 @@ description: Detects potential calls to NtOpenProcess directly from NTDLL.
 references:
 - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
 author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
-date: 2021/07/28
-modified: 2023/12/13
+date: 2021-07-28
+modified: 2023-12-13
 tags:
 - attack.execution
 - attack.t1106
diff --git a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
index 991906f4cea..d3ca01d426d 100644
--- a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
@@ -5,8 +5,8 @@ description: Detects when a process tries to access the memory of svchost to pot
 references:
 - Internal Research
 author: Florent Labouyrie
-date: 2021/04/30
-modified: 2022/10/09
+date: 2021-04-30
+modified: 2022-10-09
 tags:
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml b/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
index 1fd357197cb..6c2323dcd27 100644
--- a/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/hlldz/Invoke-Phant0m
 - https://twitter.com/timbmsft/status/900724491076214784
 author: Tim Burrell
-date: 2020/01/02
-modified: 2023/01/30
+date: 2020-01-02
+modified: 2023-01-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml b/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
index 8d0246b6b22..987d861b36c 100644
--- a/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
+++ b/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
@@ -6,11 +6,11 @@ references:
 - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
 - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
 author: oscd.community, Dmitry Uchakin
-date: 2020/10/07
-modified: 2023/11/30
+date: 2020-10-07
+modified: 2023-11-30
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
index 4f845f93f72..9f7066aa1ca 100644
--- a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
+++ b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_access
diff --git a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
index 24a958d6409..1bf1f46831d 100644
--- a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
@@ -8,8 +8,8 @@ description: Detects execution of 7z in order to compress a file with a ".dmp"/"
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/27
-modified: 2023/09/12
+date: 2022-09-27
+modified: 2023-09-12
 tags:
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml b/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml
index a32f1a038db..79788510840 100644
--- a/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml
+++ b/rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml
@@ -5,8 +5,8 @@ description: An adversary may compress or encrypt data that is collected prior t
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: frack113
-date: 2021/07/27
-modified: 2023/03/13
+date: 2021-07-27
+modified: 2023-03-13
 tags:
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
index e1ff2063ddb..8450812a736 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
+date: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
index dbbe9071827..c70f6ce8086 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
+date: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
index 3f07b90bfe3..ae897ea9b18 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
+date: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
index 23bf8f40882..9ea4a0beaa3 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
@@ -5,9 +5,9 @@ description: Detects execution of the Add-In deployment cache updating utility (
 references:
 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-date: 2023/09/18
+date: 2023-09-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
index b8baf532dbd..6111dab76a0 100644
--- a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/nas_bench/status/1534916659676422152
 - https://twitter.com/nas_bench/status/1534915321856917506
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/09
-modified: 2023/06/23
+date: 2022-06-09
+modified: 2023-06-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
index 13ec22dff46..182896e7d36 100644
--- a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
 - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
 - https://twitter.com/jseerden/status/1247985304667066373/photo/1
-date: 2022/12/24
-modified: 2024/08/07
+date: 2022-12-24
+modified: 2024-08-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
index 3e0a1ff9bec..062ae65ff90 100644
--- a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
 - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
 - https://twitter.com/jseerden/status/1247985304667066373/photo/1
-date: 2022/12/24
-modified: 2024/08/07
+date: 2022-12-24
+modified: 2024-08-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
index 51575fa0633..cbe99b2c055 100644
--- a/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
@@ -9,11 +9,11 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
 author: Sreeman
-date: 2020/03/13
-modified: 2023/11/09
+date: 2020-03-13
+modified: 2023-11-09
 tags:
 - attack.t1218
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml
index 1a5e35c469c..15924415e71 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml
@@ -13,10 +13,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
 - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
 author: frack113
-date: 2021/11/24
-modified: 2023/08/14
+date: 2021-11-24
+modified: 2023-08-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
index 24ce16161ba..b23cbc09355 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
@@ -13,9 +13,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
 - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/14
+date: 2023-08-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
index b886495a809..c26ac7019ad 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
@@ -13,9 +13,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
 - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/14
+date: 2023-08-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
index 17a6f805a65..ec59ed03d04 100644
--- a/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
 - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1053.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml b/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml
index 47228e2a1d8..4bc4bd394d9 100644
--- a/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml
@@ -6,10 +6,10 @@ references:
 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
 - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
 author: Mateusz Wydra, oscd.community
-date: 2020/10/12
-modified: 2024/03/06
+date: 2020-10-12
+modified: 2024-03-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
index d94dbea8f45..269778d1b0d 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
@@ -6,10 +6,10 @@ references:
 - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
 - https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
 author: Sami Ruohonen
-date: 2019/01/16
-modified: 2023/03/14
+date: 2019-01-16
+modified: 2023-03-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
index f5999be8c19..ecdf6b7bdd2 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
@@ -11,10 +11,10 @@ references:
 - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
 - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/03/14
+date: 2022-06-28
+modified: 2023-03-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml b/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
index 4cce466988e..42071ee0e47 100644
--- a/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
@@ -10,10 +10,10 @@ description: |
 references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/18
-modified: 2023/02/21
+date: 2021-12-18
+modified: 2023-02-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
index 45b1d2d6a08..5a340da7e7f 100644
--- a/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
@@ -10,10 +10,10 @@ description: |
 references:
 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 author: Janantha Marasinghe (https://github.com/blueteam0ps)
-date: 2021/02/02
-modified: 2023/02/22
+date: 2021-02-02
+modified: 2023-02-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
index a39005eaf96..0540e644d27 100644
--- a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
@@ -10,10 +10,10 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bash/
 author: frack113
-date: 2021/11/24
-modified: 2023/08/15
+date: 2021-11-24
+modified: 2023-08-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
index 378564506d5..e6df1d1bd00 100644
--- a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
@@ -12,9 +12,9 @@ references:
 - https://linux.die.net/man/1/bash
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/15
+date: 2023-08-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml b/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
index c0027a638b9..821fe1ccd7c 100644
--- a/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
 - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2023/02/15
+date: 2019-10-24
+modified: 2023-02-15
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
index 5b03cb5932d..51d43a13f40 100644
--- a/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
 - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
 author: '@neu5ron'
-date: 2019/02/07
-modified: 2023/02/15
+date: 2019-02-07
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.persistence
 - attack.t1542.003
diff --git a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
index 8570b2fa38a..422d784fd49 100644
--- a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
@@ -9,11 +9,11 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
 - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/16
+date: 2023-08-16
 tags:
 - attack.execution
 - attack.t1059.005
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
index 6bf4be7d413..4104b174c71 100644
--- a/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
@@ -9,12 +9,12 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
 - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
 author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
-date: 2019/10/26
-modified: 2023/08/16
+date: 2019-10-26
+modified: 2023-08-16
 tags:
 - attack.execution
 - attack.t1059.005
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml b/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
index 84032ab2b30..11e43cab358 100644
--- a/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
@@ -12,9 +12,9 @@ references:
 - https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
 - https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/
 author: Josh Nickels, mttaggart
-date: 2024/07/11
+date: 2024-07-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
index ac01be01d95..8a1d6ac4a5b 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
@@ -7,10 +7,10 @@ references:
 - https://isc.sans.edu/diary/22264
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 author: Michael Haag, FPT.EagleEye
-date: 2017/03/09
-modified: 2023/02/15
+date: 2017-03-09
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
index 1ed2acbb914..abecda37809 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2023/02/15
+date: 2022-06-28
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
index 6404a63a664..007beb6bdac 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
@@ -10,10 +10,10 @@ references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/28
-modified: 2024/02/09
+date: 2022-06-28
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
index d90c4f3d1e9..8ba27639a7d 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
@@ -7,10 +7,10 @@ references:
 - https://isc.sans.edu/diary/22264
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/05/30
+date: 2022-06-28
+modified: 2023-05-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
index 1938cbbd12d..7cc0cb97f97 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
@@ -8,10 +8,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/05/30
+date: 2022-06-28
+modified: 2023-05-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
index 029d092f53d..bf3dcef7da8 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
@@ -8,10 +8,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/02/15
+date: 2022-06-28
+modified: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
index 00145c3f718..f450bd6d2fc 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
@@ -11,10 +11,10 @@ references:
 - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
 - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
 author: Sreeman
-date: 2020/10/29
-modified: 2024/01/25
+date: 2020-10-29
+modified: 2024-01-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
index 557cdcec130..25650868ef4 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
@@ -11,9 +11,9 @@ references:
 - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
 - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/23
+date: 2022-12-23
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1185
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
index 2c16c8aa48b..4290aad212c 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
@@ -9,9 +9,9 @@ references:
 - https://twitter.com/mrd0x/status/1478234484881436672?s=12
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/12
+date: 2023-09-12
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
index 1503072b3a3..a90052b9c25 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/mrd0x/status/1478234484881436672?s=12
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
 author: Sreeman, Florian Roth (Nextron Systems)
-date: 2022/01/04
-modified: 2023/05/12
+date: 2022-01-04
+modified: 2023-05-12
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
index 8319387bda8..0624aa3ebe6 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
@@ -10,8 +10,8 @@ references:
 - https://emkc.org/s/RJjuLa
 - https://www.mandiant.com/resources/blog/lnk-between-browsers
 author: Aedan Russell, frack113, X__Junior (Nextron Systems)
-date: 2022/06/19
-modified: 2023/11/28
+date: 2022-06-19
+modified: 2023-11-28
 tags:
 - attack.persistence
 - attack.t1176
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
index d1331368d0c..9502bfcf2e1 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
@@ -5,7 +5,7 @@ description: Detects the execution of a Chromium based browser process with the
 references:
 - https://www.zscaler.com/blogs/security-research/steal-it-campaign
 author: X__Junior (Nextron Systems)
-date: 2023/09/11
+date: 2023-09-11
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
index 3fbed6e5eaf..504d235589f 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
@@ -10,8 +10,8 @@ references:
 - https://emkc.org/s/RJjuLa
 - https://www.mandiant.com/resources/blog/lnk-between-browsers
 author: Aedan Russell, frack113, X__Junior (Nextron Systems)
-date: 2022/06/19
-modified: 2023/11/28
+date: 2022-06-19
+modified: 2023-11-28
 tags:
 - attack.persistence
 - attack.t1176
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml
index a2c0f412229..b93a5b353b6 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/mrd0x/status/1478116126005641220
 - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/11
-modified: 2023/11/09
+date: 2022-01-11
+modified: 2023-11-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
index 94c889d7f56..7199a169aab 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
@@ -11,10 +11,10 @@ references:
 - https://github.com/defaultnamehere/cookie_crimes/
 - https://github.com/wunderwuzzi23/firefox-cookiemonster
 author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/27
-modified: 2022/12/23
+date: 2022-07-27
+modified: 2022-12-23
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1185
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml b/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml
index 952906e58e0..2584b566def 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml
@@ -5,10 +5,10 @@ description: Detects the use of Tor or Tor-Browser to connect to onion routing n
 references:
 - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
 author: frack113
-date: 2022/02/20
-modified: 2023/02/13
+date: 2022-02-20
+modified: 2023-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml b/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml
index d0be2aabea7..8c264e6d5c8 100644
--- a/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://twitter.com/ItsReallyNick/status/1094080242686312448
 author: Florian Roth (Nextron Systems)
-date: 2019/02/09
-modified: 2023/11/09
+date: 2019-02-09
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml
index d17f3dcfdaa..0de84472d0e 100644
--- a/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml
@@ -7,12 +7,12 @@ references:
 - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
 - https://twitter.com/nas_bench/status/1534957360032120833
 author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/26
-modified: 2024/04/22
+date: 2019-10-26
+modified: 2024-04-22
 tags:
 - attack.execution
 - attack.t1106
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1127
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml
index 226bce9b770..ecadab35c3a 100644
--- a/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml
+++ b/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml
@@ -4,7 +4,7 @@ related:
 - id: 42821614-9264-4761-acfc-5772c3286f76
 type: derived
 - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
 author: oscd.community, @redcanary, Zach Stanford @svch0st
-date: 2023/03/05
+date: 2023-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download.yml b/rules/windows/process_creation/proc_creation_win_certoc_download.yml
index 4ae525bbdf0..64c7d57d60a 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_download.yml
@@ -8,10 +8,10 @@ description: Detects when a user downloads a file by using CertOC.exe
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/16
-modified: 2023/10/18
+date: 2022-05-16
+modified: 2023-10-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
index b0e8ea59898..c00e0f69406 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml
@@ -8,9 +8,9 @@ description: Detects when a user downloads a file from an IP based URL using Cer
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/18
+date: 2023-10-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1105
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
index 20d92cafd92..a72bfabe946 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
 - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Austin Songer @austinsonger
-date: 2021/10/23
-modified: 2024/03/05
+date: 2021-10-23
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
index 0e1f850a60c..edc542a539d 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
 - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
-modified: 2024/03/05
+date: 2023-02-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
index 00ae0c0b680..d97c7467fa2 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
@@ -4,7 +4,7 @@ related:
 - id: 42821614-9264-4761-acfc-5772c3286f76
 type: derived
 - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
@@ -12,10 +12,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 author: oscd.community, @redcanary, Zach Stanford @svch0st
-date: 2023/03/05
-modified: 2024/03/05
+date: 2023-03-05
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
index 17e40b7b614..9f6655c1d2c 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2023/02/15
-modified: 2024/03/05
+date: 2023-02-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download.yml b/rules/windows/process_creation/proc_creation_win_certutil_download.yml
index b008ba1fd8f..d9e77b38cb2 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download.yml
@@ -12,9 +12,9 @@ references:
 - https://twitter.com/egre55/status/1087685529016193025
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
index 1ad97531b52..53f947fee9a 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
@@ -15,9 +15,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 - https://twitter.com/_JohnHammond/status/1708910264261980634
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
index 40be7869b40..afb604f263b 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
@@ -15,10 +15,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
-modified: 2024/02/09
+date: 2023-02-15
+modified: 2024-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
index 2b523b57567..2994f73f423 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
@@ -7,10 +7,10 @@ references:
 - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/02/24
-modified: 2024/03/05
+date: 2019-02-24
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
index 7d1ea21b242..98edaf1a986 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
@@ -11,10 +11,10 @@ references:
 - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
 - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2024/03/05
+date: 2023-05-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
index 3e9e09894ec..6f1fae87e99 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
@@ -11,10 +11,10 @@ references:
 - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
 - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2024/03/05
+date: 2023-05-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
index f7121ebbbe1..37df08c3333 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
@@ -5,10 +5,10 @@ description: Detects the execution of the certutil with the "exportPFX" flag whi
 references:
 - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/15
-modified: 2024/03/05
+date: 2023-02-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
index 1e69c0c26db..0797a090dcc 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
@@ -5,10 +5,10 @@ description: Detects possible NTLM coercion via certutil using the 'syncwithWU'
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/issues/243
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/01
-modified: 2023/02/14
+date: 2022-09-01
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
index b86bf5de7d6..d86cf13668d 100644
--- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
@@ -6,8 +6,8 @@ references:
 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
 author: _pete_0, TheDFIRReport
-date: 2022/02/21
-modified: 2024/03/05
+date: 2022-02-21
+modified: 2024-03-05
 tags:
 - attack.discovery
 - attack.t1614.001
diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
index 8e9c366224f..d45645ffa3f 100644
--- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
+++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
@@ -6,11 +6,11 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
 - https://twitter.com/cglyer/status/1183756892952248325
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2019/10/14
-modified: 2023/03/07
+date: 2019-10-14
+modified: 2023-03-07
 tags:
 - attack.t1036
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
index a47f891713a..fbcb5aa638b 100644
--- a/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
@@ -8,8 +8,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
 author: frack113
-date: 2021/12/26
-modified: 2023/02/21
+date: 2021-12-26
+modified: 2023-02-21
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml b/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml
index 7802fd26153..e5e5da84e84 100644
--- a/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/_xpn_/status/1491557187168178176
 - https://www.youtube.com/watch?v=Ie831jF0bb0
 author: Florian Roth (Nextron Systems)
-date: 2022/02/10
-modified: 2022/05/13
+date: 2022-02-10
+modified: 2022-05-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_clip_execution.yml b/rules/windows/process_creation/proc_creation_win_clip_execution.yml
index 9c5faf4197e..cbfa3cbaea6 100644
--- a/rules/windows/process_creation/proc_creation_win_clip_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_clip_execution.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
 author: frack113
-date: 2021/07/27
-modified: 2023/02/21
+date: 2021-07-27
+modified: 2023-02-21
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
index 5a7a1c1ff4c..e0a35f2da37 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
@@ -11,9 +11,9 @@ references:
 - https://github.com/cloudflare/cloudflared/releases
 author: Nasreddine Bencherchali (Nextron Systems)
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.001
-date: 2023/12/20
+date: 2023-12-20
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml
index 12305388ebc..3c8194c9783 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml
@@ -17,9 +17,9 @@ references:
 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
 author: Sajid Nawaz Khan
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.001
-date: 2023/12/20
+date: 2023-12-20
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
index 0d7fbad446f..3ebc4087d97 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/cloudflare/cloudflared
 - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/17
-modified: 2023/12/21
+date: 2023-05-17
+modified: 2023-12-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 - attack.t1090
 - attack.t1572
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
index 633b1069bbe..f3661aa4b01 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/cloudflare/cloudflared
 - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/17
-modified: 2023/12/20
+date: 2023-05-17
+modified: 2023-12-20
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1102
 - attack.t1090
 - attack.t1572
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
index 8504c8c0f5b..15f2e831274 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml
@@ -10,8 +10,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/03/06
+date: 2019-10-21
+modified: 2023-03-06
 tags:
 - attack.persistence
 - attack.t1546.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
index 09b8c38ac5e..b0ab2ab46e4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml
@@ -10,8 +10,8 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/28
-modified: 2023/03/06
+date: 2022-06-28
+modified: 2023-03-06
 tags:
 - attack.persistence
 - attack.t1546.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
index 1ca643dc6f6..6ef76af1cce 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
@@ -5,10 +5,10 @@ description: Detects usage of the copy builtin cmd command to copy files with th
 references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/27
-modified: 2023/09/12
+date: 2022-09-27
+modified: 2023-09-12
 tags:
- - attack.credential_access
+ - attack.credential-access
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
index 566d90709ec..4d0659da7c9 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
@@ -5,12 +5,12 @@ description: Adversaries can use curl to download payloads remotely and execute
 references:
     - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
 author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/01/13
-modified: 2024/03/05
+date: 2020-01-13
+modified: 2024-03-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1105
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
index 8f0dc1a1828..cd2fd267545 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
@@ -10,10 +10,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 author: frack113
-date: 2022/01/15
-modified: 2024/03/05
+date: 2022-01-15
+modified: 2024-03-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1070.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
index fdde9d91f8a..3af2a401b3f 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
@@ -6,10 +6,10 @@ references:
     - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 author: frack113 , X__Junior (Nextron Systems)
-date: 2021/12/02
-modified: 2023/09/11
+date: 2021-12-02
+modified: 2023-09-11
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1070.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
index 186f688a6cc..d655a8c8540 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
@@ -6,8 +6,8 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
 author: frack113
-date: 2021/12/13
-modified: 2024/04/14
+date: 2021-12-13
+modified: 2024-04-14
 tags:
     - attack.discovery
     - attack.t1217
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
index f81862b0a67..10b14b51cab 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
@@ -6,8 +6,8 @@ references:
     - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
     - https://github.com/danielbohannon/Invoke-DOSfuscation
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/15
-modified: 2023/03/06
+date: 2022-02-15
+modified: 2023-03-06
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml b/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml
index 58ec2c6f1c3..b4c3ceb0c80 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml
@@ -6,11 +6,11 @@ references:
     - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
     - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2019/01/16
-modified: 2021/11/27
+date: 2019-01-16
+modified: 2021-11-27
 tags:
     - attack.execution
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1059.003
     - attack.t1059.001
     - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml b/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
index 53266fba6ad..41a6959c29b 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
     - https://ss64.com/nt/mklink.html
 author: frack113
-date: 2022/12/11
-modified: 2022/12/20
+date: 2022-12-11
+modified: 2022-12-20
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.008
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml b/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
index b8f367cbef6..1fc6e8164ab 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
@@ -5,10 +5,10 @@ description: Shadow Copies storage symbolic link creation using operating system
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2023/03/06
+date: 2019-10-22
+modified: 2023-03-06
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.002
     - attack.t1003.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
index 79f44dfeffc..52f4ae19996 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
@@ -6,8 +6,8 @@ references:
     - https://twitter.com/ShadowChasing1/status/1552595370961944576
     - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
 author: pH-T (Nextron Systems)
-date: 2022/09/01
-modified: 2023/02/21
+date: 2022-09-01
+modified: 2023-02-21
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
index 8af94c79549..8b8a40c7dd4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml
@@ -8,8 +8,8 @@ references:
     - https://twitter.com/cyb3rops/status/1562072617552678912
     - https://ss64.com/nt/cmd.html
 author: Florian Roth (Nextron Systems)
-date: 2022/08/23
-modified: 2023/03/06
+date: 2022-08-23
+modified: 2023-03-06
 tags:
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
index b741b98d0c2..15c2ee23186 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
@@ -5,10 +5,10 @@ description: Detects command that type the content of ntdll.dll to a different f
 references:
     - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
 author: Florian Roth (Nextron Systems)
-date: 2022/03/05
-modified: 2023/03/07
+date: 2022-03-05
+modified: 2023-03-07
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml b/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml
index c77506e5f2f..1241ffbace3 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml
@@ -6,8 +6,8 @@ references:
     - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
     - https://twitter.com/Oddvarmoe/status/1270633613449723905
 author: xknow @xknow_infosec, Tim Shelton
-date: 2020/06/11
-modified: 2023/03/06
+date: 2020-06-11
+modified: 2023-03-06
 tags:
     - attack.execution
     - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
index b1b53e96f05..abbed65b2dd 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
@@ -6,10 +6,10 @@ description: |
 references:
     - Internal Research
 author: X__Junior (Nextron Systems)
-date: 2023/07/18
-modified: 2024/03/06
+date: 2023-07-18
+modified: 2024-03-06
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1070.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
index 23ab4e0eb20..717b4fd9249 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
@@ -8,10 +8,10 @@ references:
     - https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
 author: Ilya Krestinichev
-date: 2022/11/03
-modified: 2024/03/05
+date: 2022-11-03
+modified: 2024-03-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1070.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index 0f15e3a0b4d..baa9d935549 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -12,10 +12,10 @@ description: |
 references:
     - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-modified: 2024/03/19
+date: 2022-07-12
+modified: 2024-03-19
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
index 13f0a14a4fa..6f297d0bbd0 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
@@ -10,10 +10,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 author: frack113
-date: 2022/01/15
-modified: 2023/03/07
+date: 2022-01-15
+modified: 2023-03-07
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1070.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
index 48f0b7638a8..2987d6abfa4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
@@ -7,8 +7,8 @@ references:
     - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
     - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2023/03/07
+date: 2021-08-09
+modified: 2023-03-07
 tags:
     - attack.impact
     - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml
index e90aba9a10c..e94cf40d716 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml
@@ -2,14 +2,14 @@ title: Read Contents From Stdin Via Cmd.EXE
 id: 241e802a-b65e-484f-88cd-c2dc10f9206d
 related:
     - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detect the use of "<" to read and potentially execute a file via cmd.exe
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
     - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/07
+date: 2023-03-07
 tags:
     - attack.execution
     - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
index 4d70886e81b..f74847d3352 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
@@ -8,10 +8,10 @@ description: Detects the usage and installation of a backdoor that uses an optio
 references:
     - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
 author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-date: 2018/03/15
-modified: 2023/03/07
+date: 2018-03-15
+modified: 2023-03-07
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546.008
     - car.2014-11-003
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
index 850e973cafe..e838850bc4e 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
@@ -9,11 +9,11 @@ references:
     - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
     - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
 author: Sreeman
-date: 2020/02/18
-modified: 2023/03/07
+date: 2020-02-18
+modified: 2023-03-07
 tags:
     - attack.t1546.008
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml b/rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml
index 267ab088b7d..3c72867d69a 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml
@@ -5,9 +5,9 @@ description: Detects usage of the "type" command to download/upload data from We
 references:
     - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/14
+date: 2022-12-14
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1105
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
index f08878e392c..322622e2f6b 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
@@ -5,8 +5,8 @@ description: Detects suspicious parent process for cmd.exe
 references:
     - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/21
-modified: 2023/12/05
+date: 2022-09-21
+modified: 2023-12-05
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
index c215c1b2097..8dee296e292 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
@@ -7,10 +7,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/03
-modified: 2024/03/05
+date: 2023-02-03
+modified: 2024-03-05
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.005
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
index 67582ff73b4..207afb47da5 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -7,10 +7,10 @@ references:
     - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
     - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
 author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/16
-modified: 2024/03/05
+date: 2019-01-16
+modified: 2024-03-05
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.005
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml b/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml
index 50534593f68..744a4b5a390 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml
@@ -10,11 +10,11 @@ references:
     - https://twitter.com/SwiftOnSecurity/status/1455897435063074824
     - https://github.com/LOLBAS-Project/LOLBAS/pull/151
 author: frack113
-date: 2021/11/03
-modified: 2024/04/22
+date: 2021-11-03
+modified: 2024-04-22
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
     - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml b/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
index 33e0a62f78f..85bf2196780 100644
--- a/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
@@ -5,10 +5,10 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 references:
     - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 author: Nik Seetharaman
-date: 2018/07/16
-modified: 2020/12/23
+date: 2018-07-16
+modified: 2020-12-23
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.execution
     - attack.t1218.003
     - attack.g0069
diff --git a/rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml b/rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml
index cc5dd05fb39..08764ff140b 100644
--- a/rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml
@@ -8,8 +8,8 @@ description: |
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
 author: frack113
-date: 2021/11/26
-modified: 2022/05/16
+date: 2021-11-26
+modified: 2022-05-16
 tags:
     - attack.exfiltration
     - attack.t1567
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
index e8481af00cf..d2705819e73 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
@@ -10,9 +10,9 @@ description: |
 references:
     - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 author: Matt Anderson (Huntress)
-date: 2024/07/23
+date: 2024-07-23
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1059.001
     - attack.t1059.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
index 13816ccf8ee..7e412b26610 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
@@ -7,9 +7,9 @@ references:
     - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
     - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
 author: frack113
-date: 2022/12/09
+date: 2022-12-09
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1202
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml b/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml
index c7b09d2bed0..2bc8b3ce857 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml
@@ -5,7 +5,7 @@ description: detects the usage of path traversal in conhost.exe indicating possi
 references:
     - https://pentestlab.blog/2020/07/06/indirect-command-execution/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/14
+date: 2022-06-14
 tags:
     - attack.execution
     - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
index 9b1a6c212bb..06b2331c2a8 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
@@ -5,10 +5,10 @@ description: Detects uncommon "conhost" child processes. This could be a sign of
 references:
     - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
 author: omkar72
-date: 2020/10/25
-modified: 2023/12/11
+date: 2020-10-25
+modified: 2023-12-11
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1202
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
index f1b546fa4d3..fa0de1e382a 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
@@ -5,8 +5,8 @@ description: Detects when the Console Window Host (conhost.exe) process is spawn
 references:
     - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/28
-modified: 2023/03/29
+date: 2022-09-28
+modified: 2023-03-29
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
index f3948552cbd..fe73817dfcb 100644
--- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
+++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
@@ -5,11 +5,11 @@ description: Detects the malicious use of a control panel item
 references:
     - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-date: 2020/06/22
-modified: 2023/10/11
+date: 2020-06-22
+modified: 2023-10-11
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.002
     - attack.persistence
     - attack.t1546
diff --git a/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml
index ca97bd4f80e..41b18b34d4f 100644
--- a/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml
@@ -9,10 +9,10 @@ references:
     - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
     - https://twitter.com/bopin2020/status/1366400799199272960
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/04
-modified: 2022/08/19
+date: 2022-01-04
+modified: 2022-08-19
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1036
     - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
index ee026d154f8..2db27cb340b 100644
--- a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
+++ b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
@@ -9,10 +9,10 @@ references:
     - https://twitter.com/gN3mes1s/status/1206874118282448897
     - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-date: 2019/08/24
-modified: 2024/05/27
+date: 2019-08-24
+modified: 2024-05-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
index 234b243c2a1..50c5dc8cc9b 100644
--- a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
@@ -7,13 +7,13 @@ references:
     - https://reaqta.com/2017/11/short-journey-darkvnc/
     - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2019/02/11
-modified: 2024/05/27
+date: 2019-02-11
+modified: 2024-05-27
 tags:
     - attack.execution
     - attack.t1059.005
     - attack.t1059.007
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.005
     - attack.t1027.004
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_csi_execution.yml b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
index ef3010a15ad..a3f5e0697c3 100644
--- a/rules/windows/process_creation/proc_creation_win_csi_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
@@ -8,12 +8,12 @@ references:
     - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
     - https://twitter.com/Z3Jpa29z/status/1317545798981324801
 author: Konstantin Grishchenko, oscd.community
-date: 2020/10/17
-modified: 2022/07/11
+date: 2020-10-17
+modified: 2022-07-11
 tags:
     - attack.execution
     - attack.t1072
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml b/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
index ed8be9d7b1a..ead6375ab6c 100644
--- a/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
+++ b/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
@@ -5,8 +5,8 @@ description: Detects the execution of CSharp interactive console by PowerShell
 references:
     - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
 author: Michael R. (@nahamike01)
-date: 2020/03/08
-modified: 2022/07/14
+date: 2020-03-08
+modified: 2022-07-14
 tags:
     - attack.execution
     - attack.t1127
diff --git a/rules/windows/process_creation/proc_creation_win_csvde_export.yml b/rules/windows/process_creation/proc_creation_win_csvde_export.yml
index 11d34cd80f0..b007a3dd8ed 100644
--- a/rules/windows/process_creation/proc_creation_win_csvde_export.yml
+++ b/rules/windows/process_creation/proc_creation_win_csvde_export.yml
@@ -8,7 +8,7 @@ references:
     - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
     - https://redcanary.com/blog/msix-installers/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/14
+date: 2023-03-14
 tags:
     - attack.exfiltration
     - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
index a993af3f72c..796cb83829b 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml
@@ -5,7 +5,7 @@ description: Detects execution of "curl.exe" with the "-c" flag in order to save
 references:
     - https://curl.se/docs/manpage.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/27
+date: 2023-07-27
 tags:
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
index 10da8a72133..c47022bc2e8 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
@@ -6,7 +6,7 @@ references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/27
+date: 2023-07-27
 tags:
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
index 89f690ac354..7b0b7dce1fd 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml
@@ -10,7 +10,7 @@ references:
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/18
+date: 2023-10-18
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
index dd2190a9aae..7a9688040a0 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/27
+date: 2023-07-27
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
index 0a7cdcc02f9..dd57b6b9da2 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
@@ -6,8 +6,8 @@ references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/05
-modified: 2024/02/09
+date: 2023-05-05
+modified: 2024-02-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
index 5069b28e086..8c3360a749c 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
@@ -5,7 +5,7 @@ description: Detects execution of "curl.exe" with the "--insecure" flag.
 references:
 - https://curl.se/docs/manpage.html
 author: X__Junior (Nextron Systems)
-date: 2023/06/30
+date: 2023-06-30
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
index 6082f5f5eca..eac8b3bf203 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
@@ -5,7 +5,7 @@ description: Detects execution of "curl.exe" with the "insecure" flag over proxy
 references:
 - https://curl.se/docs/manpage.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/27
+date: 2023-07-27
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml
index f9fefc3b6ad..257c0f0f795 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml
@@ -5,7 +5,7 @@ description: Detects execution of "curl.exe" with the "file://" protocol handler
 references:
 - https://curl.se/docs/manpage.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/27
+date: 2023-07-27
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
index d29a2bf73f1..13ff16ec549 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
@@ -14,10 +14,10 @@ references:
 - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/07/03
-modified: 2023/02/21
+date: 2020-07-03
+modified: 2023-02-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
index bac9b8e55b0..2fcbe4e8788 100644
--- a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/gN3mes1s/status/1222095963789111296
 - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/01/28
-modified: 2024/04/22
+date: 2020-01-28
+modified: 2024-04-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml
index 93d335e4d47..5d885ec0095 100644
--- a/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml
@@ -6,11 +6,11 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/
 - https://www.echotrail.io/insights/search/defaultpack.exe
 author: frack113
-date: 2022/12/31
-modified: 2024/04/22
+date: 2022-12-31
+modified: 2024-04-22
 tags:
 - attack.t1218
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
index 09aef9696e4..1ff0da2c88f 100644
--- a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml
@@ -5,9 +5,9 @@ description: Detects the desktopimgdownldr utility being used to download a remo
 references:
 - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/27
+date: 2022-09-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml
index e3bd3dc0078..209d21b099a 100644
--- a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
 - https://twitter.com/SBousseaden/status/1278977301745741825
 author: Florian Roth (Nextron Systems)
-date: 2020/07/03
-modified: 2021/11/27
+date: 2020-07-03
+modified: 2021-11-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
index 3fec8ca31c6..84ffa860a5b 100644
--- a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
+++ b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
@@ -11,10 +11,10 @@ references:
 - https://mobile.twitter.com/0gtweet/status/1564131230941122561
 - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
 author: '@gott_cyber'
-date: 2022/08/29
-modified: 2023/02/04
+date: 2022-08-29
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml b/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
index 94b671b3d76..63ce60c8acc 100644
--- a/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/mrd0x/status/1460815932402679809
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/11
-modified: 2023/04/06
+date: 2022-01-11
+modified: 2023-04-06
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml
index a801cacd0b7..7e91b656d16 100644
--- a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml
@@ -5,10 +5,10 @@ description: Detects potentially suspicious child processes of a ClickOnce deplo
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/12
+date: 2023-06-12
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
index 1d197418c2a..047fd42fde1 100644
--- a/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md
 - https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
 author: frack113
-date: 2022/08/20
-modified: 2023/02/04
+date: 2022-08-20
+modified: 2023-02-04
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
index 4aa24565c43..0b50eabbbad 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
@@ -20,9 +20,9 @@ references:
 - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
 - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/15
+date: 2023-09-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml
index 1253c0d2152..68c22c51fae 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml
@@ -22,10 +22,10 @@ references:
 - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
 - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/15
-modified: 2024/03/05
+date: 2023-09-15
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
index 99993fcd70f..e551880bb51 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
@@ -20,10 +20,10 @@ references:
 - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
 - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/15
+date: 2023-09-15
 modifier: 2024/03/05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
index 7cb6ce17e46..4d0bb87c1a9 100644
--- a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
+++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
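Review bot: In the proc_creation_win_diskshadow_script_mode_susp_location.yml hunk the context line `modifier: 2024/03/05` is left untouched: the key is a misspelling of `modified` and its value still carries the slash date format that the rest of this commit migrates away from. Because it is a context line the commit does not fix it, and any tooling that reads `modified` will presumably treat the rule as never modified while a validator that only checks known keys would not flag the stray key. It should read `modified: 2024-03-05`, matching the sibling rule proc_creation_win_diskshadow_script_mode_susp_ext.yml converted in the hunk just above; that needs a separate edit to this file since the line is unchanged here.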
@@ -5,9 +5,9 @@ description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from
 references:
 - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/02
+date: 2022-08-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
index 09c74587a44..0caeaa9b743 100644
--- a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/27
-modified: 2023/05/15
+date: 2022-06-27
+modified: 2023-05-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml
index 70b5088455a..ca0d6d52c00 100644
--- a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/iagox86/dnscat2
 - https://github.com/yarrick/iodine
 author: Daniil Yugoslavskiy, oscd.community
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
 - attack.exfiltration
 - attack.t1048.001
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.004
 - attack.t1132.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
index 81d7c3cb93c..296b9029203 100644
--- a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
@@ -5,10 +5,10 @@ description: Detects an unexpected process spawning from dns.exe which may indic
 references:
 - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/27
-modified: 2023/02/05
+date: 2022-09-27
+modified: 2023-02-05
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
index dde5693d0e0..e6783940844 100644
--- a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
@@ -7,8 +7,8 @@ references:
 - https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
 - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
 author: '@gott_cyber'
-date: 2022/07/31
-modified: 2023/02/04
+date: 2022-07-31
+modified: 2023-02-04
 tags:
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
index 100c2b6f6a8..cc56541a032 100644
--- a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
@@ -11,10 +11,10 @@ references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
 author: Florian Roth (Nextron Systems)
-date: 2017/05/08
-modified: 2023/02/05
+date: 2017-05-08
+modified: 2023-02-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml b/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml
index 33143a5f9a3..e4bc4b2dd4e 100644
--- a/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml
+++ b/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml
@@ -8,10 +8,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
 - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
 author: Beyu Denis, oscd.community
-date: 2019/10/26
-modified: 2024/04/24
+date: 2019-10-26
+modified: 2024-04-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1027.004
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
index 77030d5b11e..aeb4ed7cdb0 100644
--- a/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/_felamos/status/1204705548668555264
 - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
 author: Beyu Denis, oscd.community
-date: 2020/10/18
-modified: 2024/04/24
+date: 2020-10-18
+modified: 2024-04-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
index 89c798b1c14..816fc05d7dd 100644
--- a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
@@ -5,10 +5,10 @@ description: Detects commandline arguments for executing a child process via dot
 references:
 - https://twitter.com/bohops/status/1740022869198037480
 author: Jimmy Bayne (@bohops)
-date: 2024/01/02
+date: 2024-01-02
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml
index cfda2a9a757..51eb013f8f0 100644
--- a/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml
@@ -7,9 +7,9 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect
 - https://twitter.com/bohops/status/1635288066909966338
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/14
+date: 2023-03-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
index 324f94a53eb..81f65698a22 100644
--- a/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml
@@ -10,8 +10,8 @@ references:
 - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
 - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/19
-modified: 2023/09/29
+date: 2023-01-19
+modified: 2023-09-29
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
index b64926ce257..67b75a3c734 100644
--- a/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml
@@ -10,8 +10,8 @@ references:
 - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
 - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/19
-modified: 2023/09/29
+date: 2023-01-19
+modified: 2023-09-29
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
index 47e1ec620ef..df47bf12cff 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
@@ -6,10 +6,10 @@ references:
 - https://ss64.com/nt/dsacls.html
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
-modified: 2023/02/04
+date: 2022-06-20
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
index e9bdca041b0..0bba9c4ee43 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
@@ -7,10 +7,10 @@ references:
 - https://ss64.com/nt/dsacls.html
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
-modified: 2023/02/04
+date: 2022-06-20
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml
index 435472c69ba..97cdc01e7a2 100644
--- a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
 - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
 author: frack113
-date: 2022/01/16
-modified: 2022/08/26
+date: 2022-01-16
+modified: 2022-08-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml b/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml
index 575af9a806e..14f203af001 100644
--- a/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml
@@ -4,15 +4,15 @@ related:
 - id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b
 type: similar
 - id: 77815820-246c-47b8-9741-e0def3f57308
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects execution of "dsquery.exe" for domain trust discovery
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md
 - https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843
 author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
-date: 2019/10/24
-modified: 2023/02/02
+date: 2019-10-24
+modified: 2023-02-02
 tags:
 - attack.discovery
 - attack.t1482
diff --git a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml
index 283c1167542..2af1bcea572 100644
--- a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/0gtweet/status/1474899714290208777?s=12
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
 author: Florian Roth (Nextron Systems)
-date: 2021/12/28
+date: 2021-12-28
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml b/rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml
index 113588db5d1..104c0b40f58 100644
--- a/rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml
+++ b/rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://twitter.com/mrd0x/status/1460597833917251595
 author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/11/26
-modified: 2024/06/21
+date: 2021-11-26
+modified: 2024-06-21
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
index 4c370714e7d..497798d7a9d 100644
--- a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
@@ -8,10 +8,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
 - https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/04/06
-modified: 2023/04/12
+date: 2022-04-06
+modified: 2023-04-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
index aff50762f35..15534509ce7 100644
--- a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/mrd0x/status/1511489821247684615
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
 author: Florian Roth (Nextron Systems)
-date: 2022/04/06
-modified: 2023/04/12
+date: 2022-04-06
+modified: 2023-04-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_params.yml b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml
index 3f2a5aab587..791025f543e 100644
--- a/rules/windows/process_creation/proc_creation_win_esentutl_params.yml
+++ b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml
@@ -7,10 +7,10 @@ references:
 - https://attack.mitre.org/software/S0404/
 - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
 author: sam0x90
-date: 2021/08/06
-modified: 2022/10/09
+date: 2021-08-06
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 - attack.t1003.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml b/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml
index 3f125fcd873..1a47a6aa81d 100644
--- a/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml
+++ b/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml
@@ -8,10 +8,10 @@ references:
 - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
 - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
 author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/22
-modified: 2024/06/04
+date: 2019-10-22
+modified: 2024-06-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 - attack.t1003.003
 - car.2013-07-001
diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
index 1bd7d732f1a..577be195e0d 100644
--- a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
+++ b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
@@ -7,8 +7,8 @@ references:
 - https://redcanary.com/threat-detection-report/threats/qbot/
 - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
 author: frack113
-date: 2022/02/13
-modified: 2024/03/05
+date: 2022-02-13
+modified: 2024-03-05
 tags:
 - attack.collection
 - attack.t1005
diff --git a/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml
index ce5ff6c94c3..4d16403bf34 100644
--- a/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml
@@ -9,11 +9,11 @@ references:
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/03/19
-modified: 2023/09/28
+date: 2017-03-19
+modified: 2023-09-28
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - car.2019-04-001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
index c697a7e85c3..53a7bca6ac6 100644
--- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
@@ -6,10 +6,10 @@ references:
 - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
 - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
 author: Bhabesh Raj, X__Junior (Nextron Systems)
-date: 2021/07/30
-modified: 2024/03/05
+date: 2021-07-30
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
index 7e4717f2ed7..9e114355f86 100644
--- a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
+++ b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
@@ -10,10 +10,10 @@ references:
 - https://twitter.com/nas_bench/status/1535322450858233858
 - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
-date: 2019/06/29
-modified: 2024/06/04
+date: 2019-06-29
+modified: 2024-06-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
index 789647d77b3..71ef80b1b5e 100644
--- a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml
@@ -5,10 +5,10 @@ description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK
 references:
 - https://twitter.com/ORCA6665/status/1496478087244095491
 author: Florian Roth (Nextron Systems)
-date: 2022/02/23
-modified: 2022/04/21
+date: 2022-02-23
+modified: 2022-04-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml
index f602c5230bb..6b74583968f 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml
@@ -2,7 +2,7 @@ title: Remote File Download Via Findstr.EXE
 id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
 related:
 - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
@@ -11,10 +11,10 @@ references:
 - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/05
-modified: 2024/03/05
+date: 2020-10-05
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1564.004
 - attack.t1552.001
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
index 0da44623449..16078117426 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml
@@ -5,10 +5,10 @@ description: Look for the encrypted cpassword value within Group Policy Preferen
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
 author: frack113
-date: 2021/12/27
-modified: 2023/11/11
+date: 2021-12-27
+modified: 2023-11-11
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml
index ff08d80a118..edae85ac7cc 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml
@@ -5,10 +5,10 @@ description: Detects usage of findstr to identify and execute a lnk file as seen
 references:
 - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
 author: Trent Liffick
-date: 2020/05/01
-modified: 2024/01/15
+date: 2020-05-01
+modified: 2024-01-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1202
 - attack.t1027.003
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
index 05abffbc69b..511c660720d 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
@@ -5,10 +5,10 @@ description: Detects findstring commands that include the keyword lsass, which i
 references:
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
-date: 2022/08/12
-modified: 2024/06/04
+date: 2022-08-12
+modified: 2024-06-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
index a7608c4c4e8..8cda1589441 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2023/11/11
+date: 2022-08-12
+modified: 2023-11-11
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
index 39b6bfabb67..0bef6f4db88 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
@@ -12,8 +12,8 @@ references:
 - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
 - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2023/07/06
-modified: 2024/06/27
+date: 2023-07-06
+modified: 2024-06-27
 tags:
 - attack.discovery
 - attack.t1057
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
index d4656b0d2fc..818da4f4ee6 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
@@ -12,8 +12,8 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2023/10/20
-modified: 2023/11/14
+date: 2023-10-20
+modified: 2023-11-14
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml
index 741d35c9082..f584edbd743 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml
@@ -2,7 +2,7 @@ title: Insensitive Subfolder Search Via Findstr.EXE
 id: 04936b66-3915-43ad-a8e5-809eadfd1141
 related:
 - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
@@ -11,10 +11,10 @@ references:
 - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/05
-modified: 2024/03/05
+date: 2020-10-05
+modified: 2024-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1564.004
 - attack.t1552.001
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
index 6ee265561e9..073f4670fa0 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
@@ -5,8 +5,8 @@ description: Detects usage of "findstr" with the argument "385201". Which could
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
 author: frack113
-date: 2021/12/16
-modified: 2023/11/14
+date: 2021-12-16
+modified: 2023-11-14
 tags:
 - attack.discovery
 - attack.t1518.001
diff --git a/rules/windows/process_creation/proc_creation_win_finger_execution.yml b/rules/windows/process_creation/proc_creation_win_finger_execution.yml
index 0643d3b328f..d2e22093a13 100644
--- a/rules/windows/process_creation/proc_creation_win_finger_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_finger_execution.yml
@@ -10,10 +10,10 @@ references:
 - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
 - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
 author: Florian Roth (Nextron Systems), omkar72, oscd.community
-date: 2021/02/24
-modified: 2024/06/27
+date: 2021-02-24
+modified: 2024-06-27
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml
index 4af9111064d..f5acdd95655 100644
--- a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml
+++ b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml
@@ -9,10 +9,10 @@ references:
 - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
 - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/13
-modified: 2024/06/24
+date: 2023-02-13
+modified: 2024-06-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.t1562
 - attack.t1562.002
diff --git a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
index 343e3895812..dcf7818c2da 100644
--- a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
+++ b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
@@ -8,10 +8,10 @@ description: Detects possible Sysmon filter driver unloaded via fltmc.exe
 references:
 - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
 author: Kirill Kiryanov, oscd.community
-date: 2019/10/23
-modified: 2023/02/13
+date: 2019-10-23
+modified: 2023-02-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.t1562
 - attack.t1562.002
diff --git a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
index 7054dfbcb6c..dc0b6d50886 100644
--- a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
 author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
-date: 2024/01/05
+date: 2024-01-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml b/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
index c3336eab401..f564e4e08ab 100644
--- a/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
+++ b/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
@@ -2,9 +2,9 @@ title: Forfiles Command Execution
 id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
 related:
 - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
- type: obsoletes
+ type: obsolete
 - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects the execution of "forfiles" with the "/c" flag.
@@ -14,8 +14,8 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
 author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2022/06/14
-modified: 2024/03/05
+date: 2022-06-14
+modified: 2024-03-05
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml b/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml
index 63b21f5f1aa..72744875802 100644
--- a/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/0gtweet/status/1477925112561209344
 - https://twitter.com/wdormann/status/1478011052130459653?s=20
 author: Florian Roth (Nextron Systems)
-date: 2022/01/04
-modified: 2024/05/13
+date: 2022-01-04
+modified: 2024-05-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml b/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml
index 98d753ae91e..8cebaf1e4a1 100644
--- a/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml
@@ -10,8 +10,8 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/
 author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-date: 2022/06/02
-modified: 2024/04/23
+date: 2022-06-02
+modified: 2024-04-23
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
index 887b4673f2f..20d69f6bc91 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
@@ -6,8 +6,8 @@ references:
 - Turla has used fsutil fsinfo drives to list connected drives.
 - https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-date: 2022/03/29
-modified: 2022/07/14
+date: 2022-03-29
+modified: 2022-07-14
 tags:
 - attack.discovery
 - attack.t1120
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
index 93e8d66c37c..35129d96059 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
@@ -8,8 +8,8 @@ references:
 - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
 - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
 author: frack113
-date: 2022/03/02
-modified: 2023/01/19
+date: 2022-03-02
+modified: 2023-01-19
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
index 46f44207104..f085115075f 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
@@ -11,10 +11,10 @@ references:
 - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
 - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
 author: Ecco, E.M. Anhaus, oscd.community
-date: 2019/09/26
-modified: 2023/09/09
+date: 2019-09-26
+modified: 2023-09-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1070
 - attack.t1485
diff --git a/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml
index e38e71d3e29..e021183ff3c 100644
--- a/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml
@@ -5,12 +5,12 @@ description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag an
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2024/04/23
+date: 2020-10-09
+modified: 2024-04-23
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml b/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
index 9e7b1738e04..a41238ad6d8 100644
--- a/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml
@@ -5,10 +5,10 @@ description: Detects execution of GfxDownloadWrapper.exe with a URL as an argume
 references:
 - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2023/10/18
+date: 2020-10-09
+modified: 2023-10-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
index e74fcc261f8..8a454f7a653 100644
--- a/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
+++ b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml
@@ -5,8 +5,8 @@ description: Detects execution of "git" in order to clone a remote repository th
 references:
 - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/03
-modified: 2023/01/10
+date: 2023-01-03
+modified: 2023-01-10
 tags:
 - attack.reconnaissance
 - attack.t1593.003
diff --git a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
index 4163f3cdb7e..a59b6e7046e 100644
--- a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
@@ -8,10 +8,10 @@ description: Detects potentially suspicious child processes of "GoogleUpdate.exe
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2023/05/22
+date: 2023-05-15
+modified: 2023-05-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml
index 53ce96a32ce..a4e96b4d5bd 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml
@@ -7,7 +7,7 @@ references:
 - https://www.gpg4win.de/documentation.html
 - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/09
+date: 2023-08-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml
index 9366d857c7b..269720f17b7 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml
@@ -7,7 +7,7 @@ references:
 - https://www.gpg4win.de/documentation.html
 - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/09
+date: 2023-08-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml
index 1dbc87389db..f413b31b2a6 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml
@@ -7,8 +7,8 @@ references:
 - https://securelist.com/locked-out/68960/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/06
-modified: 2023/11/10
+date: 2023-08-06
+modified: 2023-11-10
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml
index fe700842659..5888fe767e6 100644
--- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml
@@ -6,8 +6,8 @@ references:
 - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
 - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2022/11/30
-modified: 2023/08/09
+date: 2022-11-30
+modified: 2023-08-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml b/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml
index 3f702123bdd..358a4eb0471 100644
--- a/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml
@@ -8,7 +8,7 @@ references:
 - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
 - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: frack113
-date: 2022/05/01
+date: 2022-05-01
 tags:
 - attack.discovery
 - attack.t1615
diff --git a/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml b/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
index 02780e158e0..dae358dc6d9 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml
@@ -5,8 +5,8 @@ description: Detects execution of the Notepad++ updater (gup) to launch other co
 references:
 - https://twitter.com/nas_bench/status/1535322445439180803
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/10
-modified: 2023/03/02
+date: 2022-06-10
+modified: 2023-03-02
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_gup_download.yml b/rules/windows/process_creation/proc_creation_win_gup_download.yml
index 7c6a789e1f0..7fe50587727 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_download.yml
@@ -5,10 +5,10 @@ description: Detects execution of the Notepad++ updater (gup) from a process oth
 references:
 - https://twitter.com/nas_bench/status/1535322182863179776
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/10
-modified: 2023/03/02
+date: 2022-06-10
+modified: 2023-03-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
index c7d027552f0..fbb48966611 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of the Notepad++ updater in a suspicious director
 references:
 - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
 author: Florian Roth (Nextron Systems)
-date: 2019/02/06
-modified: 2022/08/13
+date: 2019-02-06
+modified: 2022-08-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
index 0f224554a20..382358d0d0d 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
 author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
-date: 2019/10/24
-modified: 2023/12/11
+date: 2019-10-24
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
index ce18c5800c9..efe011a66bc 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/29
-modified: 2024/01/31
+date: 2022-09-29
+modified: 2024-01-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml
index 7ac22893eb1..14afcd59be8 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml
@@ -8,12 +8,12 @@ references:
 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
 author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/04/01
-modified: 2023/04/12
+date: 2020-04-01
+modified: 2023-04-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
- - attack.initial_access
+ - attack.initial-access
 - attack.t1047
 - attack.t1059.001
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml
index 33a2dccde15..af99a64095b 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml
@@ -8,12 +8,12 @@ references:
 - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
 author: Maxim Pavlunin
-date: 2020/04/01
-modified: 2023/04/12
+date: 2020-04-01
+modified: 2023-04-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
- - attack.initial_access
+ - attack.initial-access
 - attack.t1047
 - attack.t1059.001
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
index 51d1b02f52b..c81e653fc50 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml
@@ -5,10 +5,10 @@ description: Detects command line parameters used by ADCSPwn, a tool to escalate
 references:
 - https://github.com/bats3c/ADCSPwn
 author: Florian Roth (Nextron Systems)
-date: 2021/07/31
-modified: 2023/02/04
+date: 2021-07-31
+modified: 2023-02-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1557.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml b/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml
index b53d6d6157f..085829b5ec8 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/BloodHoundAD/BloodHound
 - https://github.com/BloodHoundAD/SharpHound
 author: Florian Roth (Nextron Systems)
-date: 2019/12/20
-modified: 2023/02/04
+date: 2019-12-20
+modified: 2023-02-04
 tags:
 - attack.discovery
 - attack.t1087.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml b/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml
index 04907e81320..c1b5e3c5dcd 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml
@@ -5,10 +5,10 @@ description: F-Secure C3 produces DLLs with a default exported StartNodeRelay fu
 references:
 - https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
 author: Alfie Champion (ajpc500)
-date: 2021/06/02
-modified: 2023/03/05
+date: 2021-06-02
+modified: 2023-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
index 84a39e8dd30..a57729b7fdd 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_certify.yml
@@ -5,11 +5,11 @@ description: Detects Certify a tool for Active Directory certificate abuse based
 references:
 - https://github.com/GhostPack/Certify
 author: pH-T (Nextron Systems)
-date: 2023/04/17
-modified: 2023/04/25
+date: 2023-04-17
+modified: 2023-04-25
 tags:
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.t1649
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
index caec8a5de72..de7bd5c6c80 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml
@@ -5,10 +5,10 @@ description: Detects Certipy a tool for Active Directory Certificate Services en
 references:
 - https://github.com/ly4k/Certipy
 author: pH-T (Nextron Systems)
-date: 2023/04/17
+date: 2023-04-17
 tags:
 - attack.discovery
- - attack.credential_access
+ - attack.credential-access
 - attack.t1649
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
index 29ddf26bb18..c601a3e5fd6 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml
@@ -10,8 +10,8 @@ references:
 - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
 - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 author: _pete_0, TheDFIRReport
-date: 2022/05/06
-modified: 2023/01/30
+date: 2022-05-06
+modified: 2023-01-30
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
index f9aed5927b5..298c43f123c 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml
@@ -10,8 +10,8 @@ references:
 - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
 - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 author: _pete_0, TheDFIRReport
-date: 2022/05/06
-modified: 2023/01/30
+date: 2022-05-06
+modified: 2023-01-30
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
index 3b37c360902..3df521b9b84 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml
@@ -7,10 +7,10 @@ references:
 - https://redcanary.com/threat-detection-report/
 - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
 author: Wojciech Lesicki
-date: 2021/06/01
-modified: 2022/09/16
+date: 2021-06-01
+modified: 2022-09-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml
index 694d519b72c..cc501c20fa8 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml
@@ -6,8 +6,8 @@ references:
 - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/07/27
-modified: 2023/03/29
+date: 2021-07-27
+modified: 2023-03-29
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
index 096f53342db..d8e5173d0c1 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/hackvens/CoercedPotato
 - https://blog.hackvens.fr/articles/CoercedPotato.html
 author: Florian Roth (Nextron Systems)
-date: 2023/10/11
-modified: 2024/04/15
+date: 2023-10-11
+modified: 2024-04-15
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml b/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml
index 5ec08dd588b..697cc70ef03 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml
@@ -5,11 +5,11 @@ description: Detects suspicious command lines used in Covenant luanchers
 references:
 - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2020/06/04
-modified: 2023/02/21
+date: 2020-06-04
+modified: 2023-02-21
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.001
 - attack.t1564.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml
index cca1a32265c..1717316306b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml
@@ -8,13 +8,13 @@ references:
 - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
 - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
 author: Florian Roth (Nextron Systems)
-date: 2022/02/25
-modified: 2023/03/08
+date: 2022-02-25
+modified: 2023-03-08
 tags:
 - attack.execution
 - attack.persistence
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.discovery
 - attack.t1047
 - attack.t1053
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
index 4b26f2ea0c9..dbcd9463f8b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml
@@ -5,8 +5,8 @@ description: Detects various execution patterns of the CrackMapExec pentesting f
 references:
 - https://github.com/byt3bl33d3r/CrackMapExec
 author: Thomas Patzke
-date: 2020/05/22
-modified: 2023/11/06
+date: 2020-05-22
+modified: 2023-11-06
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml
index 369687d9360..f2530cd417d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process patterns found in logs when CrackMapExec
 references:
 - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
 author: Florian Roth (Nextron Systems)
-date: 2022/03/12
-modified: 2023/02/13
+date: 2022-03-12
+modified: 2023-02-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
index 669167d038b..8c091513121 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/byt3bl33d3r/CrackMapExec
 - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
 author: Thomas Patzke
-date: 2020/05/22
-modified: 2023/02/21
+date: 2020-05-22
+modified: 2023-02-21
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
index 715c6debd96..843f4ac159d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
@@ -5,10 +5,10 @@ description: Detects the use of CreateMiniDump hack tool used to dump the LSASS
 references:
 - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
 author: Florian Roth (Nextron Systems)
-date: 2019/12/22
-modified: 2023/02/04
+date: 2019-12-22
+modified: 2023-02-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
index a69efe9cbe6..6acd285472e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
@@ -5,10 +5,10 @@ description: Detects the use of the Dinject PowerShell cradle based on the speci
 references:
 - https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
 author: Florian Roth (Nextron Systems)
-date: 2021/12/07
-modified: 2023/02/04
+date: 2021-12-07
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml b/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
index 14826a15a08..8f1ea5d8091 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/outflanknl/Dumpert
 - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
 author: Florian Roth (Nextron Systems)
-date: 2020/02/04
-modified: 2023/02/04
+date: 2020-02-04
+modified: 2023-02-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
index ed84c742657..892d06cad45 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
@@ -6,9 +6,9 @@ description: |
 references:
 - https://github.com/netero1010/EDRSilencer
 author: '@gott_cyber'
-date: 2024/01/02
+date: 2024-01-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml
index dc3e5cb3932..33df633ea2f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
 author: Florian Roth (Nextron Systems)
-date: 2019/04/20
-modified: 2023/02/21
+date: 2019-04-20
+modified: 2023-02-21
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml
index 15dcf5b4bdf..f22779db308 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
 author: Ecco
-date: 2019/08/30
-modified: 2023/02/21
+date: 2019-08-30
+modified: 2023-02-21
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - car.2019-04-001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml b/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
index af091c58d2f..d9a966ac03f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
 - https://github.com/Hackplayers/evil-winrm
 author: frack113
-date: 2022/01/07
-modified: 2023/02/13
+date: 2022-01-07
+modified: 2023-02-13
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.006
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
index 81e75455eaa..a1d8ff8d8a4 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
@@ -5,10 +5,10 @@ description: Detects the execution of different Windows based hacktools via thei
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2022/03/04
-modified: 2024/02/07
+date: 2022-03-04
+modified: 2024-02-07
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1588.002
 - attack.t1003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
index c004defeed7..b35264e67b7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/cube0x0
 - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
 author: Florian Roth (Nextron Systems)
-date: 2022/04/27
-modified: 2024/01/15
+date: 2022-04-27
+modified: 2024-01-15
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1588.002
 - attack.t1003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
index c38491eaa66..37472dfda27 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
@@ -5,10 +5,10 @@ description: Detects the execution GMER tool based on image and hash fields.
 references:
 - http://www.gmer.net/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/05
-modified: 2023/02/13
+date: 2022-10-05
+modified: 2023-02-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
index 23097cff214..96532d62d1c 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
@@ -5,10 +5,10 @@ description: Detects the use of HandleKatz, a tool that demonstrates the usage o
 references:
 - https://github.com/codewhitesec/HandleKatz
 author: Florian Roth (Nextron Systems)
-date: 2022/08/18
-modified: 2024/04/15
+date: 2022-08-18
+modified: 2024-04-15
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml b/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml
index adda780a05b..615e6155846 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat
 - https://hashcat.net/wiki/doku.php?id=hashcat
 author: frack113
-date: 2021/12/27
-modified: 2023/02/04
+date: 2021-12-27
+modified: 2023-02-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
index d69f34f7fd6..947c546a759 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/HiwinCN/HTran
 - https://github.com/cw1997/NATBypass
 author: Florian Roth (Nextron Systems)
-date: 2022/12/27
-modified: 2023/02/04
+date: 2022-12-27
+modified: 2023-02-04
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 - attack.s0040
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml b/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml
index 1af0c852d51..a9e1eabf682 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_hydra.yml
@@ -5,10 +5,10 @@ description: Detects command line parameters used by Hydra password guessing hac
 references:
 - https://github.com/vanhauser-thc/thc-hydra
 author: Vasiliy Burov
-date: 2020/10/05
-modified: 2023/02/04
+date: 2020-10-05
+modified: 2023-02-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1110
 - attack.t1110.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml
index 9dce5f86463..ec92357ae5f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml
@@ -2,7 +2,7 @@ title: HackTool - Potential Impacket Lateral Movement Activity
 id: 10c14723-61c7-4c75-92ca-9af245723ad2
 related:
 - id: e31f89f7-36fb-4697-8ab6-48823708353b
- type: obsoletes
+ type: obsolete
 status: stable
 description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
 references:
@@ -12,12 +12,12 @@ references:
 - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
 - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
 author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
-date: 2019/09/03
-modified: 2023/02/21
+date: 2019-09-03
+modified: 2023-02-21
 tags:
 - attack.execution
 - attack.t1047
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
index b61f064bf71..ba09a995122 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
@@ -5,8 +5,8 @@ description: Detects the execution of different compiled Windows binaries of the
 references:
 - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
 author: Florian Roth (Nextron Systems)
-date: 2021/07/24
-modified: 2023/02/07
+date: 2021-07-24
+modified: 2023-02-07
 tags:
 - attack.execution
 - attack.t1557.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
index 5f1d7cf3b3c..6e60530eb8a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
@@ -6,11 +6,11 @@ references:
 - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
 - https://github.com/sensepost/impersonate
 author: Sai Prashanth Pulisetti @pulisettis
-date: 2022/12/21
-modified: 2023/02/08
+date: 2022-12-21
+modified: 2023-02-08
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1134.001
 - attack.t1134.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
index a8fbcc37512..37c01a64ef0 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/Kevin-Robertson/Inveigh
 - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/24
-modified: 2023/02/04
+date: 2022-10-24
+modified: 2023-02-04
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
index 24f14b03c1e..5d7bb7a5696 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/13
-modified: 2022/11/17
+date: 2020-10-13
+modified: 2022-11-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
index fea743c8f95..eb1e4b8249b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
@@ -5,10 +5,10 @@ description: Detects all variations of obfuscated powershell IEX invocation code
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
-date: 2019/11/08
-modified: 2022/12/31
+date: 2019-11-08
+modified: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
index 1b8b10d8852..18d7cd61216 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/15
+date: 2020-10-15
+modified: 2024-04-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
index ef47ac6d0d2..034cd19e5a7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
-date: 2020/10/15
-modified: 2024/04/15
+date: 2020-10-15
+modified: 2024-04-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
index 4516306fbb9..47119154d05 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/18
-modified: 2022/12/29
+date: 2020-10-18
+modified: 2022-12-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
index 053957e01a6..bd09bdfeedf 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/12
-modified: 2024/04/16
+date: 2020-10-12
+modified: 2024-04-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
index 9fb519d45c9..369ecbeab21 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/09
-modified: 2024/04/15
+date: 2020-10-09
+modified: 2024-04-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
index 9d636d2ce41..1f5d9dd1d24 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
-date: 2020/10/08
-modified: 2022/03/08
+date: 2020-10-08
+modified: 2022-03-08
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml
index d237f85aaae..da74b71d144 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml
@@ -5,10 +5,10 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
     - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
-date: 2020/10/13
-modified: 2022/11/16
+date: 2020-10-13
+modified: 2022-11-16
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml
index d16f4c0f7ae..17c75eab564 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml
@@ -6,8 +6,8 @@ references:
     - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
     - https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
 author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
-date: 2022/05/24
-modified: 2023/02/22
+date: 2022-05-24
+modified: 2023-02-22
 tags:
     - attack.execution
     - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml b/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml
index 1e1dde1afd7..1e2eefeb2b3 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml
@@ -7,8 +7,8 @@ references:
     - https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js
     - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
 author: wagga, Jonhnathan Ribeiro, oscd.community
-date: 2020/01/12
-modified: 2023/02/11
+date: 2020-01-12
+modified: 2023-02-11
 tags:
     - attack.execution
     - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml
index 61164e308b6..09b7334ec5a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml
@@ -5,10 +5,10 @@ description: Detects the use of KrbRelay, a Kerberos relaying tool
 references:
     - https://github.com/cube0x0/KrbRelay
 author: Florian Roth (Nextron Systems)
-date: 2022/04/27
-modified: 2023/02/04
+date: 2022-04-27
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1558.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml
index 78235d26c86..849d82957bc 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml
@@ -6,9 +6,9 @@ description: |
 references:
     - https://github.com/CICADA8-Research/RemoteKrbRelay
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/27
+date: 2024-06-27
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1558.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
index 9d9670d3277..46f3cb68ee5 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml
@@ -5,12 +5,12 @@ description: Detects KrbRelayUp used to perform a universal no-fix local privile
 references:
     - https://github.com/Dec0ne/KrbRelayUp
 author: Florian Roth (Nextron Systems)
-date: 2022/04/26
-modified: 2023/02/04
+date: 2022-04-26
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1558.003
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1550.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml
index 0f92953ea77..c12af326b95 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml
@@ -11,9 +11,9 @@ references:
     - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
     - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/24
+date: 2024-06-24
 tags:
-    - attack.credential_access
+    - attack.credential-access
 logsource:
     product: windows
     service: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
index e99a0ef71f9..0562b0755b1 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
@@ -6,11 +6,11 @@ references:
     - https://www.localpotato.com/localpotato_html/LocalPotato.html
     - https://github.com/decoder-it/LocalPotato
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/14
+date: 2023-02-14
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - cve.2023.21746
+    - attack.defense-evasion
+    - attack.privilege-escalation
+    - cve.2023-21746
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml
index 98da1b85ee4..3594d11157a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml
@@ -6,10 +6,10 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
     - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
-date: 2019/10/26
-modified: 2023/02/05
+date: 2019-10-26
+modified: 2023-02-05
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1134.001
     - attack.t1134.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml
index 9bc185ef3c5..a453891bfb0 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml
@@ -6,10 +6,10 @@ references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
     - https://tools.thehacker.recipes/mimikatz/modules
 author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
-date: 2019/10/22
-modified: 2023/02/21
+date: 2019-10-22
+modified: 2023-02-21
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
     - attack.t1003.002
     - attack.t1003.004
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
index 0a4956b864a..73034df1690 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
@@ -7,8 +7,8 @@ references:
     - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
     - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
-date: 2022/10/10
-modified: 2023/02/13
+date: 2022-10-10
+modified: 2023-02-13
 tags:
     - attack.execution
     - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml b/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml
index e7146fa84d2..dfb6833e7a4 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml
@@ -6,12 +6,12 @@ references:
     - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
     - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
 author: Markus Neis, @Karneades
-date: 2018/03/06
-modified: 2023/03/03
+date: 2018-03-06
+modified: 2023-03-03
 tags:
     - attack.execution
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.s0111
     - attack.g0022
     - attack.g0060
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
index b5a73187499..bb0e9d6bf37 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml
@@ -8,10 +8,10 @@ references:
     - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
     - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/29
-modified: 2023/02/04
+date: 2022-11-29
+modified: 2023-02-04
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml b/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml
index e8d60b70ae1..19015d3d236 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml
@@ -5,11 +5,11 @@ description: Detects the execution of the PurpleSharp adversary simulation tool
 references:
     - https://github.com/mvelazc0/PurpleSharp
 author: Florian Roth (Nextron Systems)
-date: 2021/06/18
-modified: 2023/02/05
+date: 2021-06-18
+modified: 2023-02-05
 tags:
     - attack.t1587
-    - attack.resource_development
+    - attack.resource-development
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml
index 6f2c3af10b9..bde4bd34d2a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/skelsec/pypykatz
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
 author: frack113
-date: 2022/01/05
-modified: 2023/02/05
+date: 2022-01-05
+modified: 2023-02-05
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml b/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml
index 24ffc8da4d6..5bdf4d969eb 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/quarkslab/quarkspwdump
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/05
-modified: 2023/02/05
+date: 2022-09-05
+modified: 2023-02-05
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml b/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml
index b7f7a45d017..133f60fe959 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml
@@ -5,11 +5,11 @@ description: Detects actions caused by the RedMimicry Winnti playbook a automate
 references:
     - https://redmimicry.com/posts/redmimicry-winnti/
 author: Alexander Rausch
-date: 2020/06/24
-modified: 2023/03/01
+date: 2020-06-24
+modified: 2023-03-01
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1106
     - attack.t1059.003
     - attack.t1218.011
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
index 7677ba59bad..73463a3fa8a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
@@ -10,8 +10,8 @@ references:
     - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
     - https://www.localpotato.com/
 author: Florian Roth (Nextron Systems)
-date: 2021/07/24
-modified: 2023/02/14
+date: 2021-07-24
+modified: 2023-02-14
 tags:
     - attack.execution
     - attack.t1557.001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
index 7d8d1f594b4..97f88c95311 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
@@ -10,13 +10,13 @@ references:
     - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
     - https://github.com/GhostPack/Rubeus
 author: Florian Roth (Nextron Systems)
-date: 2018/12/19
-modified: 2023/04/20
+date: 2018-12-19
+modified: 2023-04-20
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003
     - attack.t1558.003
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1550.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml
index e5518ac0ab9..6a2a9c3a745 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml
@@ -5,10 +5,10 @@ description: Detects the execution of the hacktool SafetyKatz via PE information
 references:
     - https://github.com/GhostPack/SafetyKatz
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/20
-modified: 2023/02/04
+date: 2022-10-20
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml b/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml
index a4dff503acb..7503d68108f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml
@@ -6,10 +6,10 @@ references:
     - https://securityxploded.com/
     - https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
 author: Florian Roth (Nextron Systems)
-date: 2018/12/19
-modified: 2023/02/04
+date: 2018-12-19
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1555
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
index 41e01b54413..3adbb501d27 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
@@ -8,10 +8,10 @@ references:
     - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
     - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
 author: Florian Roth (Nextron Systems)
-date: 2022/07/23
-modified: 2023/03/07
+date: 2022-07-23
+modified: 2023-03-07
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1134.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml
index 598e2f82cdf..097e9a5e76e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml
@@ -9,10 +9,10 @@ references:
     - https://github.com/shantanu561993/SharpChisel
     - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/05
-modified: 2023/02/13
+date: 2022-09-05
+modified: 2023-02-13
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1090.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml
index 99234e780d5..5694f244700 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml
@@ -7,10 +7,10 @@ description: |
 references:
     - https://github.com/GhostPack/SharpDPAPI
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/06/26
+date: 2024-06-26
 tags:
-    - attack.privilege_escalation
-    - attack.defense_evasion
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.t1134.001
     - attack.t1134.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml
index edef0dfdd86..3ec2ca55f26 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml
@@ -9,11 +9,11 @@ references:
     - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
     - https://github.com/S3cur3Th1sSh1t/SharpImpersonation
 author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/27
-modified: 2023/02/13
+date: 2022-12-27
+modified: 2023-02-13
 tags:
-    - attack.privilege_escalation
-    - attack.defense_evasion
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.t1134.001
     - attack.t1134.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml
index 2d3b65c8335..38f9a1c08a7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml
@@ -5,8 +5,8 @@ description: Detects execution of the SharpLDAPmonitor. Which can monitor the cr
 references:
     - https://github.com/p0dalirius/LDAPmonitor
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/30
-modified: 2023/02/14
+date: 2022-12-30
+modified: 2023-02-14
 tags:
     - attack.discovery
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
index 3058094de2d..c6d3e2565d5 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml
@@ -6,8 +6,8 @@ references:
     - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
     - https://github.com/mandiant/SharPersist
 author: Florian Roth (Nextron Systems)
-date: 2022/09/15
-modified: 2023/02/04
+date: 2022-09-15
+modified: 2023-02-04
 tags:
     - attack.persistence
     - attack.t1053
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml
index 65c57c13365..51a8b2457b2 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml
@@ -8,10 +8,10 @@ description: Detects the use of SharpEvtHook, a tool that tampers with the Windo
 references:
     - https://github.com/bats3c/EvtMute
 author: Florian Roth (Nextron Systems)
-date: 2022/09/07
-modified: 2023/02/14
+date: 2022-09-07
+modified: 2023-02-14
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.002
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
index 824ed63e4bb..f0fd347fc24 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
@@ -5,8 +5,8 @@ description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP
 references:
     - https://github.com/bugch3ck/SharpLdapWhoami
 author: Florian Roth (Nextron Systems)
-date: 2022/08/29
-modified: 2023/02/04
+date: 2022-08-29
+modified: 2023-02-04
 tags:
     - attack.discovery
     - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml
index eafe3b8e3d3..0c53139b34a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml
@@ -7,9 +7,9 @@ references:
     - https://github.com/0xthirteen/SharpMove/
     - https://pentestlab.blog/tag/sharpmove/
 author: Luca Di Bartolomeo (CrimpSec)
-date: 2024/01/29
+date: 2024-01-29
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1021.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
index 05f088c62e9..779e7103afc 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml
@@ -5,10 +5,10 @@ description: Detects the use of SharpUp, a tool for local privilege escalation
 references:
     - https://github.com/GhostPack/SharpUp
 author: Florian Roth (Nextron Systems)
-date: 2022/08/20
-modified: 2023/02/13
+date: 2022-08-20
+modified: 2023-02-13
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1615
     - attack.t1569.002
     - attack.t1574.005
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml
index 6a0ff8282ec..6df40b93e58 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml
@@ -10,8 +10,8 @@ references:
     - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
 author: frack113
-date: 2021/12/10
-modified: 2023/02/14
+date: 2021-12-10
+modified: 2023-02-14
 tags:
     - attack.discovery
     - attack.t1049
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml b/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml
index 2f5de1ba34e..7164b61805b 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml
@@ -8,10 +8,10 @@ description: Detects SILENTTRINITY stager use via PE metadata
 references:
     - https://github.com/byt3bl33d3r/SILENTTRINITY
 author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-modified: 2023/02/13
+date: 2019-10-22
+modified: 2023-02-13
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1071
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml b/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml
index 20f72c3f3b9..80442b0841d 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml
@@ -6,8 +6,8 @@ references:
     - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
     - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/08/25
-modified: 2023/03/05
+date: 2022-08-25
+modified: 2023-03-05
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
index bd889915fe5..bf261ee3de5 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
@@ -5,10 +5,10 @@ description: Detects Stracciatella which executes a Powershell runspace from wit
 references:
     - https://github.com/mgeeky/Stracciatella
 author: pH-T (Nextron Systems)
-date: 2023/04/17
+date: 2023-04-17
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1059
     - attack.t1562.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
index 64d5c70c834..479fd4e84a9 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
@@ -5,12 +5,12 @@ description: Detects the execution of the PoC that can be used to exploit Sysmon
 references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: Florian Roth (Nextron Systems)
-date: 2022/12/04
-modified: 2024/04/15
+date: 2022-12-04
+modified: 2024-04-15
 tags:
-    - cve.2022.41120
+    - cve.2022-41120
     - attack.t1068
-    - attack.privilege_escalation
+    - attack.privilege-escalation
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml b/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml
index 4b5b5a13666..a16b00f714e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml
@@ -7,8 +7,8 @@ references:
     - https://github.com/dsnezhkov/TruffleSnout
     - https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md
 author: frack113
-date: 2022/08/20
-modified: 2023/02/13
+date: 2022-08-20
+modified: 2023-02-13
 tags:
     - attack.discovery
     - attack.t1482
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
index a733da1f19e..26f73345f5e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
@@ -5,11 +5,11 @@ description: Detects the execution of UACMe, a tool used for UAC bypasses, via d
 references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2021/08/30
-modified: 2022/11/19
+date: 2021-08-30
+modified: 2022-11-19
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml
index 4569bad6385..71036a587a1 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml
@@ -5,10 +5,10 @@ description: Detects the use of Windows Credential Editor (WCE)
 references:
     - https://www.ampliasecurity.com/research/windows-credentials-editor/
 author: Florian Roth (Nextron Systems)
-date: 2019/12/31
-modified: 2023/02/04
+date: 2019-12-31
+modified: 2023-02-04
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.001
     - attack.s0005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index f79c47f9a2b..cef7490d15e 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -6,10 +6,10 @@ references: - https://github.com/carlospolop/PEASS-ng - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation author: Georg Lauenstein (sure[secure]) -date: 2022/09/19 -modified: 2023/03/23 +date: 2022-09-19 +modified: 2023-03-23 tags: - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1082 - attack.t1087 - attack.t1046 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml index b71d35ca7dd..014da3783fc 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml @@ -7,7 +7,7 @@ status: experimental description: | Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. author: Swachchhanda Shrawan Poudel -date: 2023/12/04 +date: 2023-12-04 references: - https://github.com/S3cur3Th1sSh1t/WinPwn - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841 @@ -15,11 +15,11 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team tags: - - attack.credential_access - - attack.defense_evasion + - attack.credential-access + - attack.defense-evasion - attack.discovery - attack.execution - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1046 - attack.t1082 - attack.t1106 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml index 3b8781a7e32..267b359b16d 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml 
+++ b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml @@ -5,10 +5,10 @@ description: Detects the execution of PowerShell with a specific flag sequence t references: - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/03/08 +date: 2023-03-08 tags: - - attack.defense_evasion - - attack.lateral_movement + - attack.defense-evasion + - attack.lateral-movement logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml b/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml index 260e07137e6..49a26e476e7 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml @@ -5,10 +5,10 @@ description: Detects suspicious use of XORDump process memory dumping utility references: - https://github.com/audibleblink/xordump author: Florian Roth (Nextron Systems) -date: 2022/01/28 -modified: 2023/02/08 +date: 2022-01-28 +modified: 2023-02-08 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1036 - attack.t1003.001 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml b/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml index f5aa721f8f9..d020adfae86 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml @@ -6,11 +6,11 @@ references: - https://twitter.com/SBousseaden/status/1451237393017839616 - https://github.com/Tylous/ZipExec author: frack113 -date: 2021/11/07 -modified: 2022/12/25 +date: 2021-11-07 +modified: 2022-12-25 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 - attack.t1202 logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_hostname_execution.yml b/rules/windows/process_creation/proc_creation_win_hostname_execution.yml index 182a603905c..20d7d441df0 100644 --- a/rules/windows/process_creation/proc_creation_win_hostname_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hostname_execution.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname author: frack113 -date: 2022/01/01 +date: 2022-01-01 tags: - attack.discovery - attack.t1082 diff --git a/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml b/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml index 6f0cf758d64..79678e699f2 100644 --- a/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml +++ b/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml @@ -9,10 +9,10 @@ references: - https://blog.alyac.co.kr/1901 - https://en.wikipedia.org/wiki/Hangul_(word_processor) author: Florian Roth (Nextron Systems) -date: 2019/10/24 -modified: 2021/11/27 +date: 2019-10-24 +modified: 2021-11-27 tags: - - attack.initial_access + - attack.initial-access - attack.t1566.001 - attack.execution - attack.t1203 diff --git a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml index a6072c5551a..d1b20ab5055 100644 --- a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml +++ b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml 
@@ -8,10 +8,10 @@ description: | references: - Internal Research author: Sreeman -date: 2020/04/17 -modified: 2024/02/08 +date: 2020-04-17 +modified: 2024-02-08 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1036 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml index 6d091deae3a..65017d66361 100644 --- a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml +++ b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml @@ -5,10 +5,10 @@ description: Detect use of icacls to deny access for everyone in Users folder so references: - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/ author: frack113 -date: 2022/07/18 -modified: 2024/04/29 +date: 2022-07-18 +modified: 2024-04-29 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1564.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_ieexec_download.yml b/rules/windows/process_creation/proc_creation_win_ieexec_download.yml index 0aa8f9912e9..afb569f1380 100644 --- a/rules/windows/process_creation/proc_creation_win_ieexec_download.yml +++ b/rules/windows/process_creation/proc_creation_win_ieexec_download.yml @@ -5,10 +5,10 @@ description: Detects execution of the IEExec utility to download and execute fil references: - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/05/16 -modified: 2023/11/09 +date: 2022-05-16 +modified: 2023-11-09 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1105 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml index 19330691b41..534723863ff 100644 
--- a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml @@ -10,10 +10,10 @@ references: - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems) -date: 2024/02/05 -modified: 2024/06/04 +date: 2024-02-05 +modified: 2024-06-04 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml index 92411156ef5..70c84c48277 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml @@ -5,10 +5,10 @@ description: Disables HTTP logging on a Windows IIS web server as seen by Threat references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging author: frack113 -date: 2022/01/09 -modified: 2023/01/22 +date: 2022-01-09 +modified: 2023-01-22 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.002 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml index 386622722df..dae0d27fc6d 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml 
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml @@ -7,10 +7,10 @@ references: - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/ author: Tim Rauch, Janantha Marasinghe, Elastic (original idea) -date: 2022/11/08 -modified: 2023/01/22 +date: 2022-11-08 +modified: 2023-01-22 tags: - - attack.credential_access + - attack.credential-access - attack.t1003 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml index 50d83973c0e..c96934fbf04 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml @@ -6,8 +6,8 @@ references: - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ author: Florian Roth (Nextron Systems) -date: 2019/12/11 -modified: 2024/03/13 +date: 2019-12-11 +modified: 2024-03-13 tags: - attack.persistence - attack.t1505.003 diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml index d51a77ccfd2..602fd20a47c 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml 
@@ -6,9 +6,9 @@ references: - https://twitter.com/malmoeb/status/1616702107242971144 - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/22 +date: 2023-01-22 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml index 2d7cff58fd4..ae313368e88 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml @@ -5,10 +5,10 @@ description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection st references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html author: Tim Rauch, Elastic (idea) -date: 2022/09/28 -modified: 2022/12/30 +date: 2022-09-28 +modified: 2022-12-30 tags: - - attack.credential_access + - attack.credential-access - attack.t1003 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml b/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml index 713560145cf..8316657799c 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml 
@@ -5,8 +5,8 @@ description: Detects a suspicious IIS module registration as described in Micros references: - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ author: Florian Roth (Nextron Systems), Microsoft (idea) -date: 2022/08/04 -modified: 2023/01/23 +date: 2022-08-04 +modified: 2023-01-23 tags: - attack.persistence - attack.t1505.004 diff --git a/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml b/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml index 94c2f55b045..453ee74edaf 100644 --- a/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml +++ b/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml @@ -6,10 +6,10 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Ilasm/ - https://www.echotrail.io/insights/search/ilasm.exe author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2022/05/07 -modified: 2022/05/16 +date: 2022-05-07 +modified: 2022-05-16 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1127 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml index fcd50fe5470..ffe2ad61af0 100644 --- a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml +++ b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml 
@@ -5,10 +5,10 @@ description: Detects unusual parent or children of the ImagingDevices.exe (Windo references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/27 -modified: 2022/12/29 +date: 2022-09-27 +modified: 2022-12-29 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml index b1865c6cb8b..487a9408181 100644 --- a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml +++ b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml @@ -9,9 +9,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ author: Swachchhanda Shrawan Poudel -date: 2023/11/09 +date: 2023-11-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1218 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml b/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml index 3099148eb66..aa839f5864f 100644 --- a/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml +++ b/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml 
@@ -6,10 +6,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution - https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/ author: frack113 -date: 2021/07/13 -modified: 2022/10/09 +date: 2021-07-13 +modified: 2022-10-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_installutil_download.yml b/rules/windows/process_creation/proc_creation_win_installutil_download.yml index 9c4d2823dc5..234c35b8d31 100644 --- a/rules/windows/process_creation/proc_creation_win_installutil_download.yml +++ b/rules/windows/process_creation/proc_creation_win_installutil_download.yml @@ -6,10 +6,10 @@ description: | references: - https://github.com/LOLBAS-Project/LOLBAS/pull/239 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/19 -modified: 2023/11/09 +date: 2022-08-19 +modified: 2023-11-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml b/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml index 29e4c231af1..e3857295ed1 100644 --- a/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml @@ -6,10 +6,10 @@ references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool author: frack113 -date: 2022/01/23 -modified: 2022/02/04 +date: 2022-01-23 +modified: 2022-02-04 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows 
diff --git a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml index a5634bbe857..f9ee9171fa9 100644 --- a/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml @@ -6,12 +6,12 @@ references: - https://redcanary.com/blog/intelligence-insights-december-2021 - https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html author: Andreas Hunkeler (@Karneades) -date: 2021/12/22 -modified: 2023/01/21 +date: 2021-12-22 +modified: 2023-01-21 tags: - - attack.initial_access + - attack.initial-access - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml index ea60e620f0a..02502889f5e 100644 --- a/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml @@ -7,10 +7,10 @@ references: - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py - https://blog.viettelcybersecurity.com/saml-show-stopper/ author: Florian Roth (Nextron Systems) -date: 2023/01/18 -modified: 2023/08/29 +date: 2023-01-18 +modified: 2023-08-29 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1102 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml index 673b6005c01..ad7eea041bf 100644 
--- a/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml @@ -5,8 +5,8 @@ description: Detects a JAVA process running with remote debugging allowing more references: - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp author: Florian Roth (Nextron Systems) -date: 2019/01/16 -modified: 2023/02/01 +date: 2019-01-16 +modified: 2023-02-01 tags: - attack.t1203 - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml index 9f367f33688..d6ca9e98ca7 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml @@ -8,12 +8,12 @@ description: Detects suspicious processes spawned from a Java host process which references: - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ author: Andreas Hunkeler (@Karneades), Florian Roth -date: 2021/12/17 -modified: 2024/01/18 +date: 2021-12-17 +modified: 2024-01-18 tags: - - attack.initial_access + - attack.initial-access - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml index 48cf1412e5b..bd942b127a5 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml 
@@ -8,12 +8,12 @@ description: Detects shell spawned from Java host process, which could be a sign references: - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali -date: 2021/12/17 -modified: 2024/01/18 +date: 2021-12-17 +modified: 2024-01-18 tags: - - attack.initial_access + - attack.initial-access - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml index 8fc96188a8f..75128c6d76b 100644 --- a/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml @@ -5,9 +5,9 @@ description: Detects suspicious child processes of SysAidServer (as seen in MERC references: - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/ author: Florian Roth (Nextron Systems) -date: 2022/08/26 +date: 2022-08-26 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1210 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_jsc_execution.yml b/rules/windows/process_creation/proc_creation_win_jsc_execution.yml index d310c83412a..d99b3c5a7f7 100644 --- a/rules/windows/process_creation/proc_creation_win_jsc_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_jsc_execution.yml 
@@ -9,10 +9,10 @@ references: - https://www.phpied.com/make-your-javascript-a-windows-exe/ - https://twitter.com/DissectMalware/status/998797808907046913 author: frack113 -date: 2022/05/02 -modified: 2024/04/24 +date: 2022-05-02 +modified: 2024-04-24 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1127 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml b/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml index e50057175ea..39e4e22bad0 100644 --- a/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml @@ -5,9 +5,9 @@ description: Detects the execution of a signed binary dropped by Kaspersky Lab P references: - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/11/01 +date: 2022-11-01 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1127 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_kd_execution.yml b/rules/windows/process_creation/proc_creation_win_kd_execution.yml index e9eb243792f..4f938bd587e 100644 --- a/rules/windows/process_creation/proc_creation_win_kd_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_kd_execution.yml @@ -5,11 +5,11 @@ description: Detects execution of the Windows Kernel Debugger "kd.exe". references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/15 -modified: 2024/04/24 +date: 2023-05-15 +modified: 2024-04-24 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation logsource: category: process_creation product: windows 
diff --git a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml index 1bea30ac95f..3a5577d3e2c 100644 --- a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml @@ -8,11 +8,11 @@ description: Detects potentially suspicious child processes of KeyScrambler.exe references: - https://twitter.com/DTCERT/status/1712785421845790799 author: Swachchhanda Shrawan Poudel -date: 2024/05/13 +date: 2024-05-13 tags: - attack.execution - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1203 - attack.t1574.002 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml index a809225e211..3445660fb45 100644 --- a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml +++ b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/Oddvarmoe/status/1641712700605513729 - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/04/06 +date: 2023-04-06 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml index 1a38722e51a..3423b1848a0 100644 --- a/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml +++ b/rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml 
@@ -5,7 +5,7 @@ description: Detects password change for the logged-on user's via "ksetup.exe" references: - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/04/06 +date: 2023-04-06 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml index ebdacd3efa2..52b382f9bec 100644 --- a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml +++ b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml @@ -7,7 +7,7 @@ references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/03/14 +date: 2023-03-14 tags: - attack.exfiltration logsource: diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml index 619b66d979f..fc6c065519c 100644 --- a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml +++ b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml @@ -8,11 +8,11 @@ references: - https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) author: '@gott_cyber' -date: 2022/09/02 -modified: 2023/03/14 +date: 2022-09-02 +modified: 2023-03-14 tags: - - attack.command_and_control - - attack.defense_evasion + - attack.command-and-control + - attack.defense-evasion - attack.t1218 - attack.t1105 logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml b/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml index 27838ebb19b..87a13fdbf20 100644 --- a/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml @@ -10,10 +10,10 @@ description: | references: - https://twitter.com/0gtweet/status/1560732860935729152 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/22 -modified: 2024/06/27 +date: 2022-08-22 +modified: 2024-06-27 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml index 102dccd8140..cf707302bd3 100644 --- a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml +++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml @@ -5,8 +5,8 @@ description: Detects the execution of "lodctr.exe" to rebuild the performance co references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/15 -modified: 2024/03/05 +date: 2023-06-15 +modified: 2024-03-05 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml b/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml index 1f752593fd6..c93f334ae36 100644 --- a/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml +++ b/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml 
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/0gtweet/status/1359039665232306183?s=21
 - https://ss64.com/nt/logman.html
 author: Florian Roth (Nextron Systems)
-date: 2021/02/11
-modified: 2023/02/21
+date: 2021-02-11
+modified: 2023-02-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 - attack.t1070.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
index 35a10cbb6c8..e7d768dff7f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/180
 - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
+date: 2022-08-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
index 8866f67c7ce..f9409743ad3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
@@ -9,8 +9,8 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
 - https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
 author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
-date: 2021/09/30
-modified: 2022/05/16
+date: 2021-09-30
+modified: 2022-05-16
 tags:
 - attack.exfiltration
 - attack.t1567
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml b/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
index f96324b651b..ae571816884 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
@@ -5,9 +5,9 @@ description: Detects the execution of DeviceCredentialDeployment to hide a proce
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/147
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
+date: 2022-08-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml b/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
index 66b8056efb5..4d0b0e1fc03 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/
 - https://twitter.com/_felamos/status/1179811992841797632
 author: Beyu Denis, oscd.community (rule), @_felamos (idea)
-date: 2019/10/12
-modified: 2021/11/27
+date: 2019-10-12
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
index 81d56c4f807..c8465230776 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
@@ -5,10 +5,10 @@ description: Compress target file into a cab file stored in the Alternate Data S
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
 author: frack113
-date: 2021/11/26
-modified: 2022/12/31
+date: 2021-11-26
+modified: 2022-12-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
index f069de11737..5ca0d24b1fa 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
@@ -5,10 +5,10 @@ description: Download and compress a remote file and store it in a cab file on l
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
 author: frack113
-date: 2021/11/26
-modified: 2022/08/13
+date: 2021-11-26
+modified: 2022-08-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
index a34a4fe0ff8..5b42115a3d1 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
@@ -5,10 +5,10 @@ description: Extexport.exe loads dll and is execute from other folder the origin
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Extexport/
 author: frack113
-date: 2021/11/26
-modified: 2022/05/16
+date: 2021-11-26
+modified: 2022-05-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
index 6bc1fda3c4d..2e049b2529e 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
@@ -5,10 +5,10 @@ description: Download or Copy file with Extrac32
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
 author: frack113
-date: 2021/11/26
-modified: 2022/08/13
+date: 2021-11-26
+modified: 2022-08-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
index 002514356d2..ddbb6bf5894 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
@@ -5,10 +5,10 @@ description: Extract data from cab file and hide it in an alternate data stream
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
 author: frack113
-date: 2021/11/26
-modified: 2022/12/30
+date: 2021-11-26
+modified: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml
index 6578a7752bc..9eab8306a16 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml
@@ -11,8 +11,8 @@ references:
 - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
 - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
 author: blueteamer8699
-date: 2022/01/03
-modified: 2023/02/08
+date: 2022-01-03
+modified: 2023-02-08
 tags:
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
index 36d81aad8ca..2b08fb5c514 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
@@ -6,10 +6,10 @@ references:
 - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
 - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
 author: frack113
-date: 2022/05/16
-modified: 2023/06/14
+date: 2022-05-16
+modified: 2023-06-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
index 32f618ed4cf..1089ffa478d 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
 - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
 author: frack113
-date: 2022/05/07
-modified: 2022/05/16
+date: 2022-05-07
+modified: 2022-05-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
index 9bf994b6638..9422f3aa336 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
@@ -5,9 +5,9 @@ description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed scr
 references:
 - https://twitter.com/nas_bench/status/1535981653239255040
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
+date: 2022-08-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml b/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml
index b1e2177f901..f1e61b054e4 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/JohnLaTwC/status/1223292479270600706
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
 author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/13
-modified: 2023/02/03
+date: 2020-10-13
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
index dcfe256a568..bb2dd9fcd7c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
@@ -2,7 +2,7 @@ title: Mavinject Inject DLL Into Running Process
 id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
 related:
 - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
 references:
@@ -15,11 +15,11 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/3742
 - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
 author: frack113, Florian Roth
-date: 2021/07/12
-modified: 2022/12/05
+date: 2021-07-12
+modified: 2022-12-05
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055.001
 - attack.t1218.013
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
index ca48e6aca6a..b68553abebc 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/mrd0x/status/1465058133303246867
 - https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
 author: Florian Roth (Nextron Systems)
-date: 2022/01/11
-modified: 2022/03/04
+date: 2022-01-11
+modified: 2022-03-04
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml b/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
index 8ffd8631469..61db95b56ed 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/pabraeken/status/995837734379032576
 - https://twitter.com/pabraeken/status/999090532839313408
 author: Beyu Denis, oscd.community
-date: 2020/10/18
-modified: 2021/11/27
+date: 2020-10-18
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml b/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
index af275a4a7b1..e43b66e5b56 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
@@ -5,9 +5,9 @@ description: Detects execution of "msdt.exe" using an answer file which is simul
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/13
+date: 2022-06-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
index 38d8ff3ec22..55f757d8069 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml
@@ -5,7 +5,7 @@ description: Detects usage of OpenConsole binary as a LOLBIN to launch other bin
 references:
 - https://twitter.com/nas_bench/status/1537563834478645252
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/16
+date: 2022-06-16
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml b/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml
index c5891bdb46a..cdeeb1e3261 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml
 - https://twitter.com/harr0ey/status/991670870384021504
 author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
-date: 2019/10/12
-modified: 2021/11/27
+date: 2019-10-12
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
index 0c064e3b462..7672ec751f0 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml
@@ -2,15 +2,15 @@ title: Use of Pcalua For Execution
 id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
 related:
 - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
 author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2022/06/14
-modified: 2023/01/04
+date: 2022-06-14
+modified: 2023-01-04
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
index a316319da85..f407e528c6c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/pabraeken/status/991335019833708544
 - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
 author: A. Sungurov , oscd.community
-date: 2020/10/12
-modified: 2021/11/27
+date: 2020-10-12
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
index c4c3feed441..fc460b69d0e 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
@@ -5,9 +5,9 @@ description: Detects indirect command execution via Program Compatibility Assist
 references:
 - https://twitter.com/nas_bench/status/1535663791362519040
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/13
+date: 2022-06-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml
index 8d2e0f798f0..1ff177bbfb3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
 - https://twitter.com/harr0ey/status/989617817849876488
 author: Julia Fomina, oscd.community
-date: 2020/10/05
-modified: 2023/02/09
+date: 2020-10-05
+modified: 2023-02-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml
index 84b3da532fe..45d45dce662 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml
@@ -9,11 +9,11 @@ references:
 - https://twitter.com/Oddvarmoe/status/993383596244258816
 - https://twitter.com/_st0pp3r_/status/1560072680887525378
 author: frack113, Nasreddine Bencherchali
-date: 2022/08/20
+date: 2022-08-20
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml
index 903a3db4c19..0936900bf85 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml
@@ -6,12 +6,12 @@ references:
 - https://twitter.com/Oddvarmoe/status/993383596244258816
 - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
 author: Julia Fomina, oscd.community
-date: 2020/10/08
-modified: 2023/11/09
+date: 2020-10-08
+modified: 2023-11-09
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
index 75a14853519..32626fda306 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
@@ -5,11 +5,11 @@ description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
 author: frack113
-date: 2022/05/02
+date: 2022-05-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
index 7482ebb8af6..b01127c96b4 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
@@ -5,9 +5,9 @@ description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to exec
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
 author: frack113
-date: 2022/05/28
+date: 2022-05-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
index c69a8056145..823c273346c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://github.com/fireeye/DueDLLigence
 - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
 author: Julia Fomina, oscd.community
-date: 2020/10/09
+date: 2020-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml
index ed66cc41bc8..9a9a9894a73 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml
@@ -5,9 +5,9 @@ description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to
 references:
 - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
+date: 2022-08-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
index e98dae12d69..3dd81beb286 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
@@ -6,9 +6,9 @@ references:
 - https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022/06/02
+date: 2022-06-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
index 3f9015e7918..07d8625e929 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Replace/
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
 author: frack113
-date: 2022/03/06
-modified: 2024/03/13
+date: 2022-03-06
+modified: 2024-03-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
index 5395baa2c04..993052cc999 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/0gtweet/status/1206692239839289344
 - https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/
 author: frack113
-date: 2022/12/29
+date: 2022-12-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
index 1c4a8fbb828..0d58f8f8fff 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
@@ -5,12 +5,12 @@ description: Detects execution of powershell scripts via Runscripthelper.exe
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2022/07/11
+date: 2020-10-09
+modified: 2022-07-11
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml b/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml
index 096b85628af..d9b945af398 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml
@@ -5,9 +5,9 @@ description: The "ScriptRunner.exe" binary can be abused to proxy execution thro
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/01
+date: 2022-07-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
index 409a4e45090..b19ba6b5a76 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
@@ -5,11 +5,11 @@ description: Detects using SettingSyncHost.exe to run hijacked binary
 references:
 - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
 author: Anton Kutepov, oscd.community
-date: 2020/02/05
-modified: 2021/11/27
+date: 2020-02-05
+modified: 2021-11-27
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml
index 2b03f783530..b618302b132 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml
@@ -5,9 +5,9 @@ description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing t
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/264
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/10
+date: 2022-11-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml
index cba743b6f8a..ba2fcdbed99 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml
@@ -6,9 +6,9 @@ references:
 - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
 - https://twitter.com/0gtweet/status/1457676633809330184
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
+date: 2022-08-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
index b0e2c0d1822..99ab0eff600 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml
@@ -9,10 +9,10 @@ references:
 - https://man.openbsd.org/ssh_config#ProxyCommand
 - https://man.openbsd.org/ssh_config#LocalCommand
 author: frack113, Nasreddine Bencherchali
-date: 2022/12/29
-modified: 2023/01/25
+date: 2022-12-29
+modified: 2023-01-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
index 83513b37df4..6f1aad9655a 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/bohops/status/1477717351017680899?s=12
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/06
+date: 2022-01-06
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
index 97e4ac25766..804626a9450 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
@@ -5,10 +5,10 @@ description: Detects a suspicious certreq execution taken from the LOLBAS exampl
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certreq/
 author: Christian Burkard (Nextron Systems)
-date: 2021/11/24
-modified: 2022/06/13
+date: 2021-11-24
+modified: 2022-06-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
index 257866ce323..17eade9ef38 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
 - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
 author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
-date: 2021/09/30
-modified: 2022/10/09
+date: 2021-09-30
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
index 449026a8353..786cc9065ea 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
 - https://twitter.com/harr0ey/status/992008180904419328
 author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/26
-modified: 2022/06/09
+date: 2019-10-26
+modified: 2022-06-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
index 9428c8a7bfd..3710a87605f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
@@ -5,7 +5,7 @@ description: Detects the suspicious execution of a utility to convert Windows 3.
 references:
 - https://twitter.com/0gtweet/status/1526833181831200770
 author: Florian Roth (Nextron Systems)
-date: 2022/05/19
+date: 2022-05-19
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
index fe99ac17fd5..3606441aa46 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/countuponsec/status/910969424215232518
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
 author: Kirill Kiryanov, oscd.community
-date: 2020/10/08
-modified: 2021/11/27
+date: 2020-10-08
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
index b4cfcc7e517..9efb7540d4f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -2,17 +2,17 @@ title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
 id: fbd7c32d-db2a-4418-b92c-566eb8911133
 related:
 - id: fde7929d-8beb-4a4c-b922-be9974671667
- type: obsoletes
+ type: obsolete
 status: test
 description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: frack113
-date: 2021/07/12
-modified: 2022/10/04
+date: 2021-07-12
+modified: 2022-10-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
index 1a6f0e7e716..79942ca93b3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: frack113
-date: 2021/07/16
-modified: 2022/06/22
+date: 2021-07-16
+modified: 2022-06-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1216
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
index 7d8d3807674..eb80b979d0f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
@@ -5,10 +5,10 @@ description: Detects potential DLL injection and execution using "Tracker.exe"
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
 author: 'Avneet Singh @v3t0_, oscd.community'
-date: 2020/10/18
-modified: 2023/01/09
+date: 2020-10-18
+modified: 2023-01-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
index 659520143d1..c11d3d784a2 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
@@ -5,9 +5,9 @@ description: Detects the executiob of TTDInject.exe, which is used by Windows 10
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
 author: frack113
-date: 2022/05/16
+date: 2022-05-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
index 3b206cf3f60..c86c21d522f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
@@ -10,11 +10,11 @@ references:
 - https://twitter.com/mattifestation/status/1196390321783025666
 - https://twitter.com/oulusoyum/status/1191329746069655553
 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
-date: 2020/10/06
-modified: 2022/10/09
+date: 2020-10-06
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.credential_access
+ - attack.defense-evasion
+ - attack.credential-access
 - attack.t1218
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
index 8a1aa6db6dd..d76cb25ba11 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
@@ -5,10 +5,10 @@ description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a cu
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
 author: frack113
-date: 2022/12/29
-modified: 2024/06/04
+date: 2022-12-29
+modified: 2024-06-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml b/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
index 8bfc89ccc89..7dce23df556 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
@@ -5,9 +5,9 @@ description: Detects the use of a Microsoft signed script executing a managed DL
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
 author: frack113
-date: 2022/05/28
+date: 2022-05-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml b/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
index 22ff1da7f16..5b5667613a3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
@@ -5,10 +5,10 @@ description: Detects successful code compilation via Visual Basic Command Line C
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
-date: 2020/10/07
-modified: 2021/11/27
+date: 2020-10-07
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml b/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
index 966d6a89cc5..3561e084a58 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
@@ -8,9 +8,9 @@ references:
 - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
 - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022/06/01
+date: 2022-06-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
index 64e26318086..208d533c37b 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
@@ -5,9 +5,9 @@ description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/09
+date: 2022-06-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
index 2332ab8ee3f..d1b36829814 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
@@ -6,9 +6,9 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
-date: 2022/06/01
+date: 2022-06-01
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml b/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
index 20133500be0..e84763bbccd 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/
 author: Nik Seetharaman, frack113
-date: 2019/01/16
-modified: 2023/02/03
+date: 2019-01-16
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1127
 - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
index a2562faa01d..8e0c854fd47 100644
--- a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
 - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
 author: Austin Songer @austinsonger
-date: 2021/11/05
-modified: 2022/07/07
+date: 2021-11-05
+modified: 2022-07-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml b/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml
index cd7757ee2f8..5ce833272f4 100644
--- a/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml
+++ b/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/Hexacorn/status/1420053502554951689
 - https://twitter.com/SBousseaden/status/1464566846594691073?s=20
 author: Florian Roth (Nextron Systems), Samir Bousseaden
-date: 2021/11/27
-modified: 2023/03/02
+date: 2021-11-27
+modified: 2023-03-02
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml
index ad226cb9e86..386842c8f43 100644
--- a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml
@@ -5,10 +5,10 @@ description: Detects child processes of the "Trace log generation tool for Media
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/09
-modified: 2023/08/03
+date: 2022-06-09
+modified: 2023-08-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
index e7793c01e8f..0656acc4c50 100644
--- a/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
@@ -6,8 +6,8 @@ references:
 - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
 author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
-date: 2020/03/04
-modified: 2021/11/27
+date: 2020-03-04
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1021.003
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
index 4e66d1338d1..73203887fa2 100644
--- a/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml
@@ -5,10 +5,10 @@ description: Detects a Windows command line executable started from MMC
 references:
 - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 author: Karneades, Swisscom CSIRT
-date: 2019/08/05
-modified: 2022/07/14
+date: 2019-08-05
+modified: 2022-07-14
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml
index 39590a6ad32..a20a99a86b1 100644
--- a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml
+++ b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml
@@ -13,9 +13,9 @@ references:
 - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
 - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
-date: 2024/01/17
+date: 2024-01-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
index 70f44c091c5..61e9dfbce82 100644
--- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
@@ -10,10 +10,10 @@ references:
 - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
 - https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-modified: 2023/04/11
+date: 2022-07-12
+modified: 2023-04-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
index f52b0cd9d29..bab6f9fd3fe 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
@@ -8,10 +8,10 @@ description: Detects potential sideloading of "mpclient.dll" by Windows Defender
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
-date: 2022/08/01
-modified: 2023/08/04
+date: 2022-08-01
+modified: 2023-08-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
index f2bcb57760a..9ab70f25d78 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
@@ -6,12 +6,12 @@ references:
 - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
 - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
 author: Matthew Matchen
-date: 2020/09/04
-modified: 2023/11/09
+date: 2020-09-04
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
index b72143303be..1e2664c9436 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
 author: frack113
-date: 2021/07/07
-modified: 2023/07/18
+date: 2021-07-07
+modified: 2023-07-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml b/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
index 0d8aae2ec27..2391af6cb8c 100644
--- a/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
@@ -6,9 +6,9 @@ references:
 - https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
 - https://www.echotrail.io/insights/search/msbuild.exe
 author: frack113
-date: 2022/11/17
+date: 2022-11-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
index 17e808f2320..15fbbe0d840 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 - https://twitter.com/_JohnHammond/status/1531672601067675648
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/29
-modified: 2024/03/13
+date: 2022-05-29
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
index 12294470b03..90b0c670528 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
@@ -2,7 +2,7 @@ title: Suspicious Cabinet File Execution Via Msdt.EXE
 id: dc4576d4-7467-424f-9eee-fd2b02855fe0
 related:
 - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
 references:
@@ -11,10 +11,10 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
 - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
 author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
-date: 2022/06/21
-modified: 2024/03/13
+date: 2022-06-21
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
index 26dd9b3173b..b86d8cbd068 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/nao_sec/status/1530196847679401984
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 author: Nextron Systems
-date: 2022/06/01
-modified: 2023/02/06
+date: 2022-06-01
+modified: 2023-02-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
index c3368ab67cc..abbb5ac3ccf 100644
--- a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
@@ -5,9 +5,9 @@ description: Detects usage of "msedge_proxy.exe" to download arbitrary files
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
 author: Swachchhanda Shrawan Poudel
-date: 2023/11/09
+date: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_http.yml b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
index 4616880dbcb..9f5cbf0a426 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_http.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
@@ -5,10 +5,10 @@ description: Detects execution of the "mshta" utility with an argument containin
 references:
 - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/08
-modified: 2023/02/06
+date: 2022-08-08
+modified: 2023-02-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml
index 590edb8d363..7b01c2897b7 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml
@@ -6,8 +6,8 @@ references:
 - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
 - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/31
-modified: 2023/05/15
+date: 2022-08-31
+modified: 2023-05-15
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
index c04a0e71c8b..c71f0e03d42 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
@@ -6,10 +6,10 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2023/02/07
+date: 2019-10-24
+modified: 2023-02-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml b/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
index 28d43eb82c6..ab4307a3130 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
@@ -5,10 +5,10 @@ description: Detects potential LethalHTA technique where the "mshta.exe" is spaw
 references:
 - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
 author: Markus Neis
-date: 2018/06/07
-modified: 2023/02/07
+date: 2018-06-07
+modified: 2023-02-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
index bc95ac45d92..2b690e821e3 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
@@ -5,10 +5,10 @@ description: Detects a suspicious process spawning from an "mshta.exe" process,
 references:
 - https://www.trustedsec.com/july-2015/malicious-htas/
 author: Michael Haag
-date: 2019/01/16
-modified: 2023/02/06
+date: 2019-01-16
+modified: 2023-02-06
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.005
 - car.2013-02-003
 - car.2013-03-001
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml
index c2f33a804be..4aeed34dd32 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml
@@ -9,15 +9,15 @@ references:
 - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
 - https://twitter.com/mattifestation/status/1326228491302563846
 author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
-date: 2019/02/22
-modified: 2022/11/07
+date: 2019-02-22
+modified: 2022-11-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 - attack.t1218.005
 - attack.execution
 - attack.t1059.007
- - cve.2020.1599
+ - cve.2020-1599
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml
index 1f3c6e7fe16..dfd8053f66f 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml
@@ -7,8 +7,8 @@ references:
 - https://www.echotrail.io/insights/search/mshta.exe
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/07/17
-modified: 2023/02/21
+date: 2021-07-17
+modified: 2023-02-21
 tags:
 - attack.execution
 - attack.t1106
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml
index f686fbd7830..56df948f2c9 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml
@@ -7,10 +7,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
 - https://twitter.com/_st0pp3r_/status/1583914515996897281
 author: frack113
-date: 2022/04/24
-modified: 2024/03/13
+date: 2022-04-24
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.007
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml b/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml
index e2734a46c12..2dab5452441 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml
@@ -5,11 +5,11 @@ description: Adversaries may abuse msiexec.exe to proxy the execution of malicio
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
 author: frack113
-date: 2022/04/16
-modified: 2022/07/14
+date: 2022-04-16
+modified: 2022-07-14
 tags:
 - attack.t1218.007
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
index fe957298f40..3f7b78db416 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
 - https://twitter.com/_st0pp3r_/status/1583914515996897281
 author: frack113
-date: 2022/01/16
-modified: 2024/03/13
+date: 2022-01-16
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.007
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
index 66abbe28c9f..fdf292ae355 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
 - https://twitter.com/_st0pp3r_/status/1583914244344799235
 author: frack113
-date: 2022/01/16
-modified: 2024/03/13
+date: 2022-01-16
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.007
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
index 62efc5c5114..2d07f2368cc 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
@@ -8,10 +8,10 @@ description: Detects usage of Msiexec.exe to install packages hosted remotely qu
 references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/28
-modified: 2024/03/13
+date: 2022-10-28
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.007
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml b/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
index 719db6d434d..d8d71c1f098 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
@@ -5,10 +5,10 @@ description: Detects the execution of msiexec.exe from an uncommon directory
 references:
 - https://twitter.com/200_okay_/status/1194765831911215104
 author: Florian Roth (Nextron Systems)
-date: 2019/11/14
-modified: 2023/02/21
+date: 2019-11-14
+modified: 2023-02-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml b/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
index 9c6b54d1048..2b42219f6d1 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
@@ -8,12 +8,12 @@ description: Detects suspicious msiexec process starts with web addresses as par
 references:
 - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
 author: Florian Roth (Nextron Systems)
-date: 2018/02/09
-modified: 2022/01/07
+date: 2018-02-09
+modified: 2022-01-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.007
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml b/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml
index eda88d25774..05cecbce78b 100644
--- a/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml
@@ -5,10 +5,10 @@ description: Detects usage of "MSOHTMED" to download arbitrary files
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
-modified: 2023/11/09
+date: 2022-08-19
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mspub_download.yml b/rules/windows/process_creation/proc_creation_win_mspub_download.yml
index 196ffa009f0..f698ea1ac2d 100644
--- a/rules/windows/process_creation/proc_creation_win_mspub_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_mspub_download.yml
@@ -5,10 +5,10 @@ description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrar
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
-modified: 2023/02/08
+date: 2022-08-19
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
index 958be5ee45e..d6f3c55de6e 100644
--- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
@@ -6,10 +6,10 @@ references:
 - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
 - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
 author: Alexander McDonald
-date: 2022/06/24
-modified: 2023/02/03
+date: 2022-06-24
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
index 00e841f285a..0500cb38ffc 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
@@ -9,12 +9,12 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
 - https://twitter.com/bryon_/status/975835709587075072
 author: 'Agro (@agro_sev) oscd.community'
-date: 2020/10/10
-modified: 2022/12/09
+date: 2020-10-10
+modified: 2022-12-09
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
index 0ee8748bb94..1cad374ae62 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
@@ -8,12 +8,12 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
 - https://twitter.com/pabraeken/status/993298228840992768
 author: 'Agro (@agro_sev) oscd.communitly'
-date: 2020/10/13
-modified: 2022/02/25
+date: 2020-10-13
+modified: 2022-02-25
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
index 8b5fcb0cea9..571a66a831d 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
@@ -2,20 +2,20 @@ title: Suspicious Child Process Of SQL Server
 id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
 related:
 - id: 344482e4-a477-436c-aa70-7536d18a48c7
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
 references:
 - Internal Research
 author: FPT.EagleEye Team, wagga
-date: 2020/12/11
-modified: 2023/05/04
+date: 2020-12-11
+modified: 2023-05-04
 tags:
 - attack.t1505.003
 - attack.t1190
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
index 6b1139af9f2..1d700067047 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
@@ -8,11 +8,11 @@ description: Detects suspicious child processes of the Veeam service process. Th
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml b/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml
index c3943d2e6a5..ea640b8b9eb 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/kmkz_security/status/1220694202301976576
 - https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet
 author: Florian Roth (Nextron Systems)
-date: 2020/01/24
-modified: 2023/02/05
+date: 2020-01-24
+modified: 2023-02-05
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1563.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
index a8d9af11a21..906d740421b 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
 author: frack113
-date: 2022/01/07
-modified: 2024/06/04
+date: 2022-01-07
+modified: 2024-06-04
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
index baa0a0a74f9..ee950308e27 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
@@ -6,10 +6,10 @@ references:
 - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
 - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
-date: 2023/04/18
-modified: 2023/04/30
+date: 2023-04-18
+modified: 2023-04-30
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
index 4c4dd59c728..46924362e32 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
@@ -6,9 +6,9 @@ references:
 - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
 - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/18
+date: 2023-04-18
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
index 4f694938e7c..92bb477f2ab 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
@@ -6,10 +6,10 @@ references:
 - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
 - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/18
-modified: 2023/04/18
+date: 2023-04-18
+modified: 2023-04-18
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml
index 7eed7a1696f..3617cfd7778 100644
--- a/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/11/09
+date: 2019-10-21
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1220
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
index 8a0af8241dd..696d8d25d80 100644
--- a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
@@ -6,9 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
 author: Swachchhanda Shrawan Poudel
-date: 2023/11/09
+date: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1220
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
index c2d348136cd..98d75ebfcf5 100644
--- a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
@@ -9,8 +9,8 @@ references:
 - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
 - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/16
-modified: 2023/03/02
+date: 2019-01-16
+modified: 2023-03-02
 tags:
 - attack.discovery
 - attack.t1087.001
diff --git a/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
index d1622ff5d09..34fa64866c8 100644
--- a/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
@@ -5,10 +5,10 @@ description: Detects when when a mounted share is removed. Adversaries may remov
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
 author: oscd.community, @redcanary, Zach Stanford @svch0st
-date: 2020/10/08
-modified: 2023/02/21
+date: 2020-10-08
+modified: 2023-02-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_start_service.yml b/rules/windows/process_creation/proc_creation_win_net_start_service.yml
index febcf673910..cf36f28400b 100644
--- a/rules/windows/process_creation/proc_creation_win_net_start_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_start_service.yml
@@ -5,8 +5,8 @@ description: Detects the usage of the "net.exe" command to start a service using
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/21
-modified: 2023/03/05
+date: 2019-10-21
+modified: 2023-03-05
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
index 9c77946d9d1..1a2ef922497 100644
--- a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml
@@ -2,13 +2,13 @@ title: Stop Windows Service Via Net.EXE
 id: 88872991-7445-4a22-90b2-a3adadb0e827
 related:
 - id: eb87818d-db5d-49cc-a987-d5da331fbd90
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the stopping of a Windows service via the "net" utility.
 references:
 - https://ss64.com/nt/net-service.html
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/05
+date: 2023-03-05
 tags:
 - attack.impact
 - attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml
index cea23a01c3a..c99fc209a1c 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml
@@ -8,10 +8,10 @@ description: Detects when an admin share is mounted using net.exe
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
-date: 2020/10/05
-modified: 2023/02/21
+date: 2020-10-05
+modified: 2023-02-21
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml
index b352bf0463b..71d4ce167ef 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml
@@ -5,10 +5,10 @@ description: Detects when an internet hosted webdav share is mounted using the "
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/21
-modified: 2023/07/25
+date: 2023-02-21
+modified: 2023-07-25
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
index 2e72dfd99f8..5938a14a93d 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml
@@ -8,10 +8,10 @@ description: Detects when a share is mounted using the "net.exe" utility
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/02
-modified: 2023/02/21
+date: 2023-02-02
+modified: 2023-02-21
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml b/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml
index acf870c8266..abad8b80222 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml
@@ -5,8 +5,8 @@ description: Adversaries may attempt to get a listing of network connections to
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
 author: frack113
-date: 2021/12/10
-modified: 2023/02/21
+date: 2021-12-10
+modified: 2023-02-21
 tags:
 - attack.discovery
 - attack.t1049
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
index e3f13067586..57a5ca9d3e8 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
@@ -5,14 +5,14 @@ description: Detects a when net.exe is called with a password in the command lin
 references:
 - Internal Research
 author: Tim Shelton (HAWK.IO)
-date: 2021/12/09
-modified: 2023/02/21
+date: 2021-12-09
+modified: 2023-02-21
 tags:
- - attack.defense_evasion
- - attack.initial_access
+ - attack.defense-evasion
+ - attack.initial-access
 - attack.persistence
- - attack.privilege_escalation
- - attack.lateral_movement
+ - attack.privilege-escalation
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1078
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add.yml b/rules/windows/process_creation/proc_creation_win_net_user_add.yml
index 35a4b809285..d12bc6f2b37 100644
--- a/rules/windows/process_creation/proc_creation_win_net_user_add.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_user_add.yml
@@ -9,8 +9,8 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
 author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
-date: 2018/10/30
-modified: 2023/02/21
+date: 2018-10-30
+modified: 2023-02-21
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
index ecfc1a481df..73b30e9c54d 100644
--- a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
@@ -8,8 +8,8 @@ description: Detects creation of local users via the net.exe command with the op
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
-modified: 2023/02/21
+date: 2022-07-12
+modified: 2023-02-21
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml
index 0404696f9d5..c55fa61836c 100644
--- a/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml
@@ -7,8 +7,8 @@ references:
 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/01
-modified: 2023/02/21
+date: 2022-09-01
+modified: 2023-02-21
 tags:
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml b/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml
index e82b3014e88..c1eb268dbf7 100644
--- a/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml
@@ -6,8 +6,8 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: Endgame, JHasenbusch (ported for oscd.community)
-date: 2018/10/30
-modified: 2023/02/21
+date: 2018-10-30
+modified: 2023-02-21
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
index 0a903d4187e..1c95471b135 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
@@ -5,10 +5,10 @@ description: Detects the addition of a new rule to the Windows firewall via nets
 references:
 - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 author: Markus Neis, Sander Wiebing
-date: 2019/01/29
-modified: 2023/02/10
+date: 2019-01-29
+modified: 2023-02-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 - attack.s0246
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
index 81d851b9c5e..7f530d906af 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
@@ -6,10 +6,10 @@ references:
 - https://www.virusradar.com/en/Win32_Kasidet.AD/description
 - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
 author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-date: 2020/05/25
-modified: 2023/12/11
+date: 2020-05-25
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
index bbae0e43d99..609378f7200 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
@@ -5,10 +5,10 @@ description: Detects usage of the netsh command to open and allow connections to
 references:
 - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
 author: Sander Wiebing
-date: 2020/05/23
-modified: 2023/12/11
+date: 2020-05-23
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
index b59893cd01e..bb57f97961d 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
@@ -5,10 +5,10 @@ description: Detects the removal of a port or application rule in the Windows Fi
 references:
 - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
 author: frack113
-date: 2022/08/14
-modified: 2023/02/10
+date: 2022-08-14
+modified: 2023-02-10
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml
index 4e067198361..b4a46526e0b 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml
@@ -7,10 +7,10 @@ references:
 - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
 author: Fatih Sirin
-date: 2019/11/01
-modified: 2023/02/13
+date: 2019-11-01
+modified: 2023-02-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 - attack.s0108
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
index 9efa732a745..fc550cf84dd 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
@@ -6,10 +6,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior author: frack113 -date: 2022/01/09 -modified: 2023/02/14 +date: 2022-01-09 +modified: 2023-02-14 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.004 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml index 1fe4dff9bac..d3622d65893 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml @@ -6,8 +6,8 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules - https://ss64.com/nt/netsh.html author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' -date: 2021/12/07 -modified: 2023/12/11 +date: 2021-12-07 +modified: 2023-12-11 tags: - attack.discovery - attack.t1016 diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml index 67a5768993f..4bb6dbe26fd 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml 
@@ -5,9 +5,9 @@ description: Detects execution of netsh with the "advfirewall" and the "set" opt references: - https://ss64.com/nt/netsh.html author: X__Junior (Nextron Systems) -date: 2023/07/18 +date: 2023-07-18 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml b/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml index a44246c3489..e3e4408e95d 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml @@ -13,10 +13,10 @@ references: - https://github.com/outflanknl/NetshHelperBeacon - https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/ author: Victor Sergeev, oscd.community -date: 2019/10/25 -modified: 2023/11/28 +date: 2019-10-25 +modified: 2023-11-28 tags: - - attack.privilege_escalation + - attack.privilege-escalation - attack.persistence - attack.t1546.007 - attack.s0108 diff --git a/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml b/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml index b0975d4ebea..86f3333ea91 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml 
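Review bot: The fw_set_rule hunk leaves `tags:` with only the tactic `attack.defense-evasion`, while the sibling netsh firewall rules touched in this diff (allow_rdp, delete_rule, disable, enable_group_rule) each also carry `attack.t1562.004`. Since this rule detects `netsh advfirewall ... set` modifications of the firewall, the same technique looks applicable; if that matches the author's intent, add `    - attack.t1562.004` under the tactic so technique-level coverage reports include it. This is a pre-existing gap rather than something the rename introduced.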
@@ -6,11 +6,11 @@ references: - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/ - https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/ author: Kutepov Anton, oscd.community -date: 2019/10/24 -modified: 2023/02/13 +date: 2019-10-24 +modified: 2023-02-13 tags: - attack.discovery - - attack.credential_access + - attack.credential-access - attack.t1040 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml index c246111f639..a08da2ed025 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml @@ -7,12 +7,12 @@ references: - https://adepts.of0x.cc/netsh-portproxy-code/ - https://www.dfirnotes.net/portproxy_detection/ author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel -date: 2019/01/29 -modified: 2023/09/01 +date: 2019-01-29 +modified: 2023-09-01 tags: - - attack.lateral_movement - - attack.defense_evasion - - attack.command_and_control + - attack.lateral-movement + - attack.defense-evasion + - attack.command-and-control - attack.t1090 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml index 1e024fb7ac2..2dcd586770d 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml 
@@ -5,12 +5,12 @@ description: Detects the execution of netsh to configure a port forwarding of po references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html author: Florian Roth (Nextron Systems), oscd.community -date: 2019/01/29 -modified: 2023/02/13 +date: 2019-01-29 +modified: 2023-02-13 tags: - - attack.lateral_movement - - attack.defense_evasion - - attack.command_and_control + - attack.lateral-movement + - attack.defense-evasion + - attack.command-and-control - attack.t1090 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml b/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml index 916e6c6fb24..536ecc6cfd4 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml @@ -5,11 +5,11 @@ description: Detect the harvesting of wifi credentials using netsh.exe references: - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/ author: Andreas Hunkeler (@Karneades), oscd.community -date: 2020/04/20 -modified: 2023/02/13 +date: 2020-04-20 +modified: 2023-02-13 tags: - attack.discovery - - attack.credential_access + - attack.credential-access - attack.t1040 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml index ab92fb09f73..7e89691109b 100644 --- a/rules/windows/process_creation/proc_creation_win_nltest_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_nltest_execution.yml 
@@ -4,13 +4,13 @@ related: - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 type: similar - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 - type: obsoletes + type: obsolete status: test description: Detects nltest commands that can be used for information discovery references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm author: Arun Chauhan -date: 2023/02/03 +date: 2023-02-03 tags: - attack.discovery - attack.t1016 diff --git a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml index 8a1677b39fe..440f86050ec 100644 --- a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml @@ -6,7 +6,7 @@ related: - id: 903076ff-f442-475a-b667-4f246bcc203b type: similar - id: 77815820-246c-47b8-9741-e0def3f57308 - type: obsoletes + type: obsolete status: test description: Detects nltest commands that can be used for information discovery references: @@ -19,8 +19,8 @@ references: - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest author: Craig Young, oscd.community, Georg Lauenstein -date: 2021/07/24 -modified: 2023/12/15 +date: 2021-07-24 +modified: 2023-12-15 tags: - attack.discovery - attack.t1016 diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml index e2dd472049d..61107b8341d 100644 --- a/rules/windows/process_creation/proc_creation_win_node_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml 
@@ -8,10 +8,10 @@ references: - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/ - https://nodejs.org/api/cli.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/09 -modified: 2023/02/03 +date: 2022-09-09 +modified: 2023-02-03 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1127 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml index 3f28e922d9e..a737bbef3f2 100644 --- a/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml @@ -5,9 +5,9 @@ description: Detects the execution of other scripts using the Node executable pa references: - https://twitter.com/mttaggart/status/1511804863293784064 author: Max Altgelt (Nextron Systems) -date: 2022/04/06 +date: 2022-04-06 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1127 - attack.t1059.007 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml b/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml index c23bc521ccb..bf2443b6ba0 100644 --- a/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml @@ -5,7 +5,7 @@ description: Detects a set of suspicious network related commands often used in references: - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ author: Florian Roth (Nextron Systems) -date: 2022/02/07 +date: 2022-02-07 tags: - attack.discovery - attack.t1087 
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml index 9beca810ede..f5ee6c8b43d 100644 --- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml +++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml @@ -2,7 +2,7 @@ title: Nslookup PowerShell Download Cradle - ProcessCreation id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 related: - id: 72671447-4352-4413-bb91-b85569687135 - type: obsoletes + type: obsolete - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 type: similar status: test @@ -10,10 +10,10 @@ description: Detects suspicious powershell download cradle using nslookup. This references: - https://twitter.com/Alh4zr3d/status/1566489367232651264 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/05 -modified: 2022/12/19 +date: 2022-09-05 +modified: 2022-12-19 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml index 0424f974361..488c5f0fab5 100644 --- a/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml @@ -9,9 +9,9 @@ references: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11) - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/14 +date: 2022-09-14 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.003 logsource: category: process_creation 
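Review bot: The nslookup download-cradle hunk keeps the file name `proc_creation_win_nslookup_poweshell_download.yml`, which misspells "powershell"; a rename to `proc_creation_win_nslookup_powershell_download.yml` is a natural companion to this metadata clean-up, though it belongs in its own commit so the rule's history stays easy to follow. The rule's `tags:` also carries only `attack.defense-evasion` with no technique ID, unlike most rules in this diff; the description names a PowerShell download cradle, so confirm with the author whether a technique tag such as `    - attack.t1059.001` is appropriate. Both are pre-existing issues the migration does not address.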
diff --git a/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml index cfb63094796..035a1acce05 100644 --- a/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml @@ -5,10 +5,10 @@ description: Detects execution of ntdsutil.exe, which can be used for various at references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm author: Thomas Patzke -date: 2019/01/16 -modified: 2022/03/11 +date: 2019-01-16 +modified: 2022-03-11 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.003 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml index 21a46d9cee6..978badb807f 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml @@ -10,9 +10,9 @@ references: - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/22 +date: 2023-05-22 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.008 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml index 0cc790e45eb..39713e00ece 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml 
@@ -10,9 +10,9 @@ references: - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/23 +date: 2023-05-23 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.008 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml index 04cd26a89cd..4c679701da2 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml @@ -7,10 +7,10 @@ references: - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/22 -modified: 2023/05/26 +date: 2023-05-22 +modified: 2023-05-26 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.008 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml index 3e49b8e2975..d7f9a520677 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml 
@@ -13,9 +13,9 @@ references: - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/22 +date: 2023-05-22 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.008 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml index 37973aa0b86..7bc5ef90426 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml @@ -10,9 +10,9 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/22 +date: 2023-05-22 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.008 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml index ba064a43b2e..fc62df134c1 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml 
@@ -4,7 +4,7 @@ related: - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 type: similar - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e - type: obsoletes + type: obsolete status: experimental description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. references: @@ -13,10 +13,10 @@ references: - https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/22 -modified: 2024/03/05 +date: 2023-05-22 +modified: 2024-03-05 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.008 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml index a38beefae4b..fe0adf15d0e 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml @@ -4,7 +4,7 @@ related: - id: 5f03babb-12db-4eec-8c82-7b4cb5580868 type: derived - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e - type: obsoletes + type: obsolete status: experimental description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. references: 
@@ -12,10 +12,10 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/22 -modified: 2024/03/13 +date: 2023-05-22 +modified: 2024-03-13 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.008 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml index 7259f168abc..00231805b16 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml @@ -7,9 +7,9 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac author: Harjot Singh @cyb3rjy0t -date: 2023/05/22 +date: 2023-05-22 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.008 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml index d903fa06b39..baa359dd9a8 100644 --- a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml +++ b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml @@ -2,7 +2,7 @@ title: Potential Arbitrary File Download Using Office Application id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed related: - id: 0c79148b-118e-472b-bdb7-9b57b444cc19 - type: obsoletes + type: obsolete status: test description: Detects potential arbitrary file download using a Microsoft Office application references: 
@@ -11,10 +11,10 @@ references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/ - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community -date: 2022/05/17 -modified: 2023/06/22 +date: 2022-05-17 +modified: 2023-06-22 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1202 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml index a6b29db2175..82c08071f3e 100644 --- a/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml +++ b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml @@ -8,10 +8,10 @@ references: - https://github.com/grayhatkiller/SharpExShell - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication author: Aaron Stratton -date: 2023/11/13 +date: 2023-11-13 tags: - attack.t1021.003 - - attack.lateral_movement + - attack.lateral-movement logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml index a8b2a2338ce..dc850edb394 100644 --- a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml 
@@ -8,10 +8,10 @@ references: - https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465 - https://twitter.com/_JohnHammond/status/1588155401752788994 author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/21 -modified: 2023/10/18 +date: 2023-06-21 +modified: 2023-10-18 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1202 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml index 33e616656f6..6462627a9ba 100644 --- a/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml @@ -9,12 +9,12 @@ references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18 - https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0 author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) -date: 2022/10/21 -modified: 2023/02/10 +date: 2022-10-21 +modified: 2023-02-10 tags: - attack.t1566 - attack.t1566.001 - - attack.initial_access + - attack.initial-access logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml index 1b47fe69783..79c699cba72 100644 --- a/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml +++ b/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml 
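Review bot: The onenote_susp_child_processes hunk lists both `attack.t1566` and its sub-technique `attack.t1566.001`, and places the tactic `attack.initial-access` after them, whereas the other rules in this diff list the tactic first and none pairs a parent technique with its own sub-technique. Dropping the parent `- attack.t1566` and moving `- attack.initial-access` to the top of the list would make the block consistent with its siblings and avoid double-counting the rule in technique coverage reports. This is style only; the detection logic is unaffected.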
@@ -10,8 +10,8 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44 - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048 author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) -date: 2018/12/27 -modified: 2023/02/09 +date: 2018-12-27 +modified: 2023-02-09 tags: - attack.execution - attack.t1059 diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml index 28f64366897..299f62a986f 100644 --- a/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml +++ b/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml @@ -5,10 +5,10 @@ description: Detects a suspicious program execution in Outlook temp folder author: Florian Roth (Nextron Systems) references: - Internal Research -date: 2019/10/01 -modified: 2022/10/09 +date: 2019-10-01 +modified: 2022-10-09 tags: - - attack.initial_access + - attack.initial-access - attack.t1566.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml index efacc94fcca..5d682f21f59 100644 --- a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml 
@@ -11,8 +11,8 @@ references: - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team -date: 2022/02/28 -modified: 2023/02/04 +date: 2022-02-28 +modified: 2023-02-04 tags: - attack.execution - attack.t1204.002 diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml index abafb2abb16..a5e629bb425 100644 --- a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml +++ b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml @@ -10,8 +10,8 @@ references: - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49 author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) -date: 2018/12/27 -modified: 2023/02/09 +date: 2018-12-27 +modified: 2023-02-09 tags: - attack.execution - attack.t1059 diff --git a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml index 0de29ed4b39..77d738f85c3 100644 --- a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml 
@@ -6,8 +6,8 @@ references: - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57 author: Jason Lynch -date: 2019/04/02 -modified: 2023/02/04 +date: 2019-04-02 +modified: 2023-02-04 tags: - attack.execution - attack.t1204.002 diff --git a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml index d9db7943d8c..2c1228b902a 100644 --- a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml @@ -6,11 +6,11 @@ related: - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 type: derived - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 - type: obsoletes + type: obsolete - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a - type: obsoletes + type: obsolete - id: 04f5363a-6bca-42ff-be70-0d28bf629ead - type: obsoletes + type: obsolete status: test description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) references: @@ -26,10 +26,10 @@ references: - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io -date: 2018/04/06 -modified: 2023/04/24 +date: 2018-04-06 +modified: 2023-04-24 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1047 - attack.t1204.002 diff --git a/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml b/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml index b22896ba55f..c823f0b7ddc 100644 
--- a/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml +++ b/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml @@ -2,16 +2,16 @@ title: Potential Arbitrary DLL Load Using Winword id: f7375e28-5c14-432f-b8d1-1db26c832df3 related: - id: 2621b3a6-3840-4810-ac14-a02426086171 - type: obsoletes + type: obsolete status: test description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag. references: - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py author: Victor Sergeev, oscd.community -date: 2020/10/09 -modified: 2023/03/29 +date: 2020-10-09 +modified: 2023-03-29 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1202 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml index bc5067a80aa..2c251d8106c 100644 --- a/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml +++ b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml @@ -7,10 +7,10 @@ description: | references: - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/ author: frack113 -date: 2022/03/06 -modified: 2023/08/03 +date: 2022-03-06 +modified: 2023-08-03 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml index f73876bf2b5..b6a37eca1fb 100644 --- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml 
@@ -9,11 +9,11 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md - https://www.pdq.com/pdq-deploy/ author: frack113 -date: 2022/10/01 -modified: 2023/01/30 +date: 2022-10-01 +modified: 2023-01-30 tags: - attack.execution - - attack.lateral_movement + - attack.lateral-movement - attack.t1072 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml index a42777cb04c..ffd63a5acca 100644 --- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml +++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml @@ -8,8 +8,8 @@ description: Detects suspicious execution of "PDQDeployRunner" which is part of references: - https://twitter.com/malmoeb/status/1550483085472432128 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/22 -modified: 2024/05/02 +date: 2022-07-22 +modified: 2024-05-02 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml index 6c5a1cd82a5..0b492c04ba9 100644 --- a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml @@ -6,7 +6,7 @@ references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/02 +date: 2023-01-02 tags: - attack.execution - attack.t1059 
diff --git a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml index a13cb74d93a..ebfc5979f03 100644 --- a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml @@ -7,7 +7,7 @@ references: - https://www.revshells.com/ - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/02 +date: 2023-01-02 tags: - attack.execution - attack.t1059 diff --git a/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml b/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml index 1a0e4d894c7..d0a3c0c9923 100644 --- a/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml @@ -6,10 +6,10 @@ references: - https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna - https://twitter.com/vysecurity/status/977198418354491392 author: Florian Roth (Nextron Systems) -date: 2018/03/23 -modified: 2022/01/07 +date: 2018-03-23 +modified: 2022-01-07 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1140 - attack.t1027 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml index d6afde716ff..f5c4db2b222 100644 --- a/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml 
@@ -5,10 +5,10 @@ description: Detects execution of PktMon, a tool that captures network packets. references: - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/ author: frack113 -date: 2022/03/17 -modified: 2023/06/23 +date: 2022-03-17 +modified: 2023-06-23 tags: - - attack.credential_access + - attack.credential-access - attack.t1040 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml b/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml index aeeface9d55..cb49692b9c1 100644 --- a/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml +++ b/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml @@ -6,12 +6,12 @@ references: - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/ - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d author: Florian Roth (Nextron Systems) -date: 2021/01/19 -modified: 2022/10/09 +date: 2021-01-19 +modified: 2022-10-09 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1572 - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml index 422a3938975..5b4ac1b4c22 100644 --- a/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml +++ b/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml 
@@ -8,10 +8,10 @@ description: Execution of plink to perform data exfiltration and tunneling references: - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ author: Florian Roth (Nextron Systems) -date: 2022/08/04 -modified: 2023/01/27 +date: 2022-08-04 +modified: 2023-01-27 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1572 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml b/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml index 76ac6007425..9603d0bbe60 100644 --- a/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml @@ -6,9 +6,9 @@ references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options author: frack113 -date: 2022/11/18 +date: 2022-11-18 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml index 90041f38338..9fa62c36a02 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml 
@@ -9,12 +9,12 @@ references: - https://o365blog.com/aadinternals/ - https://github.com/Gerenios/AADInternals author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) -date: 2022/12/23 +date: 2022-12-23 tags: - attack.execution - attack.reconnaissance - attack.discovery - - attack.credential_access + - attack.credential-access - attack.impact logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml index 5cbfd28a7ea..148bb70c926 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml @@ -12,7 +12,7 @@ references: - https://twitter.com/cyb3rops/status/1617108657166061568?s=20 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges author: frack113 -date: 2023/01/22 +date: 2023-01-22 tags: - attack.reconnaissance - attack.discovery diff --git a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml index 473f05fa149..9f077664fa2 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml 
@@ -9,8 +9,8 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/22 -modified: 2023/05/09 +date: 2023-01-22 +modified: 2023-05-09 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml index f418a9eee19..fc5e7dbfa06 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml @@ -2,17 +2,17 @@ title: Potential AMSI Bypass Via .NET Reflection id: 30edb182-aa75-42c0-b0a9-e998bb29067c related: - id: 4f927692-68b5-4267-871b-073c45f4f6fe - type: obsoletes + type: obsolete status: test description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning references: - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/ - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ author: Markus Neis, @Kostastsale -date: 2018/08/17 -modified: 2023/02/03 +date: 2018-08-17 +modified: 2023-02-03 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml index 2efc33ed96f..0c159f1df34 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml 
@@ -8,10 +8,10 @@ description: Detects usage of special strings/null bits in order to potentially references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/04 -modified: 2023/05/09 +date: 2023-01-04 +modified: 2023-05-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml b/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml index dcaa249561c..e920d212438 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml @@ -7,8 +7,8 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html - https://github.com/frgnca/AudioDeviceCmdlets author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) -date: 2019/10/24 -modified: 2023/04/06 +date: 2019-10-24 +modified: 2023-04-06 tags: - attack.collection - attack.t1123 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml index 2f7e7e85858..4b05b35468a 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml 
@@ -5,8 +5,8 @@ description: Detects suspicious powershell process starts with base64 encoded co references: - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community -date: 2018/09/03 -modified: 2023/04/06 +date: 2018-09-03 +modified: 2023-04-06 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml index 6fe238666df..27d2c1589b5 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml @@ -5,8 +5,8 @@ description: Detects PowerShell command line patterns in combincation with encod references: - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ author: Florian Roth (Nextron Systems) -date: 2022/05/24 -modified: 2023/01/05 +date: 2022-05-24 +modified: 2023-01-05 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml index d40b11730c7..3a908d007af 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml 
@@ -5,10 +5,10 @@ description: Detects suspicious UTF16 and base64 encoded and often obfuscated Po references: - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/ author: Florian Roth (Nextron Systems) -date: 2022/07/11 -modified: 2023/02/14 +date: 2022-07-11 +modified: 2023-02-14 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml index 000c2b02392..f6094e19c84 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml @@ -5,10 +5,10 @@ description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a pr references: - Internal Research author: Florian Roth (Nextron Systems) -date: 2019/08/24 -modified: 2023/04/06 +date: 2019-08-24 +modified: 2023-04-06 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1140 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml index 6d774ea98c4..d4f5fc04b9c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml @@ -5,8 +5,8 @@ description: Detects base64 encoded strings used in hidden malicious PowerShell references: - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ author: John Lambert (rule) -date: 2019/01/16 -modified: 2023/01/05 +date: 2019-01-16 +modified: 2023-01-05 tags: - attack.execution - attack.t1059.001 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml index 98d0a5b692a..b6303328b77 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml @@ -5,8 +5,8 @@ description: Detects usage of a base64 encoded "IEX" cmdlet in a process command references: - Internal Research author: Florian Roth (Nextron Systems) -date: 2019/08/23 -modified: 2023/04/06 +date: 2019-08-23 +modified: 2023-04-06 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml index 510a718c9a8..9681b6f0845 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml @@ -2,18 +2,18 @@ title: PowerShell Base64 Encoded Invoke Keyword id: 6385697e-9f1b-40bd-8817-f4a91f40508e related: - id: fd6e2919-3936-40c9-99db-0aa922c356f7 - type: obsoletes + type: obsolete status: test description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t -date: 2022/05/20 -modified: 2023/04/06 +date: 2022-05-20 +modified: 2023-04-06 tags: - attack.execution - attack.t1059.001 - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml index 443d39e730d..78bad83674b 100644 
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml @@ -7,10 +7,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://twitter.com/AdamTheAnalyst/status/1483497517119590403 author: Florian Roth (Nextron Systems) -date: 2022/03/04 -modified: 2023/01/30 +date: 2022-03-04 +modified: 2023-01-30 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml index d682bc63c0e..41b6af9ccda 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml @@ -9,12 +9,12 @@ references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems) -date: 2022/03/01 -modified: 2023/01/30 +date: 2022-03-01 +modified: 2023-01-30 tags: - attack.execution - attack.t1059.001 - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 - attack.t1620 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml index 00e8e7b6c14..38cb80cca04 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml @@ -10,11 +10,11 @@ references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0 author: pH-T (Nextron Systems) -date: 2022/03/01 -modified: 2023/04/06 +date: 2022-03-01 +modified: 2023-04-06 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1059.001 - attack.t1027 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml index 9e4af468078..d655058c8c3 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml @@ -2,17 +2,17 @@ title: PowerShell Base64 Encoded WMI Classes id: 1816994b-42e1-4fb1-afd2-134d88184f71 related: - id: 47688f1b-9f51-4656-b013-3cc49a166a36 - type: obsoletes + type: obsolete status: test description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2023/01/30 +date: 2023-01-30 tags: - attack.execution - attack.t1059.001 - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml index 6f11a1d6b06..1416a2da373 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml @@ -6,10 +6,10 @@ references: - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/ - https://twitter.com/bohops/status/948061991012327424 author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2023/08/17 +date: 2020-10-14 +modified: 2023-08-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml index 06beed98a58..d9067f4b923 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml @@ -6,10 +6,10 @@ references: - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/ author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2022/05/21 -modified: 2023/08/17 +date: 2022-05-21 +modified: 2023-08-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml index 7fb441be922..cdea7db436f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml 
@@ -5,10 +5,10 @@ description: Detects the use of the Microsoft signed script "CL_mutexverifiers" references: - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113 -date: 2022/05/21 -modified: 2023/08/17 +date: 2022-05-21 +modified: 2023-08-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml index 38cfa229aca..e7a0388af90 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml @@ -6,10 +6,10 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton -date: 2020/10/11 -modified: 2023/02/01 +date: 2020-10-11 +modified: 2023-02-01 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml index 2e58e722cd6..cc533274cfb 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml 
@@ -6,10 +6,10 @@ references: - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton -date: 2020/10/11 -modified: 2023/05/31 +date: 2020-10-11 +modified: 2023-05-31 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index ca41366fd98..1f1e2ea0095 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml @@ -5,11 +5,11 @@ description: Detects the PowerShell command lines with special characters references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) -date: 2020/10/15 -modified: 2024/04/15 +date: 2020-10-15 +modified: 2024-04-15 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1027 - attack.t1059.001 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml b/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml index 621e908a049..952f842b1a9 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml 
@@ -10,8 +10,8 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/11/10 -modified: 2022/11/17 +date: 2022-11-10 +modified: 2022-11-17 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml index 90af18ddf87..7d2daed45bf 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml @@ -8,10 +8,10 @@ description: Detects the creation of a new service using powershell. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community -date: 2023/02/20 +date: 2023-02-20 tags: - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1543.003 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml index 8d76e7d5548..e7c5bde7b69 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml 
@@ -5,9 +5,9 @@ description: Detects attempts of decoding encoded Gzip archives via PowerShell. references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution author: Hieu Tran -date: 2023/03/13 +date: 2023-03-13 tags: - - attack.command_and_control + - attack.command-and-control - attack.t1132.001 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml index d4a23895abd..05c1df9440d 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml @@ -5,8 +5,8 @@ description: Detects PowerShell commands that decrypt an ".LNK" "file to drop th references: - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2023/06/30 -modified: 2023/12/05 +date: 2023-06-30 +modified: 2023-12-05 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml index 929f7145720..9a1a536451e 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml 
@@ -7,10 +7,10 @@ references: - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files author: Florian Roth (Nextron Systems) -date: 2022/03/03 -modified: 2024/01/02 +date: 2022-03-03 +modified: 2024-01-02 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml index e7f7aa037d7..8a0b3a33535 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml @@ -10,10 +10,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://twitter.com/AdamTheAnalyst/status/1483497517119590403 author: Florian Roth (Nextron Systems) -date: 2021/04/29 -modified: 2022/05/12 +date: 2021-04-29 +modified: 2022-05-12 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml index 2f8e0938d08..85e540109ef 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml 
@@ -7,10 +7,10 @@ references:
 - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: 'ok @securonix invrep-de, oscd.community, frack113'
-date: 2020/10/12
-modified: 2022/11/18
+date: 2020-10-12
+modified: 2022-11-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
index 272d5d7d11c..2fe327847b2 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
@@ -8,10 +8,10 @@ description: Detects attempts to disable the Windows Firewall using PowerShell
 references:
 - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/14
-modified: 2023/02/13
+date: 2022-09-14
+modified: 2023-02-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml
index 83137d0b90d..36fc38dee9b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml
@@ -5,10 +5,10 @@ description: Detects command lines that indicate unwanted modifications to regis
 references:
 - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
 author: Florian Roth (Nextron Systems)
-date: 2020/06/19
-modified: 2021/11/27
+date: 2020-06-19
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
index e28e6189b43..26be469cee5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
@@ -9,10 +9,10 @@ references:
 - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
 author: Harish Segar (rule)
-date: 2020/03/20
-modified: 2023/01/04
+date: 2020-03-20
+modified: 2023-01-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
index 685f4897c36..2c4f417dab3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml
@@ -9,9 +9,9 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
 author: frack113
-date: 2022/12/25
+date: 2022-12-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
index 030a7abc0f0..88d62daf89f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml
@@ -5,10 +5,10 @@ description: Detects suspicious ways to download files or content using PowerShe
 references:
 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 author: Florian Roth (Nextron Systems)
-date: 2022/03/24
-modified: 2023/01/05
+date: 2022-03-24
+modified: 2023-01-05
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1059.001
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
index a10e8c9e92a..1160979479c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml
@@ -5,9 +5,9 @@ description: Detects potential DLL files being downloaded using the PowerShell I
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Florian Roth (Nextron Systems), Hieu Tran
-date: 2023/03/13
+date: 2023-03-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.execution
 - attack.t1059.001
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
index e129a0565af..5fb9dc6cf44 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Florian Roth (Nextron Systems)
-date: 2022/03/24
-modified: 2023/05/04
+date: 2022-03-24
+modified: 2023-05-04
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
index 195b3b0ea7f..3f74d50eb47 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
@@ -10,8 +10,8 @@ references:
 - https://lab52.io/blog/winter-vivern-all-summer/
 - https://hatching.io/blog/powershell-analysis/
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2019/01/16
-modified: 2023/01/26
+date: 2019-01-16
+modified: 2023-01-26
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
index 7c3d8e69a18..c6afa475dfa 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
@@ -8,7 +8,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
+date: 2024-02-23
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml
index 8185eb5a4cd..277cda516ea 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml
@@ -10,7 +10,7 @@ description: |
 references:
 - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
 author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
-date: 2024/06/26
+date: 2024-06-26
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml b/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml
index 146ceadc21f..bf0fa52edcb 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml
@@ -6,7 +6,7 @@ references:
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
 author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
-date: 2022/09/09
+date: 2022-09-09
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
index e76ea4027f8..8969a822a78 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
@@ -12,9 +12,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
 - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/29
+date: 2022-12-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
index cdd82e75f6f..a72d1629a88 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
@@ -7,8 +7,8 @@ references:
 - https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
 - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
 author: frack113
-date: 2022/01/02
-modified: 2023/01/05
+date: 2022-01-02
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml
index f50886c9c1a..4f109282ffb 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml
@@ -8,10 +8,10 @@ description: Detects specific combinations of encoding methods in PowerShell via
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-date: 2020/10/11
-modified: 2023/01/26
+date: 2020-10-11
+modified: 2023-01-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
index a3f8f4a2c52..0090e9f284b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
@@ -5,7 +5,7 @@ description: Detects inline execution of PowerShell code from a file
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
 author: frack113
-date: 2022/12/25
+date: 2022-12-25
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
index 3a4500a1e9d..837a1bab90e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml
@@ -10,9 +10,9 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
 - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/18
+date: 2023-05-18
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.execution
 - attack.t1552.004
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
index 6c245389803..ceb1d0587c6 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
@@ -5,11 +5,11 @@ description: Detects usage of the "FromBase64String" function in the commandline
 references:
 - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
 author: Florian Roth (Nextron Systems)
-date: 2020/01/29
-modified: 2023/01/26
+date: 2020-01-29
+modified: 2023-01-26
 tags:
 - attack.t1027
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
index 2561e26815f..0e668e5714d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
@@ -8,9 +8,9 @@ description: Detects attempts of decoding a base64 Gzip archive via PowerShell.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
 author: frack113
-date: 2022/12/23
+date: 2022-12-23
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1132.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
index 8b1aecec441..43992ef9f2b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2020/05/02
-modified: 2022/12/25
+date: 2020-05-02
+modified: 2022-12-25
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml b/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
index 6c129bbc2d9..4e1a3164a54 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
@@ -8,7 +8,7 @@ description: Detects suspicious reconnaissance command line activity on Windows
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/10
+date: 2022-10-10
 tags:
 - attack.discovery
 - attack.t1087.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml b/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
index 21de196ed0a..526f97c9e9b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
@@ -5,10 +5,10 @@ description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, w
 references:
 - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
 author: Florian Roth (Nextron Systems)
-date: 2021/04/23
-modified: 2023/01/05
+date: 2021-04-23
+modified: 2023-01-05
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
index 79d2fda906e..344bff202ef 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
@@ -11,11 +11,11 @@ references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/17
+date: 2022-10-17
 tags:
 - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1574.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
index cd10df94704..bed05c1cfa9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/03/24
-modified: 2022/11/28
+date: 2022-03-24
+modified: 2022-11-28
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
index c817650d7a3..442667b7b89 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
@@ -6,10 +6,10 @@ references:
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 - https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2023/01/16
+date: 2022-09-09
+modified: 2023-01-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
index 329fecd6111..6ffe036a850 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
@@ -8,7 +8,7 @@ description: Detects powershell scripts that import modules from suspicious dire
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/10
+date: 2023-01-10
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
index 8525e42073b..bda94b9c170 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
@@ -9,10 +9,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
 - https://twitter.com/WindowsDocs/status/1620078135080325122
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/31
+date: 2023-01-31
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
index 8d71f2ac77f..db5ff82447c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
@@ -2,7 +2,7 @@ title: Suspicious PowerShell Invocations - Specific - ProcessCreation
 id: 536e2947-3729-478c-9903-745aaffe60d2
 related:
 - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
- type: obsoletes
+ type: obsolete
 - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
 type: similar
 - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
@@ -12,9 +12,9 @@ description: Detects suspicious PowerShell invocation command parameters
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/05
+date: 2023-01-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
index 1ba2ad95114..55ffdff939f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
@@ -5,9 +5,9 @@ description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using dir
 references:
 - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/21
+date: 2023-04-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
index 437906dcde9..5e81fdb2abd 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
@@ -8,10 +8,10 @@ description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/02
-modified: 2024/02/23
+date: 2022-08-02
+modified: 2024-02-23
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml b/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml
index 9d9e8294782..20fd255a8df 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml
@@ -8,8 +8,8 @@ references:
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Florian Roth (Nextron Systems)
-date: 2021/08/07
-modified: 2022/10/26
+date: 2021-08-07
+modified: 2022-10-26
 tags:
 - attack.exfiltration
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
index 0c74b947205..8fa81a13d16 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
@@ -27,8 +27,8 @@ references:
 - https://github.com/adrecon/ADRecon
 - https://github.com/adrecon/AzureADRecon
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/02
-modified: 2024/01/25
+date: 2023-01-02
+modified: 2024-01-25
 tags:
 - attack.execution
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
index 05cf509a3d7..72591f2ca8a 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
@@ -8,8 +8,8 @@ description: Detects the Installation of a Exchange Transport Agent
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
 author: Tobias Michalski (Nextron Systems)
-date: 2021/06/08
-modified: 2022/10/09
+date: 2021-06-08
+modified: 2022-10-09
 tags:
 - attack.persistence
 - attack.t1505.002
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
index 4920282f6d0..8634b9cf2af 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
@@ -5,8 +5,8 @@ description: Detects non-interactive PowerShell activity by looking at the "powe
 references:
 - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
 author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
-date: 2019/09/12
-modified: 2023/09/07
+date: 2019-09-12
+modified: 2023-09-07
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml b/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
index db2d56c2701..70b1d779375 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
@@ -5,12 +5,12 @@ description: Detects suspicious encoded character syntax often used for defense
 references:
 - https://twitter.com/0gtweet/status/1281103918693482496
 author: Florian Roth (Nextron Systems)
-date: 2020/07/09
-modified: 2023/01/05
+date: 2020-07-09
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml b/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
index 3d1df4c9a0a..69908b7bcfc 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml
@@ -5,8 +5,8 @@ description: This rule detects execution of PowerShell scripts located in the "C
 references:
 - https://www.mandiant.com/resources/evolution-of-fin7
 author: Max Altgelt (Nextron Systems)
-date: 2022/04/06
-modified: 2022/07/14
+date: 2022-04-06
+modified: 2022-07-14
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml b/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
index 0039fd05afe..ef01c0e95af 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
@@ -13,10 +13,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113
-date: 2021/07/13
-modified: 2023/05/09
+date: 2021-07-13
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml
index 6892f5bcb19..c056a2663d9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml
@@ -8,9 +8,9 @@ description: Detects attempts to remove Windows Defender configurations using th
 references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
+date: 2022-08-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
index 4c0913b5c23..db6caa0e7ac 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
@@ -7,8 +7,8 @@ references:
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
 author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/03/03
-modified: 2023/04/05
+date: 2021-03-03
+modified: 2023-04-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
index 3af5fcd354c..08a0188a756 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
@@ -5,10 +5,10 @@ description: Detects PowerShell script execution from Alternate Data Stream (ADS
 references:
 - https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
 author: Sergey Soldatov, Kaspersky Lab, oscd.community
-date: 2019/10/30
-modified: 2022/07/14
+date: 2019-10-30
+modified: 2022-07-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
index adc8a96bcee..c9e429ead24 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml
 - https://twitter.com/Moriarty_Meng/status/984380793383370752
 author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
-date: 2020/10/17
-modified: 2021/11/27
+date: 2020-10-17
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml b/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml
index d450ee18185..c48ba5e8361 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml
@@ -5,10 +5,10 @@ description: Detects suspicious PowerShell scripts accessing SAM hives
 references:
 - https://twitter.com/splinter_code/status/1420546784250769408
 author: Florian Roth (Nextron Systems)
-date: 2021/07/29
-modified: 2023/01/06
+date: 2021-07-29
+modified: 2023-01-06
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml b/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml
index c8b04c202f8..ebf05e498b7 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml
@@ -5,8 +5,8 @@ description: Detects suspicious powershell invocations from interpreters or unus
 references:
 - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
 author: Florian Roth (Nextron Systems)
-date: 2019/01/16
-modified: 2023/01/05
+date: 2019-01-16
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
index e27730d65ba..5f7cebbeaae 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
@@ -9,7 +9,7 @@ references:
 - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
 - https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/18
+date: 2022-10-18
 tags:
 - attack.persistence
 - attack.t1543.003
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
index 515cc7f0518..edd87ef7c6f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
@@ -13,9 +13,9 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/18
+date: 2022-10-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
index 7d1ea1f8b7d..1d1fe711c4e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
@@ -13,9 +13,9 @@ references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/18
+date: 2022-10-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
index 6feca9f49f2..df8d01e6508 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
@@ -15,8 +15,8 @@ references:
 - https://adsecurity.org/?p=2604
 - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
 author: frack113
-date: 2021/11/01
-modified: 2023/12/13
+date: 2021-11-01
+modified: 2023-12-13
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
index 5c2534ff00f..5bdfbc58a8b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
@@ -5,10 +5,10 @@ description: Detects the use of the PowerShell "Set-Service" cmdlet to change th
 references:
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/04
+date: 2023-03-04
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
index cdc762a4079..6108177b1f1 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
@@ -11,8 +11,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
 - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/20
-modified: 2022/12/30
+date: 2022-09-20
+modified: 2022-12-30
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
index 69225edada9..aacb1bbaa94 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
@@ -7,8 +7,8 @@ references:
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 - https://www.intrinsec.com/apt27-analysis/
 author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/03/03
-modified: 2023/03/24
+date: 2021-03-03
+modified: 2023-03-24
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml
index 5653001de63..2a5ffa784f3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml
@@ -2,13 +2,13 @@ title: Stop Windows Service Via PowerShell Stop-Service
 id: c49c5062-0966-4170-9efd-9968c913a6cf
 related:
 - id: eb87818d-db5d-49cc-a987-d5da331fbd90
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/05
+date: 2023-03-05
 tags:
 - attack.impact
 - attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
index e292eff7779..2026bd226a3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
@@ -9,8 +9,8 @@ references:
 - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
 author: Florian Roth (Nextron Systems)
-date: 2022/02/28
-modified: 2022/03/01
+date: 2022-02-28
+modified: 2022-03-01
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
index 4d3a29e6868..c3de98e4de2 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
@@ -5,8 +5,8 @@ description: Detects suspicious PowerShell invocation with a parameter substring
 references:
 - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
 author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
-date: 2019/01/16
-modified: 2022/07/14
+date: 2019-01-16
+modified: 2022-07-14
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml
index a11fa914fd4..720c0c1758f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml
@@ -8,8 +8,8 @@ description: Detects a suspicious or uncommon parent processes of PowerShell
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
 author: Teymur Kheirkhabarov, Harish Segar
-date: 2020/03/20
-modified: 2023/02/04
+date: 2020-03-20
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
index 162f157e0d8..ff5d961d512 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/JohnLaTwC/status/1082851155481288706
 - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-date: 2019/01/09
-modified: 2022/07/14
+date: 2019-01-09
+modified: 2022-07-14
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
index d3bbeb15e72..f98b275d090 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
@@ -5,12 +5,12 @@ description: Detects the execution of powershell, a WebClient object creation an
 references:
 - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
 author: Florian Roth (Nextron Systems)
-date: 2020/08/28
-modified: 2021/11/27
+date: 2020-08-28
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1104
 - attack.t1105
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
index 6c88f8b51a0..4a96bcb139d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
@@ -8,10 +8,10 @@ description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
-date: 2022/12/27
-modified: 2024/08/11
+date: 2022-12-27
+modified: 2024-08-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.009
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml
index c606d36f766..be4f0af06db 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml
@@ -9,8 +9,8 @@ references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2022/11/17
+date: 2022-09-09
+modified: 2022-11-17
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml
index be33964e4b1..8b4b003ec73 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml
@@ -5,8 +5,8 @@ description: Detects PowerShell command line contents that include a suspicious
 references:
 - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
 author: Florian Roth (Nextron Systems)
-date: 2022/05/24
-modified: 2023/01/05
+date: 2022-05-24
+modified: 2023-01-05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
index 7b47c7d7e4b..34aa33f22d4 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
@@ -10,9 +10,9 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
 author: frack113
-date: 2022/12/23
+date: 2022-12-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.004
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index 8932afd0c59..95e2ed443d0 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -2,7 +2,7 @@ title: Suspicious XOR Encoded PowerShell Command
 id: bb780e0c-16cf-4383-8383-1e5471db6cf9
 related:
 - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects presence of a potentially xor encoded powershell command
 references:
@@ -11,10 +11,10 @@ references:
 - https://zero2auto.com/2020/05/19/netwalker-re/
 - https://mez0.cc/posts/cobaltstrike-powershell-exec/
 author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
-date: 2018/09/05
-modified: 2023/01/30
+date: 2018-09-05
+modified: 2023-01-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059.001
 - attack.t1140
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml b/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
index d9795a0ebf0..4c69117420b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
@@ -15,8 +15,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2021/07/20
-modified: 2022/10/09
+date: 2021-07-20
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml b/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
index 9c4be72ddac..07b9b33875b 100644
--- a/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
@@ -5,10 +5,10 @@ description: Detects usage of "PresentationHost" which is a utility that runs ".
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/239/files
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
-modified: 2023/11/09
+date: 2022-08-19
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml b/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
index cfe575b762a..24d674c5e77 100644
--- a/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/01
-modified: 2023/11/09
+date: 2022-07-01
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
index 5840e42fe20..aaff7ae7c2c 100644
--- a/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
@@ -9,11 +9,11 @@ references:
 - https://twitter.com/mrd0x/status/1463526834918854661
 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/11
-modified: 2023/04/11
+date: 2022-01-11
+modified: 2023-04-11
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml b/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
index 609e824786b..2425b4ea5fc 100644
--- a/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
+++ b/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
@@ -6,10 +6,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Print/
 - https://twitter.com/Oddvarmoe/status/985518877076541440
 author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
-date: 2020/10/05
-modified: 2022/07/07
+date: 2020-10-05
+modified: 2022-07-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml b/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
index 25a584c82cd..497bffec3e2 100644
--- a/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
 author: frack113
-date: 2021/07/13
-modified: 2023/11/09
+date: 2021-07-13
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
index a13ba06b803..1f65531f62d 100644
--- a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
@@ -13,9 +13,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
 - https://twitter.com/0gtweet/status/1674399582162153472
 author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-date: 2023/08/08
+date: 2023-08-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
index 9c01e150268..8acfb918732 100644
--- a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
@@ -13,9 +13,9 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
 - https://twitter.com/0gtweet/status/1674399582162153472
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/08
+date: 2023-08-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml b/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
index 7918c8fd696..63cbe4f6c1c 100644
--- a/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
+++ b/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
@@ -7,8 +7,8 @@ references:
 - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: Beyu Denis, oscd.community
-date: 2019/10/12
-modified: 2024/01/04
+date: 2019-10-12
+modified: 2024-01-04
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml
index 04638f9f92c..8b4c8054956 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/3proxy/3proxy
 - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Florian Roth (Nextron Systems)
-date: 2022/09/13
-modified: 2023/02/21
+date: 2022-09-13
+modified: 2023-02-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
index 7a7a6952cde..0e99a9a83df 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml
@@ -10,8 +10,8 @@ references:
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
 author: frack113
-date: 2021/12/13
-modified: 2023/03/05
+date: 2021-12-13
+modified: 2023-03-05
 tags:
 - attack.discovery
 - attack.t1087.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml
index 0464748680d..063f0d8552f 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml
@@ -4,7 +4,7 @@ related:
 - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
 type: similar
 - id: 75df3b17-8bcc-4565-b89b-c9898acef911
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects AdFind execution with common flags seen used during attacks
 references:
@@ -16,8 +16,8 @@ references:
 - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
 author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
-date: 2021/02/02
-modified: 2023/03/05
+date: 2021-02-02
+modified: 2023-03-05
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
index d04c5ee1039..b83cc804738 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml
@@ -10,8 +10,8 @@ references:
 - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
 author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
-date: 2020/05/12
-modified: 2023/02/07
+date: 2020-05-12
+modified: 2023-02-07
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
index a35ff4a83fb..c9e33cee5a1 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml
@@ -5,8 +5,8 @@ description: Detects the use of Advanced Port Scanner.
 references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/18
-modified: 2023/02/07
+date: 2021-12-18
+modified: 2023-02-07
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
index fc72e197338..1336ef27349 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
@@ -11,12 +11,12 @@ references:
 - https://www.elastic.co/security-labs/operation-bleeding-bear
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/20
-modified: 2023/02/21
+date: 2022-01-20
+modified: 2023-02-21
 tags:
 - attack.execution
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1564.003
 - attack.t1134.002
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
index 331d4a3e8dc..88046fe9c78 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
@@ -11,11 +11,11 @@ references:
 - https://www.elastic.co/security-labs/operation-bleeding-bear
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/20
-modified: 2023/02/21
+date: 2022-01-20
+modified: 2023-02-21
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1134.002
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_pua_chisel.yml b/rules/windows/process_creation/proc_creation_win_pua_chisel.yml
index d4b04ca3177..d31aaeac706 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_chisel.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_chisel.yml
@@ -10,10 +10,10 @@ references:
 - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
 - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
 author: Florian Roth (Nextron Systems)
-date: 2022/09/13
-modified: 2023/02/13
+date: 2022-09-13
+modified: 2023-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
index d2289e8431d..724e5c03be8 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
@@ -5,10 +5,10 @@ description: Detects the use of CleanWipe a tool usually used to delete Symantec
 references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/18
-modified: 2023/02/14
+date: 2021-12-18
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
index 5af7f9b90aa..d1ea956c704 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
@@ -5,7 +5,7 @@ description: Detects Crassus, a Windows privilege escalation discovery tool, bas
 references:
 - https://github.com/vu-ls/Crassus
 author: pH-T (Nextron Systems)
-date: 2023/04/17
+date: 2023-04-17
 tags:
 - attack.discovery
 - attack.t1590.001
diff --git a/rules/windows/process_creation/proc_creation_win_pua_csexec.yml b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
index a9398da0fa9..3b732714fb2 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/malcomvetter/CSExec
 - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
 author: Florian Roth (Nextron Systems)
-date: 2022/08/22
-modified: 2023/02/21
+date: 2022-08-22
+modified: 2023-02-21
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
index 5bed99cfbf5..74a3dd00850 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
@@ -5,10 +5,10 @@ description: Detects the use of DefenderCheck, a tool to evaluate the signatures
 references:
 - https://github.com/matterpreter/DefenderCheck
 author: Florian Roth (Nextron Systems)
-date: 2022/08/30
-modified: 2023/02/04
+date: 2022-08-30
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml b/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml
index 237a0f8b15a..246d82ca400 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml
@@ -6,10 +6,10 @@ references:
 - https://thedfirreport.com/2020/06/21/snatch-ransomware/
 - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
 author: Furkan Caliskan (@caliskanfurkan_)
-date: 2020/07/04
-modified: 2023/02/21
+date: 2020-07-04
+modified: 2023-02-21
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_frp.yml b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
index 9b809012f8e..19b5098c00a 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_frp.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
@@ -6,10 +6,10 @@ references:
 - https://asec.ahnlab.com/en/38156/
 - https://github.com/fatedier/frp
 author: frack113, Florian Roth
-date: 2022/09/02
-modified: 2023/02/04
+date: 2022-09-02
+modified: 2023-02-04
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_iox.yml b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
index 5fb2df51bd7..3c4738818ba 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_iox.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
@@ -5,10 +5,10 @@ description: Detects the use of IOX - a tool for port forwarding and intranet pr
 references:
 - https://github.com/EddieIvan01/iox
 author: Florian Roth (Nextron Systems)
-date: 2022/10/08
-modified: 2023/02/08
+date: 2022-10-08
+modified: 2023-02-08
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml
index 3334eddd9ba..751cd62bd67 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf
 - https://sourceforge.net/projects/mouselock/
 author: Cian Heasley
-date: 2020/08/13
-modified: 2023/02/21
+date: 2020-08-13
+modified: 2023-02-21
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.collection
 - attack.t1056.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml
index dc857162653..da6274c486a 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_netcat.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_netcat.yml
@@ -7,10 +7,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
 - https://www.revshells.com/
 author: frack113, Florian Roth (Nextron Systems)
-date: 2021/07/21
-modified: 2023/02/08
+date: 2021-07-21
+modified: 2023-02-08
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1095
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_netscan.yml b/rules/windows/process_creation/proc_creation_win_pua_netscan.yml
index 606316aa612..4ff4df6216b 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_netscan.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_netscan.yml
@@ -13,7 +13,7 @@ references:
 - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
 - https://www.softperfect.com/products/networkscanner/
 author: '@d4ns4n_ (Wuerth-Phoenix)'
-date: 2024/04/25
+date: 2024-04-25
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml b/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml
index 0f5ec44081f..2c8f2d109f8 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml
@@ -13,10 +13,10 @@ references:
 - https://twitter.com/xorJosh/status/1598646907802451969
 - https://www.softwaretestinghelp.com/how-to-use-ngrok/
 author: Florian Roth (Nextron Systems)
-date: 2021/05/14
-modified: 2023/02/21
+date: 2021-05-14
+modified: 2023-02-21
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
index fd61809361f..3d3f0b8aa12 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml
@@ -5,10 +5,10 @@ description: Detects the usage of nimgrab, a tool bundled with the Nim programmi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 author: frack113
-date: 2022/08/28
-modified: 2023/02/13
+date: 2022-08-28
+modified: 2023-02-13
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml b/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml
index b4a321a2cf3..3ae74672848 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml
@@ -7,8 +7,8 @@ references:
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 - https://www.nirsoft.net/utils/nircmd2.html#using
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/24
-modified: 2023/02/13
+date: 2022-01-24
+modified: 2023-02-13
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml b/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml
index fc346f301f2..b37c3294432 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml
@@ -7,8 +7,8 @@ references:
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 - https://www.nirsoft.net/utils/nircmd2.html#using
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/01/24
-modified: 2023/02/13
+date: 2022-01-24
+modified: 2023-02-13
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml b/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml
index bed7471e106..44e1269ae52 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml
@@ -6,8 +6,8 @@ references:
 - https://nmap.org/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
 author: frack113
-date: 2021/12/10
-modified: 2023/12/11
+date: 2021-12-10
+modified: 2023-12-11
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nps.yml b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
index 1a5550ff492..f696f7a32ce 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nps.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nps.yml
@@ -5,10 +5,10 @@ description: Detects the use of NPS, a port forwarding and intranet penetration
 references:
 - https://github.com/ehang-io/nps
 author: Florian Roth (Nextron Systems)
-date: 2022/10/08
-modified: 2023/02/04
+date: 2022-10-08
+modified: 2023-02-04
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
index 9da2bd8591b..8fc2458a28e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml
@@ -6,8 +6,8 @@ references:
 - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
-date: 2022/01/24
-modified: 2023/02/13
+date: 2022-01-24
+modified: 2023-02-13
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml b/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml
index 47e79e61075..da8445b7309 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml
@@ -14,7 +14,7 @@ references:
 - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
 - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/01/11
+date: 2024-01-11
 tags:
 - attack.reconnaissance
 - attack.t1595
diff --git a/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml b/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml
index bad28cede13..7a56a9143e8 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml
@@ -15,7 +15,7 @@ references:
 - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
 - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2024/01/11
+date: 2024-01-11
 tags:
 - attack.reconnaissance
 - attack.t1595
diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
index 394c8a241de..d7ee73f3ad0 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
@@ -12,13 +12,13 @@ references:
 - https://processhacker.sourceforge.io/
 - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 author: Florian Roth (Nextron Systems)
-date: 2022/10/10
-modified: 2023/12/11
+date: 2022-10-10
+modified: 2023-12-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.discovery
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1622
 - attack.t1564
 - attack.t1543
diff --git a/rules/windows/process_creation/proc_creation_win_pua_radmin.yml b/rules/windows/process_creation/proc_creation_win_pua_radmin.yml
index 89126a02849..fbfebd2dccf 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_radmin.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_radmin.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md
 - https://www.radmin.fr/
 author: frack113
-date: 2022/01/22
-modified: 2023/12/11
+date: 2022-01-22
+modified: 2023-12-11
 tags:
 - attack.execution
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1072
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
index c299fb6008e..bd2bd540f73 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
@@ -7,10 +7,10 @@ references:
 - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
 - https://github.com/electron/rcedit
 author: Micah Babinski
-date: 2022/12/11
-modified: 2023/03/05
+date: 2022-12-11
+modified: 2023-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 - attack.t1036
 - attack.t1027.005
diff --git a/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml
index b61912e1b91..226fc992d40 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml
@@ -2,9 +2,9 @@ title: PUA - Rclone Execution
 id: e37db05d-d1f9-49c8-b464-cee1a4b11638
 related:
 - id: a0d63692-a531-4912-ad39-4393325b2a9c
- type: obsoletes
+ type: obsolete
 - id: cb7286ba-f207-44ab-b9e6-760d82b84253
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
 references:
@@ -14,8 +14,8 @@ references:
 - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
 - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
 author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
-date: 2021/05/10
-modified: 2023/03/05
+date: 2021-05-10
+modified: 2023-03-05
 tags:
 - attack.exfiltration
 - attack.t1567.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml b/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml
index c3a58063ef3..86784bcfd4e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml
@@ -6,8 +6,8 @@ references:
 - https://www.d7xtech.com/free-software/runx/
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/24
-modified: 2023/02/14
+date: 2022-01-24
+modified: 2023-02-14
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
index 84559cbd2c8..42ec12cbd7f 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/GhostPack/Seatbelt
 - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/18
-modified: 2023/02/04
+date: 2022-10-18
+modified: 2023-02-04
 tags:
 - attack.discovery
 - attack.t1526
diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
index 3aaa59f44c5..42420aa9b2e 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
@@ -8,12 +8,12 @@ description: Detects the execution of System Informer, a task manager tool to vi
 references:
 - https://github.com/winsiderss/systeminformer
 author: Florian Roth (Nextron Systems)
-date: 2023/05/08
+date: 2023-05-08
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.discovery
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1082
 - attack.t1564
 - attack.t1543
diff --git a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
index b08f5847cb4..c43183295e7 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
@@ -5,10 +5,10 @@ description: Detects the execution of WebBrowserPassView.exe. A password recover
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
 author: frack113
-date: 2022/08/20
-modified: 2023/02/14
+date: 2022-08-20
+modified: 2023-02-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
index e42b3d26223..53c4bfc90ad 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml
@@ -5,11 +5,11 @@ description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that
 references:
 - https://github.com/M2Team/Privexec/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/02
-modified: 2023/02/14
+date: 2022-12-02
+modified: 2023-02-14
 tags:
 - attack.execution
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1059
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml b/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml
index 8420fca22cd..ec4518f83a1 100644
--- a/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
 author: frack113
-date: 2022/01/01
-modified: 2023/02/21
+date: 2022-01-01
+modified: 2023-02-21
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
index 03929b66077..24463a9ab1f 100644
--- a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
@@ -7,8 +7,8 @@ references:
 - https://www.revshells.com/
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/02
-modified: 2023/02/17
+date: 2023-01-02
+modified: 2023-02-17
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml b/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
index df5e0e7bcdf..0d93d94141e 100644
--- a/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
@@ -8,7 +8,7 @@ description: Detects python spawning a pretty tty
 references:
 - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
 author: Nextron Systems
-date: 2022/06/03
+date: 2022-06-03
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml
index 5f2a4cdc761..64c86b01014 100644
--- a/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml
@@ -8,9 +8,9 @@ references:
 - https://securelist.com/network-tunneling-with-qemu/111803/
 - https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
 author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
-date: 2024/06/03
+date: 2024-06-03
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090
 - attack.t1572
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
index e7928dd1f20..c730037aeba 100644
--- a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
+++ b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
@@ -5,8 +5,8 @@ description: Detects usage of "query.exe" a system binary to exfil information s
 references:
 - https://twitter.com/MichalKoczwara/status/1553634816016498688
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/01/19
+date: 2022-08-01
+modified: 2023-01-19
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml b/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml
index a47bab18da7..6b758af7539 100644
--- a/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
 author: Timur Zinniatullin, E.M. Anhaus, oscd.community
-date: 2019/10/21
-modified: 2023/02/05
+date: 2019-10-21
+modified: 2023-02-05
 tags:
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml b/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml
index fd484bef4c4..547e171e5bc 100644
--- a/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml
+++ b/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml
@@ -7,8 +7,8 @@ references:
 - https://ss64.com/bash/rar.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: '@ROxPinTeddy'
-date: 2020/05/12
-modified: 2022/03/16
+date: 2020-05-12
+modified: 2022-03-16
 tags:
 - attack.collection
 - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml
index e564b321303..1f352d1030a 100644
--- a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml
+++ b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml
@@ -5,8 +5,8 @@ description: Detects RAR usage that creates an archive from a suspicious folder,
 references:
 - https://decoded.avast.io/martinchlumecky/png-steganography
 author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/12/15
-modified: 2024/01/02
+date: 2022-12-15
+modified: 2024-01-02
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml b/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml
index 7e919587e0f..276d8fb5c81 100644
--- a/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process related to rasdial.exe
 references:
 - https://twitter.com/subTee/status/891298217907830785
 author: juju4
-date: 2019/01/16
-modified: 2021/11/27
+date: 2019-01-16
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml b/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
index 5fe7b539d3e..2a0e1ff9108 100644
--- a/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
+++ b/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
@@ -2,7 +2,7 @@ title: Process Memory Dump via RdrLeakDiag.EXE
 id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
 related:
 - id: 6355a919-2e97-4285-a673-74645566340d
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
 references:
@@ -11,10 +11,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
 - https://twitter.com/0gtweet/status/1299071304805560321?s=21
 author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/09/24
-modified: 2023/04/24
+date: 2021-09-24
+modified: 2023-04-24
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
index 633554ee7d2..6bb079cbf13 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
@@ -6,8 +6,8 @@ references:
 - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
 - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
 author: Florian Roth (Nextron Systems)
-date: 2021/06/28
-modified: 2023/01/30
+date: 2021-06-28
+modified: 2023-01-30
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
index d4775a8d0e3..84b26b8bfbc 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
@@ -8,10 +8,10 @@ description: Detects execution of "reg.exe" commands with the "add" or "copy" fl
 references:
 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/02
-modified: 2024/03/19
+date: 2022-09-02
+modified: 2024-03-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml b/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml
index aff12694e11..eba078581e9 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml
@@ -5,8 +5,8 @@ description: Detects suspicious addition to BitLocker related registry keys via
 references:
 - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
 author: frack113
-date: 2021/11/15
-modified: 2022/09/09
+date: 2021-11-15
+modified: 2022-09-09
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
index e1b08e7a6d4..1af51441abb 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
@@ -6,10 +6,10 @@ references:
 - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
 - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
 author: Sreeman
-date: 2020/10/29
-modified: 2022/10/09
+date: 2020-10-29
+modified: 2022-10-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1556.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
index 8bbfb03d2fb..cf02453bef1 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
@@ -6,10 +6,10 @@ references:
 - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
 - https://redcanary.com/threat-detection-report/threats/qbot/
 author: frack113
-date: 2022/02/13
-modified: 2023/02/04
+date: 2022-02-13
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
index 2b45c02e98e..e869a89857d 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -8,10 +8,10 @@ description: Detects execution of "reg.exe" commands with the "delete" flag on s
 references:
 - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
 author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
-date: 2022/08/08
-modified: 2023/02/04
+date: 2022-08-08
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
index 6da47889b6c..b624d9c8505 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
@@ -5,10 +5,10 @@ description: Detects execution of "reg.exe" commands with the "delete" flag on s
 references:
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/02/04
+date: 2022-08-01
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
index 9bf476f1e9e..4ea1796db78 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
@@ -15,9 +15,9 @@ references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
 author: Stephen Lincoln @slincoln-aiq (AttackIQ)
-date: 2023/12/21
+date: 2023-12-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1112
 - attack.t1491.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
index 3876c5ffd6a..8fa6f48ae74 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
@@ -5,8 +5,8 @@ description: Detects direct modification of autostart extensibility point (ASEP)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/25
-modified: 2022/08/04
+date: 2019-10-25
+modified: 2022-08-04
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
index 3f13fb2a5ef..4af53ef910b 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
@@ -8,10 +8,10 @@ references:
     - https://vms.drweb.fr/virus/?i=24144899
     - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
 author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
-date: 2021/07/14
-modified: 2023/06/05
+date: 2021-07-14
+modified: 2023-06-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml b/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
index aa7e4c8bc40..2106467abfc 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
@@ -2,9 +2,9 @@ title: Dumping of Sensitive Hives Via Reg.EXE
 id: fd877b94-9bb5-4191-bb25-d79cbd93c167
 related:
     - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
-      type: obsoletes
+      type: obsolete
     - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
 references:
@@ -14,10 +14,10 @@ references:
     - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
 author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
-date: 2019/10/22
-modified: 2023/12/13
+date: 2019-10-22
+modified: 2023-12-13
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003.002
     - attack.t1003.004
     - attack.t1003.005
diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml
index 58cc58c8841..419d229d13c 100755
--- a/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml
@@ -15,7 +15,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
     - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
 author: Sajid Nawaz Khan
-date: 2024/06/02
+date: 2024-06-02
 tags:
     - attack.collection
     - attack.t1113
diff --git a/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
index 75cb8e25de1..ea0e764cdce 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
@@ -8,10 +8,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
 author: frack113
-date: 2021/12/20
-modified: 2022/12/25
+date: 2021-12-20
+modified: 2022-12-25
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1552.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
index d344c053e4a..bd55d92cd84 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
@@ -8,11 +8,11 @@ description: Detects the import of '.reg' files from suspicious paths using the
 references:
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
 author: frack113, Nasreddine Bencherchali
-date: 2022/08/01
-modified: 2023/02/05
+date: 2022-08-01
+modified: 2023-02-05
 tags:
     - attack.t1112
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index b7d6ba43153..d07c8619071 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -12,10 +12,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
     - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
 author: frack113
-date: 2023/01/13
-modified: 2023/12/15
+date: 2023-01-13
+modified: 2023-12-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
index c281521a14b..88aa62516a2 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
@@ -5,10 +5,10 @@ description: Detects the usage of the "reg.exe" utility to disable PPL protectio
 references:
     - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 author: Florian Roth (Nextron Systems)
-date: 2022/03/22
-modified: 2023/03/26
+date: 2022-03-22
+modified: 2023-03-26
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml b/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml
index 74ff0ae46e9..cebb669b616 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_machineguid.yml
@@ -5,7 +5,7 @@ description: Use of reg to get MachineGuid information
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
 author: frack113
-date: 2022/01/01
+date: 2022-01-01
 tags:
     - attack.discovery
     - attack.t1082
diff --git a/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml b/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
index e7f262969e5..45b66c49ee1 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
@@ -8,10 +8,10 @@ description: Detect malicious GPO modifications can be used to implement many ot
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
 author: frack113
-date: 2022/08/19
+date: 2022-08-19
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1484.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
index df5e689f83d..85b3c92b64a 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
@@ -12,10 +12,10 @@ references:
     - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
     - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/12/15
-modified: 2023/12/22
+date: 2023-12-15
+modified: 2023-12-22
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_open_command.yml b/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
index 2924a7eb6ee..680e38432b4 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
@@ -5,10 +5,10 @@ description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registr
 references:
     - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 author: frack113
-date: 2021/12/20
-modified: 2022/12/25
+date: 2021-12-20
+modified: 2022-12-25
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml b/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml
index fca6c1ed634..5acc5958978 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_query_registry.yml
@@ -5,8 +5,8 @@ description: Detects the usage of "reg.exe" in order to query reconnaissance inf
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2023/02/05
+date: 2019-10-21
+modified: 2023-02-05
 tags:
     - attack.discovery
     - attack.t1012
diff --git a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
index f0832d4b268..80c6c555254 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
@@ -5,11 +5,11 @@ description: Detects the execution of "reg.exe" for enabling/disabling the RDP s
 references:
     - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
-date: 2022/02/12
-modified: 2023/02/05
+date: 2022-02-12
+modified: 2023-02-05
 tags:
-    - attack.defense_evasion
-    - attack.lateral_movement
+    - attack.defense-evasion
+    - attack.lateral-movement
     - attack.t1021.001
     - attack.t1112
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml b/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
index 37589818048..b16ba1acd5a 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml
@@ -8,10 +8,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
     - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
 author: frack113
-date: 2021/08/19
-modified: 2022/06/02
+date: 2021-08-19
+modified: 2022-06-02
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1546.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
index 069650e57e8..aa688ab7009 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -8,8 +8,8 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
 author: frack113
-date: 2021/12/30
-modified: 2024/03/13
+date: 2021-12-30
+modified: 2024-03-13
 tags:
     - attack.persistence
     - attack.t1574.011
diff --git a/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml b/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml
index 47394ec8c04..b7beb2ceb89 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml
@@ -9,8 +9,8 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
     - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
 author: Nikita Nazarov, oscd.community
-date: 2020/10/16
-modified: 2022/10/09
+date: 2020-10-16
+modified: 2022-10-09
 tags:
     - attack.discovery
     - attack.t1518
diff --git a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
index f5530768c25..f07bd00e776 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
@@ -7,10 +7,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
     - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/19
-modified: 2022/10/10
+date: 2022-08-19
+modified: 2022-10-10
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
     - attack.t1562.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
index 0a26512174c..ce0555afae7 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
@@ -5,10 +5,10 @@ description: Detects commands that temporarily turn off Volume Snapshots
 references:
     - https://twitter.com/0gtweet/status/1354766164166115331
 author: Florian Roth (Nextron Systems)
-date: 2021/01/28
-modified: 2023/12/15
+date: 2021-01-28
+modified: 2023-12-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
index c0887bc7d13..0454906c711 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
@@ -7,10 +7,10 @@ references:
     - https://github.com/swagkarna/Defeat-Defender-V1.2.0
     - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
 author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/03/22
-modified: 2023/06/05
+date: 2022-03-22
+modified: 2023-06-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
index 1ecfad9f274..495207ebd12 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
@@ -7,10 +7,10 @@ description: |
 references:
     - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
 author: Sreeman
-date: 2021/06/11
-modified: 2024/01/18
+date: 2021-06-11
+modified: 2024-01-18
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
index fa1c2a5ea67..f57026d73ad 100644
--- a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
@@ -10,9 +10,9 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
     - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/13
+date: 2023-02-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.009
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
index 55e0dc86a27..6d05c27a462 100644
--- a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
@@ -10,10 +10,10 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
     - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/25
-modified: 2023/02/13
+date: 2022-08-25
+modified: 2023-02-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218.009
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml
index 8d370f3f18d..4efc9fe11b8 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml
@@ -9,8 +9,8 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
     - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/12
-modified: 2024/03/13
+date: 2020-10-12
+modified: 2024-03-13
 tags:
     - attack.exfiltration
     - attack.t1012
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml
index b7ba692b4b2..4be669eb8cc 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml
@@ -9,8 +9,8 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
     - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/07
-modified: 2024/03/13
+date: 2020-10-07
+modified: 2024-03-13
 tags:
     - attack.exfiltration
     - attack.t1012
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
index c8c2aad9590..3fdee181efe 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
@@ -9,11 +9,11 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
     - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/07
-modified: 2024/03/13
+date: 2020-10-07
+modified: 2024-03-13
 tags:
     - attack.t1112
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
index bf63c18f998..f7fa00e5e31 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
@@ -9,11 +9,11 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
     - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
-date: 2020/10/12
-modified: 2024/03/13
+date: 2020-10-12
+modified: 2024-03-13
 tags:
     - attack.t1112
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
index 086e7d4e7e1..983759d1bb3 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
@@ -5,10 +5,10 @@ description: Detects a regedit started with TrustedInstaller privileges or by Pr
 references:
     - https://twitter.com/1kwpeter/status/1397816101455765504
 author: Florian Roth (Nextron Systems)
-date: 2021/05/27
-modified: 2022/10/09
+date: 2021-05-27
+modified: 2022-10-09
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1548
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
index ab6d822d948..8be1f4f7b2e 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
@@ -10,11 +10,11 @@ references:
     - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
 author: Eli Salem, Sander Wiebing, oscd.community
-date: 2020/10/12
-modified: 2023/02/08
+date: 2020-10-12
+modified: 2023-02-08
 tags:
     - attack.t1112
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regini_execution.yml b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
index 26f46d98f00..21b40aacf7b 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
@@ -10,11 +10,11 @@ references:
     - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
 author: Eli Salem, Sander Wiebing, oscd.community
-date: 2020/10/08
-modified: 2023/02/08
+date: 2020-10-08
+modified: 2023-02-08
 tags:
     - attack.t1112
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
index 80444710316..4d37473fba9 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
@@ -6,10 +6,10 @@ references:
     - https://twitter.com/PhilipTsukerman/status/992021361106268161
     - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
 author: Ivan Dyachkov, Yulia Fomina, oscd.community
-date: 2020/10/07
-modified: 2021/11/27
+date: 2020-10-07
+modified: 2021-11-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1574
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml b/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
index 3e925557675..0ac71d47ef8 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
@@ -11,9 +11,9 @@ references:
     - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
+date: 2022-06-20
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1552.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
index 0a8231ab477..aea746113c8 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
@@ -12,10 +12,10 @@ references:
     - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
     - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/05
+date: 2023-09-05
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml
index 95d4083ac3b..e7e4e72f0b7 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml
@@ -6,11 +6,11 @@ references:
     - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
     - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-date: 2019/09/06
-modified: 2022/08/06
+date: 2019-09-06
+modified: 2022-08-06
 tags:
     - attack.persistence
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1546.008
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
index dd6ed188311..f194259c9f7 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_logon_script.yml
@@ -8,8 +8,8 @@ description: Detects the addition of a new LogonScript to the registry value "Us
 references:
     - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
 author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-modified: 2023/06/09
+date: 2019-01-12
+modified: 2023-06-09
 tags:
     - attack.persistence
     - attack.t1037.001
diff --git a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
index 8de386c8e15..053f0ef34ab 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml
@@ -9,10 +9,10 @@ references:
     - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
     - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/23
-modified: 2023/02/02
+date: 2022-08-23
+modified: 2023-02-02
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
index 995d61d3669..df0524ed9c2 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
@@ -6,10 +6,10 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
     - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
 author: Teymur Kheirkhabarov
-date: 2019/10/26
-modified: 2023/01/30
+date: 2019-10-26
+modified: 2023-01-30
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1574.011
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
index 761f9f9d8cd..69dd19d83a1 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
@@ -13,9 +13,9 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
     - https://twitter.com/0gtweet/status/1674399582162153472
 author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-date: 2023/08/08
+date: 2023-08-08
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
index e2ae3a66488..1ee3cd6dd4c 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
@@ -12,9 +12,9 @@ description: Detects changes to the PowerShell execution policy registry key in
 references:
 - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml b/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml
index 3cfc73271b0..069efe2ceb3 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/dez_/status/1560101453150257154
 - https://forensafe.com/blogs/typedpaths.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/22
+date: 2022-08-22
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
index 593f9d0ec2e..e0a2546f48d 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
@@ -5,10 +5,10 @@ description: Detects a potential command line flag anomaly related to "regsvr32"
 references:
 - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
 author: Florian Roth (Nextron Systems)
-date: 2019/07/13
-modified: 2024/03/13
+date: 2019-07-13
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
index 397ae87bcd9..e68d4df0e74 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/tccontre18/status/1480950986650832903
 - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
 author: Florian Roth (Nextron Systems)
-date: 2022/01/11
-modified: 2023/05/24
+date: 2022-01-11
+modified: 2023-05-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
index 2a99c64e6cd..af1bcb191d7 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
@@ -2,7 +2,7 @@ title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
 id: 867356ee-9352-41c9-a8f2-1be690d78216
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
 references:
@@ -10,10 +10,10 @@ references:
 - https://twitter.com/tccontre18/status/1480950986650832903
 - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
 author: Florian Roth (Nextron Systems)
-date: 2023/05/24
-modified: 2023/05/26
+date: 2023-05-24
+modified: 2023-05-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
index 81bb6023c6d..c1626055721 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
@@ -5,9 +5,9 @@ description: Detects REGSVR32.exe to execute DLL hosted on remote shares
 references:
 - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/31
+date: 2022-10-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
index 27463a9d971..ba846ced3b7 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
@@ -2,7 +2,7 @@ title: Potentially Suspicious Child Process Of Regsvr32
 id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects potentially suspicious child processes of "regsvr32.exe".
 references:
@@ -10,10 +10,10 @@ references:
 - https://www.echotrail.io/insights/search/regsvr32.exe
 - https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
 author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/05
-modified: 2023/05/26
+date: 2022-05-05
+modified: 2023-05-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
index 75dcf5b0a21..9c285592ff5 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
@@ -2,16 +2,16 @@ title: Regsvr32 Execution From Potential Suspicious Location
 id: 9525dc73-0327-438c-8c04-13c0e037e9da
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
 references:
 - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/26
+date: 2023-05-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
index 7cf9cc245d8..2b4071b6314 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
@@ -5,9 +5,9 @@ description: Detects execution of regsvr32 where the DLL is located in a highly
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/26
+date: 2023-05-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
index 30f7c594b67..60c5689e835 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
@@ -2,7 +2,7 @@ title: Regsvr32 DLL Execution With Suspicious File Extension
 id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
 references:
@@ -10,10 +10,10 @@ references:
 - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
 - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
 author: Florian Roth (Nextron Systems), frack113
-date: 2021/11/29
-modified: 2023/05/24
+date: 2021-11-29
+modified: 2023-05-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
index ccd0f9a82d5..b7021462fe7 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
@@ -2,16 +2,16 @@ title: Scripting/CommandLine Process Spawned Regsvr32
 id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
 related:
 - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
 references:
 - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/26
+date: 2023-05-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
index bae2dcf8f27..85799d495e8 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
@@ -5,10 +5,10 @@ description: Detects a "regsvr32" execution where the DLL doesn't contain a comm
 references:
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems)
-date: 2019/07/17
-modified: 2023/05/24
+date: 2019-07-17
+modified: 2023-05-24
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
index e7fbbab376c..6e2b3457b02 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
@@ -11,10 +11,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: frack113
-date: 2022/02/11
-modified: 2023/03/05
+date: 2022-02-11
+modified: 2023-03-05
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
index d68f2966146..8a870c0ebae 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
@@ -5,10 +5,10 @@ description: Detects piping the password to an anydesk instance via CMD and the
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/28
-modified: 2023/03/05
+date: 2022-09-28
+modified: 2023-03-05
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
index 4d59ef141e8..0234458bf40 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml
@@ -10,10 +10,10 @@ references:
 - https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
 - https://anydesk.com/en/changelog/windows
 author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/08
+date: 2024-02-08
 tags:
 - attack.execution
- - attack.initial_access
+ - attack.initial-access
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
index c81e38b3197..07109aad8b3 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
 - https://support.anydesk.com/Automatic_Deployment
 author: Ján Trenčanský
-date: 2021/08/06
-modified: 2023/03/05
+date: 2021-08-06
+modified: 2023-03-05
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
index a6b1a9e8979..f84a8528335 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
@@ -11,10 +11,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: Florian Roth (Nextron Systems)
-date: 2022/05/20
-modified: 2023/03/05
+date: 2022-05-20
+modified: 2023-03-05
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
index b2f9584c5d4..c60e56527fd 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 author: frack113
-date: 2022/02/13
-modified: 2023/03/05
+date: 2022-02-13
+modified: 2023-03-05
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
index 9ceff0a9f1c..0e331ced803 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
 author: frack113
-date: 2022/02/11
-modified: 2023/03/05
+date: 2022-02-11
+modified: 2023-03-05
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
index 841c1dbb3c2..5610ff2a304 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
 author: frack113
-date: 2022/09/25
-modified: 2023/03/06
+date: 2022-09-25
+modified: 2023-03-06
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
index 16b03b2601b..88b2be2998d 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
@@ -5,10 +5,10 @@ description: Detects execution of client32.exe (NetSupport RAT) from an unusual
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/19
-modified: 2023/03/05
+date: 2022-09-19
+modified: 2023-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
index bc177acf66b..7ef274cfa8d 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
@@ -5,10 +5,10 @@ description: Detects execution of Remote Utilities RAT (RURAT) from an unusual l
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/19
-modified: 2023/03/05
+date: 2022-09-19
+modified: 2023-03-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml
index ac346dceb7a..5837ee40a57 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
 author: frack113
-date: 2022/02/13
-modified: 2023/03/05
+date: 2022-02-13
+modified: 2023-03-05
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
index 57e16a502c6..6a823017d89 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml
@@ -5,10 +5,10 @@ description: Detects ScreenConnect program starts that establish a remote access
 references:
 - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
 author: Florian Roth (Nextron Systems)
-date: 2021/02/11
-modified: 2024/02/26
+date: 2021-02-11
+modified: 2024-02-26
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
index 51c9c4131ba..ebe5cec977c 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml
@@ -5,8 +5,8 @@ description: Detects the execution of a system command via the ScreenConnect RMM
 references:
 - https://github.com/SigmaHQ/sigma/pull/4467
 author: Ali Alwashali
-date: 2023/10/10
-modified: 2024/02/26
+date: 2023-10-10
+modified: 2024-02-26
 tags:
 - attack.execution
 - attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
index 1c061482c80..1ffeab35c50 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml
@@ -12,10 +12,10 @@ references:
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 - https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
-date: 2022/02/25
-modified: 2024/02/28
+date: 2022-02-25
+modified: 2024-02-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml
index fc679f3c2a1..4c96eab5ac8 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml
@@ -6,9 +6,9 @@ references:
 - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
 - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
 author: Jason Rathbun (Blackpoint Cyber)
-date: 2024/02/26
+date: 2024-02-26
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml
index 97d5a7c1a1f..f5ae7a5751b 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml
@@ -8,9 +8,9 @@ description: |
 references:
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
+date: 2024-02-23
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
index a7cd2f6c88c..4eb010662e1 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
@@ -12,9 +12,9 @@ description: |
 references:
 - Internal Research
 author: Josh Nickels, Qi Nan
-date: 2024/03/11
+date: 2024-03-11
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1133
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml
index 7f90c85f278..6ac2605033a 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
 author: frack113
-date: 2022/09/25
-modified: 2024/03/14
+date: 2022-09-25
+modified: 2024-03-14
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml b/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml
index 08ae7a4f517..db3c5946e40 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml
@@ -6,8 +6,8 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2022/06/28
+date: 2019-10-24
+modified: 2022-06-28
 tags:
 - attack.discovery
 - attack.t1124
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
index 32f9cacad26..ea6b2b07db3 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
@@ -10,8 +10,8 @@ references:
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 author: Florian Roth (Nextron Systems)
-date: 2022/08/21
-modified: 2023/02/14
+date: 2022-08-21
+modified: 2023-02-14
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml b/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml
index e068c073e06..7163fc610e1 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml
@@ -6,9 +6,9 @@ references:
 - https://www.autohotkey.com/download/
 - https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
 author: Nasreddine Bencherchali
-date: 2023/02/07
+date: 2023-02-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
index 2d9869469d7..71266141e31 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w
 - https://www.autoitscript.com/site/
 author: Florian Roth (Nextron Systems)
-date: 2023/06/04
-modified: 2023/09/19
+date: 2023-06-04
+modified: 2023-09-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
index 34fcffbb018..41aa02ba41b 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
@@ -10,10 +10,10 @@ references:
 - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
 author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
-date: 2019/06/15
-modified: 2023/01/18
+date: 2019-06-15
+modified: 2023-01-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
index a6b3309b97b..f433daa459e 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -6,11 +6,11 @@ related:
 - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
 type: derived
 - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
- type: obsoletes
+ type: obsolete
 - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
- type: obsoletes
+ type: obsolete
 - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
 references:
@@ -20,10 +20,10 @@ references:
 - https://twitter.com/christophetd/status/1164506034720952320
 - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
 author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
-date: 2019/06/15
-modified: 2023/08/23
+date: 2019-06-15
+modified: 2023-08-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 - car.2013-05-009
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml b/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
index 95f36cdf4fc..8cef6284752 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
@@ -7,9 +7,9 @@ references:
 - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 author: Matt Anderson (Huntress)
-date: 2024/07/23
+date: 2024-07-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
index a0e5762c2b4..6e3be93cf67 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
@@ -5,8 +5,8 @@ description: Detects process creation with a renamed BrowserCore.exe (used to ex
 references:
 - https://twitter.com/mariuszbit/status/1531631015139102720
 author: Max Altgelt (Nextron Systems)
-date: 2022/06/02
-modified: 2023/02/03
+date: 2022-06-02
+modified: 2023-02-03
 tags:
 - attack.t1528
 - attack.t1036.003
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml b/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml
index ed52ec7a261..90b12f0ee3a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml
@@ -9,10 +9,10 @@ references:
 - https://www.intrinsec.com/akira_ransomware/
 - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1090.001
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/12/20
+date: 2023-12-20
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
index 2b3be1eb6cc..99bbf9453bd 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
@@ -9,10 +9,10 @@ references:
 - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
 - https://twitter.com/bopin2020/status/1366400799199272960
 author: Florian Roth (Nextron Systems)
-date: 2022/09/20
-modified: 2023/02/14
+date: 2022-09-20
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
index 4690f440adb..6d964cf0fa6 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
@@ -5,12 +5,12 @@ description: Detects the execution of a renamed "CURL.exe" binary based on the P
 references:
 - https://twitter.com/Kostastsale/status/1700965142828290260
 author: X__Junior (Nextron Systems)
-date: 2023/09/11
-modified: 2023/10/12
+date: 2023-09-11
+modified: 2023-10-12
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
index ce446ab8b1e..f8d82f84a49 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/gN3mes1s/status/1222095963789111296
 - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/01/28
-modified: 2024/04/22
+date: 2020-01-28
+modified: 2024-04-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1055.001
 - attack.t1202
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml b/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml
index edfda885f64..b670315e1ab 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml
@@ -5,12 +5,12 @@ description: Detects the execution of a renamed "ftp.exe" binary based on the PE
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2023/02/03
+date: 2020-10-09
+modified: 2023-02-03
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml
index 08b10c7459f..6bba496c088 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml
@@ -5,7 +5,7 @@ description: Detects the execution of a renamed "gpg.exe". Often used by ransomw
 references:
 - https://securelist.com/locked-out/68960/
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2023/08/09
+date: 2023-08-09
 tags:
 - attack.impact
 - attack.t1486
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
index f1b4c61cb8a..7150ee30f8c 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
@@ -5,11 +5,11 @@ description: Detects the execution of a renamed "jusched.exe" as seen used by th
 references:
 - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
 author: Markus Neis, Swisscom
-date: 2019/06/04
-modified: 2023/02/03
+date: 2019-06-04
+modified: 2023-02-03
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
index c4c13d98d6d..858a13222b2 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
@@ -12,11 +12,11 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/3742
 - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
 author: frack113, Florian Roth
-date: 2022/12/05
-modified: 2023/02/03
+date: 2022-12-05
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055.001
 - attack.t1218.013
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml b/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
index 70520a07e0f..188232b830e 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a renamed MegaSync.exe as seen used by ran
 references:
 - https://redcanary.com/blog/rclone-mega-extortion/
 author: Sittikorn S
-date: 2021/06/22
-modified: 2023/02/03
+date: 2021-06-22
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
index 6a5c90b2890..9979e1358e4 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a renamed "Msdt.exe" binary
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
 author: pH-T (Nextron Systems)
-date: 2022/06/03
-modified: 2023/02/03
+date: 2022-06-03
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
index 79af7acae31..c72c7ddbcc6 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
@@ -5,9 +5,9 @@ description: Detects the execution of a renamed Microsoft Teams binary.
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/12
+date: 2024-07-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
index 48ae4e590f3..b0ac2fd5ddf 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a renamed "client32.exe" (NetSupport RAT)
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/19
-modified: 2023/02/04
+date: 2022-09-19
+modified: 2023-02-04
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
index c37b5c87177..521f4e2b549 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
@@ -6,11 +6,11 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 - https://www.nirsoft.net/utils/nircmd.html
 author: X__Junior (Nextron Systems)
-date: 2024/03/11
+date: 2024-03-11
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
index 4189681c7e0..c14b35c2915 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a renamed office binary
 references:
 - https://infosec.exchange/@sbousseaden/109542254124022664
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/20
-modified: 2023/11/13
+date: 2022-12-20
+modified: 2023-11-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
index f5c57dd4177..0866f475618 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
@@ -2,17 +2,17 @@ title: Renamed PAExec Execution
 id: c4e49831-1496-40cf-8ce1-b53f942b02f9
 related:
 - id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects execution of renamed version of PAExec. Often used by attackers
 references:
 - https://www.poweradmin.com/paexec/
 - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
 author: Florian Roth (Nextron Systems), Jason Lynch
-date: 2021/05/22
-modified: 2023/02/14
+date: 2021-05-22
+modified: 2023-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml
index 00d3989d232..b58cd356b22 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml
@@ -6,11 +6,11 @@ references:
 - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
 - https://www.pingcastle.com/documentation/scanner/
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2024/01/11
+date: 2024-01-11
 tags:
 - attack.execution
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
index 6a4d5a33ecc..500a515554a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
@@ -6,10 +6,10 @@ references:
 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
 - https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/06
-modified: 2023/02/03
+date: 2022-06-06
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml b/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
index 0523888adb5..721d9c4cfb8 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/mrd0x/status/1463526834918854661
 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2023/04/11
+date: 2023-04-11
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
index 6667dda49ca..cdf33910fb9 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml
@@ -9,8 +9,8 @@ references:
 - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
 - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/22
-modified: 2023/02/03
+date: 2022-08-22
+modified: 2023-02-03
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
index f1e541c2eb4..218c4ae45bb 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
@@ -5,12 +5,12 @@ description: Detects execution of renamed Remote Utilities (RURAT) via Product P
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/19
-modified: 2023/02/03
+date: 2022-09-19
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.collection
- - attack.command_and_control
+ - attack.command-and-control
 - attack.discovery
 - attack.s0592
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml
index 230c1dcaff5..413a7c4bf47 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml
@@ -5,10 +5,10 @@ description: Detects suspicious renamed SysInternals DebugView execution
 references:
 - https://www.epicturla.com/blog/sysinturla
 author: Florian Roth (Nextron Systems)
-date: 2020/05/28
-modified: 2023/02/14
+date: 2020-05-28
+modified: 2023-02-14
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
index d7e4d89611c..0fca0d71ed6 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
@@ -2,7 +2,7 @@ title: Renamed ProcDump Execution
 id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
 related:
 - id: 03795938-1387-481b-9f4c-3f6241e604fe
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects the execution of a renamed ProcDump executable.
@@ -10,10 +10,10 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2019/11/18
-modified: 2024/06/25
+date: 2019-11-18
+modified: 2024-06-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml
index e814035242e..15d669e03db 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml
@@ -6,7 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
 - https://www.youtube.com/watch?v=ro2QuZTIMBM
 author: Florian Roth (Nextron Systems)
-date: 2022/07/21
+date: 2022-07-21
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
index 2b0f5e0e71a..fd5a4a37352 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
@@ -6,8 +6,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 author: Florian Roth (Nextron Systems)
-date: 2022/09/06
-modified: 2023/02/03
+date: 2022-09-06
+modified: 2023-02-03
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
index c598023335a..920651f3c29 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
@@ -5,10 +5,10 @@ description: Detects renamed vmnat.exe or portable version that can be used for
 references:
 - https://twitter.com/malmoeb/status/1525901219247845376
 author: elhoim
-date: 2022/09/09
-modified: 2023/02/03
+date: 2022-09-09
+modified: 2023-02-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml b/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
index 846719a0bab..df91c1b5b41 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml
@@ -6,8 +6,8 @@ references:
 - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
 - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 author: Florian Roth (Nextron Systems)
-date: 2021/08/12
-modified: 2022/10/09
+date: 2021-08-12
+modified: 2022-10-09
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml b/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
index d3b3c1f28ac..ba3c0d550cb 100644
--- a/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
+++ b/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml
@@ -8,10 +8,10 @@ references:
 - https://twitter.com/vysecurity/status/873181705024266241
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
 author: Julia Fomina, oscd.community
-date: 2020/10/09
-modified: 2024/03/13
+date: 2020-10-09
+modified: 2024-03-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
index bed8d924152..8cd96803917 100644
--- a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/02
+date: 2023-01-02
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
index 83308c35ac9..46057d26d57 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
@@ -5,10 +5,10 @@ description: Detects execution of rundll32 where the DLL being called is stored
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
 author: Harjot Singh, '@cyb3rjy0t'
-date: 2023/01/21
-modified: 2023/02/08
+date: 2023-01-21
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
index 811448ab2b6..4b2b4647db0 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/Hexacorn/status/1224848930795552769
 - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/17
+date: 2023-05-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
index 2815cf47fe9..df306b41dfb 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
@@ -5,10 +5,10 @@ description: Detects suspicious process related to rundll32 based on command lin
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 author: Florian Roth (Nextron Systems)
-date: 2021/03/05
-modified: 2022/10/09
+date: 2021-03-05
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
index 5aec1b61aeb..a65e79cc426 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
@@ -6,11 +6,11 @@ references:
 - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
-date: 2022/04/28
-modified: 2023/02/09
+date: 2022-04-28
+modified: 2023-02-09
 tags:
 - attack.t1218.011
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml b/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
index d549c8c3505..e448d62af92 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
@@ -5,10 +5,10 @@ description: Detects the invocation of the Stored User Names and Passwords dialo
 references:
 - https://twitter.com/NinjaParanoid/status/1516442028963659777
 author: Florian Roth (Nextron Systems)
-date: 2022/04/21
-modified: 2023/02/09
+date: 2022-04-21
+modified: 2023-02-09
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
index 8463d845919..d2b0e789699 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
@@ -2,9 +2,9 @@ title: Mshtml.DLL RunHTMLApplication Suspicious Usage
 id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
 related:
 - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
- type: obsoletes
+ type: obsolete
 - id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
@@ -13,10 +13,10 @@ references:
 - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
 - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
-date: 2022/08/14
-modified: 2024/02/23
+date: 2022-08-14
+modified: 2024-02-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
index 39893387247..44da78da8ed 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
@@ -6,10 +6,10 @@ references:
 - https://www.cobaltstrike.com/help-opsec
 - https://twitter.com/ber_m1ng/status/1397948048135778309
 author: Florian Roth (Nextron Systems)
-date: 2021/05/27
-modified: 2023/08/31
+date: 2021-05-27
+modified: 2023-08-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml
index 31db732deb7..3bbc732a204 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/med0x2e/status/1520402518685200384
 - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
 author: Elastic (idea), Tobias Michalski (Nextron Systems)
-date: 2022/05/04
-modified: 2023/02/09
+date: 2022-05-04
+modified: 2023-02-09
 tags:
- - attack.privilege_escalation
- - attack.credential_access
+ - attack.privilege-escalation
+ - attack.credential-access
 - attack.t1212
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
index 3209b188dd0..66bba5cd557 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
@@ -5,9 +5,9 @@ description: Detects execution of "rundll32" with potential obfuscated ordinal c
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/17
+date: 2023-05-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index ed28458bb19..0a3227f928a 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -6,10 +6,10 @@ references:
 - https://redcanary.com/blog/raspberry-robin/
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: CD_ROM_
-date: 2022/05/21
-modified: 2023/08/31
+date: 2022-05-21
+modified: 2023-08-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
index ec88f600212..714815aae05 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
@@ -2,7 +2,7 @@ title: Process Memory Dump Via Comsvcs.DLL
 id: 646ea171-dded-4578-8a4d-65e9822892e3
 related:
 - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
 references:
@@ -14,11 +14,11 @@ references: - https://twitter.com/Wietze/status/1542107456507203586 - https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems) -date: 2020/02/18 -modified: 2023/05/16 +date: 2020-02-18 +modified: 2023-05-16 tags: - - attack.defense_evasion - - attack.credential_access + - attack.defense-evasion + - attack.credential-access - attack.t1036 - attack.t1003.001 - car.2013-05-009 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml index 1b11880b0bd..737d8f360cd 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml @@ -6,10 +6,10 @@ references: - https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md author: frack113 -date: 2022/02/13 -modified: 2023/02/09 +date: 2022-02-13 +modified: 2023-02-09 tags: - - attack.privilege_escalation + - attack.privilege-escalation - attack.persistence - attack.t1546.015 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml b/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml index a5779948770..2e19639032c 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml 
@@ -5,10 +5,10 @@ description: Detects suspicious process run from unusual locations references: - https://car.mitre.org/wiki/CAR-2013-05-002 author: juju4, Jonhnathan Ribeiro, oscd.community -date: 2019/01/16 -modified: 2022/01/07 +date: 2019-01-16 +modified: 2022-01-07 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1036 - car.2013-05-002 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml index e3c6d5a9d61..45842f26116 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml @@ -8,10 +8,10 @@ references: - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20 author: Konstantin Grishchenko, oscd.community -date: 2020/10/07 -modified: 2021/11/27 +date: 2020-10-07 +modified: 2021-11-27 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml index 9ea945925ab..fc7dfe938d1 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml 
@@ -5,10 +5,10 @@ description: Detects shell32.dll executing a DLL in a suspicious directory references: - https://www.group-ib.com/resources/threat-research/red-curl-2.html author: Christian Burkard (Nextron Systems) -date: 2021/11/24 -modified: 2023/02/09 +date: 2021-11-24 +modified: 2023-02-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1218.011 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml index cdec3852b05..e64616f6742 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml @@ -5,10 +5,10 @@ description: Detects potential "ShellDispatch.dll" functionality abuse to execut references: - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ author: X__Junior (Nextron Systems) -date: 2023/06/20 +date: 2023-06-20 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml index 9f195446fd8..d9a6b8cb895 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml @@ -5,10 +5,10 @@ description: Detects RunDLL32.exe spawning explorer.exe as child, which is very references: - https://redcanary.com/blog/intelligence-insights-november-2021/ author: elhoim, CD_ROM_ -date: 2022/04/27 -modified: 2022/05/25 +date: 2022-04-27 +modified: 2022-05-25 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml index 16a2909e886..6cfa9d4abfe 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml @@ -10,10 +10,10 @@ references: - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) -date: 2019/01/16 -modified: 2023/05/17 +date: 2019-01-16 +modified: 2023-05-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml index dbad3a4bbd0..03b843879d2 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml @@ -6,10 +6,10 @@ references: - https://twitter.com/rikvduijn/status/853251879320662017 - https://twitter.com/felixw3000/status/853354851128025088 author: Florian Roth (Nextron Systems) -date: 2017/04/15 -modified: 2023/02/09 +date: 2017-04-15 +modified: 2023-02-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml index 84403e8320d..2795efa6d83 100644 
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml @@ -8,9 +8,9 @@ description: Detects the execution of Rundll32.exe with DLL files masquerading a references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution author: Hieu Tran -date: 2023/03/13 +date: 2023-03-13 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml index 90b7cac650e..c71a44c8330 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml @@ -2,7 +2,7 @@ title: Suspicious Usage Of ShellExec_RunDLL id: d87bd452-6da1-456e-8155-7dc988157b7d related: - id: 36c5146c-d127-4f85-8e21-01bf62355d5a - type: obsoletes + type: obsolete status: test description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack references: @@ -10,10 +10,10 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - https://github.com/SigmaHQ/sigma/issues/1009 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/01 -modified: 2022/12/30 +date: 2022-09-01 +modified: 2022-12-30 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows 
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml index 5976aefcbb7..5a0ec908dcf 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml @@ -5,9 +5,9 @@ description: Detects actions that clear the local ShimCache and remove forensic references: - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e author: Florian Roth (Nextron Systems) -date: 2021/02/01 +date: 2021-02-01 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1112 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml b/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml index b3ca0324b89..7e27c3ab3f5 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml @@ -5,10 +5,10 @@ description: Detects suspicious process related to rundll32 based on command lin references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ author: Florian Roth (Nextron Systems) -date: 2021/03/05 -modified: 2022/10/09 +date: 2021-03-05 +modified: 2022-10-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml index 82dad4c3730..de471832217 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml 
@@ -5,9 +5,9 @@ description: Detects rundll32 execution where the DLL is located on a remote loc references: - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/10 +date: 2022-08-10 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1021.002 - attack.t1218.011 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml index 26141b85ef4..a349f84d3a2 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml @@ -5,10 +5,10 @@ description: Detects the execution of rundll32 with a command line that doesn't references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou -date: 2022/01/13 -modified: 2024/04/04 +date: 2022-01-13 +modified: 2024-04-04 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml index 20439b6b8fa..87fd88589fc 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml @@ -5,10 +5,10 @@ description: Detects a suspicious call to the user32.dll function that locks the references: - https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/ author: frack113 -date: 2022/06/04 -modified: 2023/02/09 +date: 2022-06-04 +modified: 2023-02-09 tags: - - attack.defense_evasion + - attack.defense-evasion logsource: category: process_creation product: windows 
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml index 3757fd550f9..ed71d8d6649 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml @@ -8,8 +8,8 @@ references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -modified: 2023/09/18 +date: 2020-05-02 +modified: 2023-09-18 tags: - attack.exfiltration - attack.t1048.003 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml index 610c2e6f2e0..fe715de8131 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml @@ -10,12 +10,12 @@ references: - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) -date: 2023/03/16 -modified: 2023/09/18 +date: 2023-03-16 +modified: 2023-09-18 tags: - attack.exfiltration - attack.t1048.003 - - cve.2023.23397 + - cve.2023-23397 logsource: category: process_creation product: windows 
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml b/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml index 9cc95b794be..bd17411de6e 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml @@ -5,10 +5,10 @@ description: Detects rundll32 execution without parameters as observed when runn references: - https://bczyz1.github.io/2021/01/30/psexec.html author: Bartlomiej Czyz, Relativity -date: 2021/01/31 -modified: 2023/02/28 +date: 2021-01-31 +modified: 2023-02-28 tags: - - attack.lateral_movement + - attack.lateral-movement - attack.t1021.002 - attack.t1570 - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml index 61195b186f1..06388ff4750 100644 --- a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml @@ -7,10 +7,10 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Runonce/ - https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)' -date: 2020/10/18 -modified: 2022/12/13 +date: 2020-10-18 +modified: 2022-12-13 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1112 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml index 468c0e742ad..1d3ea3bd064 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml 
+++ b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml @@ -6,12 +6,12 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://pentestlab.blog/2017/03/30/weak-service-permissions/ author: Teymur Kheirkhabarov -date: 2019/10/26 -modified: 2022/07/14 +date: 2019-10-26 +modified: 2022-07-14 tags: - attack.persistence - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_sc_create_service.yml b/rules/windows/process_creation/proc_creation_win_sc_create_service.yml index 02ba32dc579..c17957472a9 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_create_service.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_create_service.yml @@ -8,10 +8,10 @@ description: Detects the creation of a new service using the "sc.exe" utility. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community -date: 2023/02/20 +date: 2023-02-20 tags: - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1543.003 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml index f744201a645..df12c69966d 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml 
@@ -5,11 +5,11 @@ description: Detect the use of "sc.exe" to change the startup type of a service references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/08/01 -modified: 2023/03/04 +date: 2022-08-01 +modified: 2023-03-04 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1562.001 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml b/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml index 8aec61d5a9d..8715341d6fa 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml @@ -5,11 +5,11 @@ description: Detects creation of a new service (kernel driver) with the type "ke references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/14 -modified: 2022/08/08 +date: 2022-07-14 +modified: 2022-08-08 tags: - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1543.003 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml index 565e70fbe28..7ecfdb1441c 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml @@ -8,7 +8,7 @@ references: - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ - https://pentestlab.blog/tag/svchost/ author: Swachchhanda Shrawan Poudel -date: 2024/02/12 +date: 2024-02-12 tags: - attack.t1003 logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml index 6d13dddb245..f8d48321fd3 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml @@ -10,7 +10,7 @@ references: - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/02/28 +date: 2023-02-28 tags: - attack.persistence - attack.t1543.003 diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml index 435c827bea6..d10b3de7cf2 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml @@ -12,8 +12,8 @@ references: - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings author: Jonhnathan Ribeiro, oscd.community -date: 2020/10/16 -modified: 2023/02/28 +date: 2020-10-16 +modified: 2023-02-28 tags: - attack.persistence - attack.t1543.003 diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml index 55e2f88be8f..b1261f9c6a6 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml 
@@ -13,12 +13,12 @@ references: - https://twitter.com/Alh4zr3d/status/1580925761996828672 - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ author: Andreas Hunkeler (@Karneades) -date: 2021/12/20 -modified: 2022/08/08 +date: 2021-12-20 +modified: 2022-08-08 tags: - attack.persistence - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml index a840e37eb96..08a56a06d45 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml @@ -14,11 +14,11 @@ references: - https://twitter.com/0gtweet/status/1628720819537936386 - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/02/28 +date: 2023-02-28 tags: - attack.persistence - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1574.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml index 6d2a8dc5831..613afbacba9 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml 
@@ -6,11 +6,11 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems) -date: 2019/10/21 -modified: 2022/11/18 +date: 2019-10-21 +modified: 2022-11-18 tags: - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1543.003 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml index 8f47c4a0012..b2c29769fbb 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml @@ -5,8 +5,8 @@ description: Detects the modification of an existing service in order to execute references: - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/ author: Sreeman -date: 2020/09/29 -modified: 2023/02/04 +date: 2020-09-29 +modified: 2023-02-04 tags: - attack.persistence - attack.t1543.003 diff --git a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml index 021b959aea8..0c541cb7237 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml 
@@ -2,14 +2,14 @@ title: Stop Windows Service Via Sc.EXE id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1 related: - id: eb87818d-db5d-49cc-a987-d5da331fbd90 - type: obsoletes + type: obsolete status: test description: Detects the stopping of a Windows service via the "sc.exe" utility references: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11) author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) -date: 2023/03/05 -modified: 2024/01/18 +date: 2023-03-05 +modified: 2024-01-18 tags: - attack.impact - attack.t1489 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml index 8809b4bc0b2..9ff4c256b44 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml @@ -5,8 +5,8 @@ description: 'Detects the creation of a schtask that executes a file from C:\Use references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2022/03/15 -modified: 2022/07/28 +date: 2022-03-15 +modified: 2022-07-28 tags: - attack.execution - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml index 23f81020098..d6ae42d41d1 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml 
@@ -12,8 +12,8 @@ references: - Internal Research - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/28 -modified: 2022/11/18 +date: 2022-07-28 +modified: 2022-11-18 tags: - attack.execution - attack.t1053.005 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml index 34f3bcc072c..ffd4529fdd1 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml @@ -5,12 +5,12 @@ description: Detects the creation of scheduled tasks by user accounts via the "s references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create author: Florian Roth (Nextron Systems) -date: 2019/01/16 -modified: 2024/01/18 +date: 2019-01-16 +modified: 2024-01-18 tags: - attack.execution - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1053.005 - attack.s0111 - car.2013-08-001 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml index c0f71c2dec2..e79bc2c631a 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml @@ -5,8 +5,8 @@ description: Detects the creation of scheduled tasks that involves a temporary f references: - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3 author: Florian Roth (Nextron Systems) -date: 2021/03/11 -modified: 2022/10/09 +date: 2021-03-11 +modified: 2022-10-09 tags: - attack.execution - attack.persistence 
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml index 332026d0eba..a559cb449ee 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml @@ -10,7 +10,7 @@ description: Detects when adversaries stop services or processes by deleting the references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/09 +date: 2022-09-09 tags: - attack.impact - attack.t1489 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml index c26cf564570..c44f82ae6bf 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml @@ -5,7 +5,7 @@ description: Detects the usage of schtasks with the delete flag and the asterisk references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/09 +date: 2022-09-09 tags: - attack.impact - attack.t1489 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml index 41d9ecf9db2..4fa4b178415 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml @@ -10,8 +10,8 @@ references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2021/12/26 -modified: 2022/09/02 +date: 2021-12-26 +modified: 2022-09-02 tags: - attack.impact - attack.t1489 
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml index cab01e54852..bd5dbaf9f16 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml @@ -9,8 +9,8 @@ references: - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/ - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 author: Florian Roth (Nextron Systems) -date: 2022/02/21 -modified: 2023/11/30 +date: 2022-02-21 +modified: 2023-11-30 tags: - attack.execution - attack.t1053.005 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml b/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml index 20d0b3afbbd..bfe2883eef3 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml @@ -5,8 +5,8 @@ description: Detects scheduled task creations that have suspicious action comman references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical author: Florian Roth (Nextron Systems) -date: 2022/04/15 -modified: 2022/11/18 +date: 2022-04-15 +modified: 2022-11-18 tags: - attack.execution - attack.t1053.005 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml b/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml index b160d5b9dad..f4b7ec16a7e 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml 
@@ -6,7 +6,7 @@ references:
 - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/31
+date: 2022-10-31
 tags:
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
index b5e40bb6f96..03ad5717d8b 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml
@@ -5,12 +5,12 @@ description: Detects scheduled task creation events that include suspicious acti
 references:
 - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
 author: pH-T (Nextron Systems)
-date: 2022/07/15
-modified: 2023/02/03
+date: 2022-07-15
+modified: 2023-02-03
 tags:
 - attack.execution
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1053.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
index 6a3e317d26c..a65cee2b88e 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml
@@ -10,8 +10,8 @@ description: |
 references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
 author: Sreeman
-date: 2020/09/29
-modified: 2023/02/10
+date: 2020-09-29
+modified: 2023-02-10
 tags:
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
index 14869fd6d54..87bb266a3e4 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml
@@ -8,8 +8,8 @@ description: Detects suspicious powershell execution via a schedule task where t
 references:
 - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
 author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
-date: 2022/04/08
-modified: 2023/02/03
+date: 2022-04-08
+modified: 2023-02-03
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index d2bea93c3f9..99163716862 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -8,7 +8,7 @@ description: Detects the creation of a schtasks that potentially executes a payl
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/18
+date: 2023-07-18
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
index b5af7a3d4d7..15c92888516 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
@@ -5,8 +5,8 @@ description: Detects the creation of a schtask that potentially executes a base6
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/12
-modified: 2023/02/04
+date: 2022-02-12
+modified: 2023-02-04
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
index 8f54cd52973..26dd70113b2 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
@@ -10,7 +10,7 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
+date: 2022-09-09
 tags:
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
index 628579ef580..512b2356ddb 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
@@ -9,7 +9,7 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/31
+date: 2022-08-31
 tags:
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index 2a7737600ad..a7d8db95a25 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
 - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
 author: Swachchhanda Shrawan Poudel, Elastic (idea)
-date: 2023/04/20
+date: 2023-04-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1036.005
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
index 9f6d002f55e..d2470cf015b 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
@@ -7,8 +7,8 @@ references:
 - https://twitter.com/RedDrip7/status/1506480588827467785
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 author: Florian Roth (Nextron Systems)
-date: 2022/02/23
-modified: 2024/03/19
+date: 2022-02-23
+modified: 2024-03-19
 tags:
 - attack.execution
 - attack.t1053.005
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
index a40a2ee44bb..d6eac695b55 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
@@ -6,8 +6,8 @@ references:
 - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/28
-modified: 2023/10/11
+date: 2022-07-28
+modified: 2023-10-11
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml
index b790f018e33..736734943a4 100644
--- a/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml
@@ -6,8 +6,8 @@ references:
 - https://redcanary.com/blog/child-processes/
 - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
 author: Sittikorn S
-date: 2021/06/21
-modified: 2022/07/14
+date: 2021-06-21
+modified: 2022-07-14
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml
index fc3401586a1..c0abc440402 100644
--- a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml
@@ -10,11 +10,11 @@ description: |
 references:
 - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
 author: Markus Neis
-date: 2019/01/16
-modified: 2023/12/06
+date: 2019-01-16
+modified: 2023-12-06
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
index cf713c718fc..8c4508aad91 100644
--- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
@@ -11,11 +11,11 @@ references:
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/01
-modified: 2024/01/10
+date: 2023-08-01
+modified: 2024-01-10
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
index 4765abf2dea..9863eb337ac 100644
--- a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/6
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2021/11/27
+date: 2020-05-02
+modified: 2021-11-27
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
index fc46bb60f4e..d885bf0fbae 100644
--- a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
@@ -8,10 +8,10 @@ references:
 - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
 - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
 author: Nextron Systems
-date: 2022/06/01
-modified: 2022/10/31
+date: 2022-06-01
+modified: 2022-10-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
index 1e15aaf74cf..bd6dba03349 100644
--- a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
@@ -6,14 +6,14 @@ references:
 - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
 author: Janantha Marasinghe
-date: 2022/11/18
-modified: 2022/12/30
+date: 2022-11-18
+modified: 2022-12-30
 tags:
 - attack.discovery
 - attack.persistence
- - attack.defense_evasion
- - attack.credential_access
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.credential-access
+ - attack.privilege-escalation
 - attack.t1562.002
 - attack.t1547.001
 - attack.t1505.005
diff --git a/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
index 9d7f2ac0bee..d38a5e4c5a3 100644
--- a/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml
@@ -5,12 +5,12 @@ description: Detects a suspicious process pattern which could be a sign of an ex
 references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth (Nextron Systems)
-date: 2021/07/14
-modified: 2022/07/14
+date: 2021-07-14
+modified: 2022-07-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555
- - cve.2021.35211
+ - cve.2021-35211
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
index c4fbfac5f27..b2471cb1cd0 100644
--- a/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
@@ -11,10 +11,10 @@ references:
 - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
 author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
-date: 2022/12/11
-modified: 2024/06/26
+date: 2022-12-11
+modified: 2024-06-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml b/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml
index 5ce2b50b94e..b8b4d6beabc 100644
--- a/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml
@@ -6,10 +6,10 @@ references:
 - https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
 - https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
 author: Markus Neis, keepwatch
-date: 2018/11/14
-modified: 2023/10/23
+date: 2018-11-14
+modified: 2023-10-23
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1558.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml b/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml
index 58514201319..d16f90c2644 100644
--- a/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
 author: frack113
-date: 2022/01/01
+date: 2022-01-01
 tags:
 - attack.impact
 - attack.t1529
diff --git a/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml b/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml
index b9aa501c7a8..d950db6f452 100644
--- a/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml
+++ b/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
 author: frack113
-date: 2022/10/01
+date: 2022-10-01
 tags:
 - attack.impact
 - attack.t1529
diff --git a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
index 991912bbd5a..adb98fa41ac 100644
--- a/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
@@ -5,7 +5,7 @@ description: Detects potentially uncommon child processes of SndVol.exe (the Win
 references:
 - https://twitter.com/Max_Mal_/status/1661322732456353792
 author: X__Junior (Nextron Systems)
-date: 2023/06/09
+date: 2023-06-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml b/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml
index 120d73412db..032905fd6d2 100644
--- a/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml
+++ b/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
 - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
 - attack.collection
 - attack.t1123
diff --git a/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml b/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
index d2dfe75fc82..1f1cc3acc1f 100644
--- a/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
@@ -5,10 +5,10 @@ description: Detects suspicious Splwow64.exe process without any command line pa
 references:
 - https://twitter.com/sbousseaden/status/1429401053229891590?s=12
 author: Florian Roth (Nextron Systems)
-date: 2021/08/23
-modified: 2022/12/25
+date: 2021-08-23
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
index 14f4e809d4c..e34e32611c9 100644
--- a/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
@@ -5,12 +5,12 @@ description: Detects suspicious print spool service (spoolsv.exe) child processe
 references:
 - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
 author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
-date: 2021/07/11
-modified: 2023/02/09
+date: 2021-07-11
+modified: 2023-02-09
 tags:
 - attack.execution
 - attack.t1203
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1068
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
index 694df291501..4f4b6b1c8a5 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
@@ -5,7 +5,7 @@ description: Detects potentially suspicious SQL queries using SQLCmd targeting t
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/04
+date: 2023-05-04
 tags:
 - attack.collection
 - attack.t1005
diff --git a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml
index 78454ac43af..1323f023717 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml
@@ -6,8 +6,8 @@ references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
 author: frack113
-date: 2021/12/20
-modified: 2023/02/13
+date: 2021-12-20
+modified: 2023-02-13
 tags:
 - attack.collection
 - attack.t1005
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
index e9c72d99082..8de428d8e76 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
 - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
 author: TropChaud
-date: 2022/12/19
-modified: 2023/01/19
+date: 2022-12-19
+modified: 2023-01-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1539
 - attack.t1555.003
 - attack.collection
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
index 9192cf12fa2..cb9ec6c37b0 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
 - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
 author: frack113
-date: 2022/04/08
-modified: 2023/01/19
+date: 2022-04-08
+modified: 2023-01-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1539
 - attack.collection
 - attack.t1005
diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
index f12306af17c..ae5d70dd089 100644
--- a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
@@ -4,7 +4,7 @@ related:
 - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
 type: similar
 - id: fa4b21c9-0057-4493-b289-2556416ae4d7
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
@@ -13,10 +13,10 @@ references:
 - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
 - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
 author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-date: 2022/06/09
-modified: 2023/11/09
+date: 2022-06-09
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
index 706757b4ca3..69ea3ea2327 100644
--- a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
@@ -4,7 +4,7 @@ related:
 - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
 type: similar
 - id: fa4b21c9-0057-4493-b289-2556416ae4d7
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
@@ -13,10 +13,10 @@ references:
 - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
 - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
 author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-date: 2022/06/09
-modified: 2023/11/09
+date: 2022-06-09
+modified: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
index abd9994911f..0e5e79ac389 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
@@ -5,11 +5,11 @@ description: Detects port forwarding activity via SSH.exe
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/12
-modified: 2024/03/05
+date: 2022-10-12
+modified: 2024-03-05
 tags:
- - attack.command_and_control
- - attack.lateral_movement
+ - attack.command-and-control
+ - attack.lateral-movement
 - attack.t1572
 - attack.t1021.001
 - attack.t1021.004
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
index 1a707053986..0b7c2bcc182 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml
@@ -8,10 +8,10 @@ description: Execution of ssh.exe to perform data exfiltration and tunneling thr
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/12
-modified: 2023/01/25
+date: 2022-10-12
+modified: 2023-01-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1572
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
index c10b673d119..026345ac200 100644
--- a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml
@@ -7,9 +7,9 @@ references:
 - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
 - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
 author: Muhammad Faisal
-date: 2023/08/02
+date: 2023-08-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.persistence
 - attack.t1219
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
index 549753a3883..ca0bc2f5131 100644
--- a/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
@@ -6,10 +6,10 @@ references:
 - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
 - https://twitter.com/eral4m/status/1451112385041911809
 author: Austin Songer (@austinsonger)
-date: 2021/10/21
-modified: 2022/12/25
+date: 2021-10-21
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml
index 5dc67e47186..2be1fac6979 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml
@@ -8,10 +8,10 @@ references:
 - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/
 - https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/
 author: frack113
-date: 2022/07/16
-modified: 2022/07/16
+date: 2022-07-16
+modified: 2022-07-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
index a052d079963..2ab8fb6b9fa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
@@ -5,10 +5,10 @@ description: Detection of unusual child processes by different system processes
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
 author: 'Semanur Guneysu @semanurtg, oscd.community'
-date: 2020/10/28
-modified: 2022/11/11
+date: 2020-10-28
+modified: 2022-11-11
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
index ddbfed9d8a6..a76b7c779bd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml
@@ -10,8 +10,8 @@ description: Detects addition of users to the local administrator group via "Net
 references:
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2023/03/02
+date: 2022-08-12
+modified: 2023-03-02
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
index 12d8156987b..c15579cb9b7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml
@@ -10,7 +10,7 @@ description: Detects addition of users to highly privileged groups via "Net" or
 references:
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/02/23
+date: 2024-02-23
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
index f3be0334bd4..4ff9dcceb21 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml
@@ -10,11 +10,11 @@ description: Detects addition of users to the local Remote Desktop Users group v
 references:
 - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
 author: Florian Roth (Nextron Systems)
-date: 2021/12/06
-modified: 2022/09/09
+date: 2021-12-06
+modified: 2022-09-09
 tags:
 - attack.persistence
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1133
 - attack.t1136.001
 - attack.t1021.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml b/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
index 6425bd32d21..3f4165ee68c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
@@ -5,10 +5,10 @@ description: Detects execution from an Alternate Data Stream (ADS). Adversaries
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
 author: frack113
-date: 2021/09/01
-modified: 2022/10/09
+date: 2021-09-01
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
index 275ef218086..ef7734a59da 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
@@ -5,10 +5,10 @@ description: Detects Windows Installer service (msiexec.exe) trying to install M
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-date: 2020/10/13
-modified: 2023/03/23
+date: 2020-10-13
+modified: 2023-03-23
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
index eb0cd776317..4b574bd377d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/12
-modified: 2023/08/31
+date: 2023-01-12
+modified: 2023-08-31
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml
index 70023c677d6..1d5c7af9d91 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml
@@ -5,13 +5,13 @@ description: The .SettingContent-ms file type was introduced in Windows 10 and a
 references:
 - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
 author: Sreeman
-date: 2020/03/13
-modified: 2022/04/14
+date: 2020-03-13
+modified: 2022-04-14
 tags:
 - attack.t1204
 - attack.t1566.001
 - attack.execution
- - attack.initial_access
+ - attack.initial-access
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml b/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml
index 27fadd50fe1..176bb756a42 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml
@@ -6,9 +6,9 @@ references:
 - https://twitter.com/1ZRR4H/status/1534259727059787783
 - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
 author: Florian Roth (Nextron Systems)
-date: 2022/06/07
+date: 2022-06-07
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml b/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml
index ce56d7ceb45..c0bbaf65747 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml
@@ -6,12 +6,12 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: frack113
-date: 2021/07/28
-modified: 2022/11/11
+date: 2021-07-28
+modified: 2022-11-11
 tags:
 - attack.collection
 - attack.t1119
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
index 1cea509263f..6c414fefcdd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
@@ -2,7 +2,7 @@ title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
 id: a7c3d773-caef-227e-a7e7-c2f13c622329
 related:
 - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
- type: obsoletes
+ type: obsolete
 status: experimental
 description: |
 Detects attackers using tooling with bad opsec defaults.
@@ -17,10 +17,10 @@ references:
 - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
 - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
 author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
-date: 2020/10/23
-modified: 2023/12/02
+date: 2020-10-23
+modified: 2023-12-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
index 9235887ad2d..1c2fafbeb8c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
@@ -7,7 +7,7 @@ references:
 - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
 - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
 author: Joseph Kamau
-date: 2024/05/27
+date: 2024-05-27
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
index 029ddf639aa..ca37a85689d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
@@ -8,10 +8,10 @@ references:
 - https://github.com/antonioCoco/RogueWinRM
 - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
 author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
-date: 2019/10/26
-modified: 2022/12/15
+date: 2019-10-26
+modified: 2022-12-15
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1134.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml
index 58caabd5aeb..06783482721 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml
@@ -9,10 +9,10 @@ references:
 - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques
 - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
 author: juju4
-date: 2018/12/11
-modified: 2023/03/03
+date: 2018-12-11
+modified: 2023-03-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
index 2df73f9e4e9..5c4990d623b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
@@ -2,7 +2,7 @@ title: Potential Commandline Obfuscation Using Unicode Characters
 id: e0552b19-5a83-4222-b141-b36184bb8d79
 related:
 - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects potential commandline obfuscation using unicode characters.
@@ -11,10 +11,10 @@ references:
 - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/01/15
-modified: 2024/07/22
+date: 2022-01-15
+modified: 2024-07-22
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml
index fca1f14b055..87b5c6e5890 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/hexacorn/status/1448037865435320323
 - https://twitter.com/Gal_B1t/status/1062971006078345217
 author: Christian Burkard (Nextron Systems)
-date: 2021/10/26
-modified: 2023/03/29
+date: 2021-10-26
+modified: 2023-03-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml
index 3ce4b2cb29d..2d4375d4db9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml
@@ -11,10 +11,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/23
-modified: 2023/08/29
+date: 2022-12-23
+modified: 2023-08-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
index 0f6d34c5c92..41da47ed065 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
@@ -8,10 +8,10 @@ references:
 - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
-date: 2019/12/30
-modified: 2023/11/15
+date: 2019-12-30
+modified: 2023-11-15
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.collection
 - attack.exfiltration
 - attack.t1039
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
index b31a32e7488..8fd8668f5b6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
@@ -12,10 +12,10 @@ references:
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
 author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/07/03
-modified: 2023/08/29
+date: 2020-07-03
+modified: 2023-08-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
index 49fb0c5537e..225f8b27a91 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
@@ -11,9 +11,9 @@ references:
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/29
+date: 2023-08-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml b/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml
index 337b534e682..21e9c86b3a0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml
@@ -5,8 +5,8 @@ description: Detects command line parameters or strings often used by crypto min
 references:
 - https://www.poolwatch.io/coin/monero
 author: Florian Roth (Nextron Systems)
-date: 2021/10/26
-modified: 2023/02/13
+date: 2021-10-26
+modified: 2023-02-13
 tags:
 - attack.impact
 - attack.t1496
diff --git a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
index d9a4141405c..e174a1b0374 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
@@ -5,8 +5,8 @@ description: Detects the use of various CLI utilities exfiltrating data via web
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/02
-modified: 2023/07/27
+date: 2022-08-02
+modified: 2023-07-27
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
index 74c40d55db5..9e0e26b5ae8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
@@ -5,10 +5,10 @@ description: Detects commands that indicate a Raccine removal from an end system
 references:
 - https://github.com/Neo23x0/Raccine
 author: Florian Roth (Nextron Systems)
-date: 2021/01/21
-modified: 2022/10/09
+date: 2021-01-21
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
index 1c6d256504b..46b9ff3fb2f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
@@ -9,10 +9,10 @@ references:
 - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
 - https://twitter.com/blackorbird/status/1140519090961825792
 author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
-date: 2019/06/26
-modified: 2023/02/28
+date: 2019-06-26
+modified: 2023-02-28
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
index 0a14cd5bc0c..59572989ba8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
@@ -9,10 +9,10 @@ references:
 - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/06
-modified: 2023/02/28
+date: 2023-01-06
+modified: 2023-02-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.007
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
index 2c691f14ec3..015f43dbf31 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
 - https://twitter.com/mrd0x/status/1475085452784844803?s=12
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/27
-modified: 2022/08/02
+date: 2021-12-27
+modified: 2022-08-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 - attack.t1608
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
index 4d2075134ed..50ba43d5a04 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
@@ -5,10 +5,10 @@ description: Detects the use of the filename DumpStack.log to evade Microsoft De
 references:
 - https://twitter.com/mrd0x/status/1479094189048713219
 author: Florian Roth (Nextron Systems)
-date: 2022/01/06
-modified: 2022/06/17
+date: 2022-01-06
+modified: 2022-06-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
index 251d98467ae..db394807ff1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
@@ -5,10 +5,10 @@ description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-date: 2020/10/13
-modified: 2022/10/20
+date: 2020-10-13
+modified: 2022-10-20
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
index 63d8d6ab173..2778575dbdd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml
@@ -15,8 +15,8 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
 - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/21
-modified: 2024/07/12
+date: 2022-10-21
+modified: 2024-07-12
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
index ef096ea1cac..370e3dcc0d3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml
@@ -13,8 +13,8 @@ references:
 - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
 - https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/05
-modified: 2023/11/09
+date: 2023-09-05
+modified: 2023-11-09
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
index ef9da018271..271d8a99563 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
@@ -8,11 +8,11 @@ description: Detects when a shell program such as the Windows command prompt or
 references:
 - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
-date: 2022/12/05
-modified: 2023/11/23
+date: 2022-12-05
+modified: 2023-11-23
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml b/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
index 1ee3dea9cfb..a1a84246a3d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
@@ -5,7 +5,7 @@ description: Detects events that appear when a user click on a link file with a
 references:
 - https://www.x86matthew.com/view_post?id=embed_exe_lnk
 author: frack113
-date: 2022/02/06
+date: 2022-02-06
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
index ff860de061d..ecd20aaa7e1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
@@ -16,10 +16,10 @@ references:
 - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/12/09
+date: 2020-05-02
+modified: 2022-12-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
index 3cd5ededa1a..64c7bf780b5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
@@ -8,10 +8,10 @@ references:
 - https://abuse.io/lockergoga.txt
 - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
 author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
-date: 2019/03/22
-modified: 2022/06/28
+date: 2019-03-22
+modified: 2022-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.t1562.006
 - car.2016-04-002
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
index 3ca670aae69..21e5ba0bc85 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
@@ -11,10 +11,10 @@ references:
 - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
 - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
 author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
-date: 2019/09/26
-modified: 2023/07/13
+date: 2019-09-26
+modified: 2023-07-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.001
 - attack.t1562.002
 - car.2016-04-002
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
index abeef5c72ce..1fe8c0efe8f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
@@ -18,10 +18,10 @@ references:
 - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2022/09/09
-modified: 2024/07/12
+date: 2022-09-09
+modified: 2024-07-12
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1552
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
index 9775ea65ddd..380377348bb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
@@ -6,10 +6,10 @@ description: |
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/25
-modified: 2024/07/12
+date: 2022-02-25
+modified: 2024-07-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1564
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
index 1edbf5b7969..7b0494fe52e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
@@ -8,10 +8,10 @@ references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 - https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
 author: Florian Roth (Nextron Systems), Tim Shelton
-date: 2019/01/16
-modified: 2024/07/12
+date: 2019-01-16
+modified: 2024-07-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml b/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml
index a9e0d798566..2441df75522 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml
@@ -6,8 +6,8 @@ references:
 - https://securelist.com/muddywater/88059/
 - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
 author: Markus Neis, Sander Wiebing
-date: 2018/11/22
-modified: 2022/10/09
+date: 2018-11-22
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1059.006
diff --git a/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml
index 5c7470007c4..fc62c9d496d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml
@@ -11,7 +11,7 @@ references:
 - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
 - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/08
+date: 2023-02-08
 tags:
 - attack.discovery
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
index f7e821ad2dd..8dbabf5e305 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
@@ -13,9 +13,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
 author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
-date: 2023/10/09
+date: 2023-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
index ac2f2302657..f769748cbaa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
@@ -5,12 +5,12 @@ description: Monitors for the hiding possible malicious files in the C:\Windows\
 references:
 - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
 author: Sreeman
-date: 2020/04/21
-modified: 2022/03/08
+date: 2020-04-21
+modified: 2022-03-08
 tags:
 - attack.t1211
 - attack.t1059
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml b/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
index 06788d19cae..c8ad77d27f5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
@@ -9,9 +9,9 @@ references:
 - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
 - http://www.irongeek.com/homoglyph-attack-generator.php
 author: Micah Babinski, @micahbabinski
-date: 2023/05/07
+date: 2023-05-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1036.003
 # - attack.t1036.008
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index 6b241e67f1a..7acb7a5f7e1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -5,10 +5,10 @@ description: Checks whether the image specified in a process creation event is n
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 author: Max Altgelt (Nextron Systems)
-date: 2021/12/09
-modified: 2022/12/14
+date: 2021-12-09
+modified: 2022-12-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml
index 69c8dc3f65e..c95ec1d6f40 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml
@@ -5,7 +5,7 @@ description: Detects encoded base64 MZ header in the commandline
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/12
+date: 2022-07-12
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
index c6473041487..8310c8fa0ff 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
@@ -8,8 +8,8 @@ description: Detects the use of WinAPI Functions via the commandline. As seen us
 references:
 - https://twitter.com/m417z/status/1566674631788007425
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/06
-modified: 2023/01/09
+date: 2022-09-06
+modified: 2023-01-09
 tags:
 - attack.execution
 - attack.t1106
diff --git a/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml b/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
index bee5a6cc435..5f3d9798bc8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
@@ -5,8 +5,8 @@ description: Local accounts, System Owner/User discovery using operating systems
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/21
-modified: 2023/01/03
+date: 2019-10-21
+modified: 2023-01-03
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
index fde466c4ef6..b10f0d2e961 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
@@ -10,10 +10,10 @@ references:
 - https://www.scythe.io/library/threat-emulation-qakbot
 - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
-date: 2022/01/25
-modified: 2023/08/29
+date: 2022-01-25
+modified: 2023-08-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml b/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml
index 501b012cb8b..a0383ed2184 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml
@@ -14,10 +14,10 @@ references:
 - https://github.com/helpsystems/nanodump
 - https://github.com/CCob/MirrorDump
 author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/24
-modified: 2023/08/29
+date: 2019-10-24
+modified: 2023-08-29
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
index 98220bde896..a1f8d6ba804 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
@@ -10,9 +10,9 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
 author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-date: 2023/11/09
+date: 2023-11-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
index 1ed46c0c786..ed3b80e4a26 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
@@ -5,8 +5,8 @@ description: Adversaries may look for details about the network configuration an
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-date: 2021/12/07
-modified: 2022/04/11
+date: 2021-12-07
+modified: 2022-04-11
 tags:
 - attack.discovery
 - attack.t1016
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml b/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml
index 3d4ca79a55b..9cca291a5c3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml
@@ -7,7 +7,7 @@ references:
 - https://ss64.com/nt/for.html
 - https://ss64.com/ps/foreach-object.html
 author: frack113
-date: 2022/03/12
+date: 2022-03-12
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml b/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml
index 891987e6065..59a570237af 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
 author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/10/21
-modified: 2023/02/20
+date: 2019-10-21
+modified: 2023-02-20
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.discovery
 - attack.t1040
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml b/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
index 21badb8f46f..90915ed402a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
@@ -5,9 +5,9 @@ description: Detect the use of processes with no name (".exe"), which can be use
 references:
 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 author: Matt Anderson (Huntress)
-date: 2024/07/23
+date: 2024-07-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index 6e01e7f5d9c..647af0885be 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 author: Max Altgelt (Nextron Systems)
-date: 2021/12/09
-modified: 2023/11/23
+date: 2021-12-09
+modified: 2023-11-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
index 3af41bfb444..d4da3213073 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
@@ -5,10 +5,10 @@ description: Search for usage of reg or Powershell by non-privileged users to mo
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
-date: 2020/10/05
-modified: 2022/07/07
+date: 2020-10-05
+modified: 2022-07-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
index 4deb46e333c..a44d5c7a60b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
@@ -11,10 +11,10 @@ references:
 - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
-date: 2022/03/11
-modified: 2022/11/10
+date: 2022-03-11
+modified: 2022-11-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
index cbd83ab9f82..570b9477dc7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
@@ -8,9 +8,9 @@ description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentia
 references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/07/13
+date: 2023-07-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
index 28f7b355888..b339a6272d3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
 - https://twitter.com/frack113/status/1555830623633375232
 author: frack113, Nasreddine Bencherchali
-date: 2022/08/07
-modified: 2022/10/26
+date: 2022-08-07
+modified: 2022-10-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
index 8300c093c89..e5d620fc79b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
 - https://twitter.com/frack113/status/1555830623633375232
 author: frack113, Nasreddine Bencherchali
-date: 2022/08/07
-modified: 2023/03/21
+date: 2022-08-07
+modified: 2023-03-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
index 4643eadc130..0be94c50bbb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
 - https://twitter.com/jonasLyk/status/1555914501802921984
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2022/09/21
+date: 2022-08-05
+modified: 2022-09-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
index ac150106f67..50381e0259e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
@@ -10,10 +10,10 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
 - https://twitter.com/jonasLyk/status/1555914501802921984
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/06
-modified: 2023/07/20
+date: 2022-08-06
+modified: 2023-07-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
index b1969826838..89b66f3ce7e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
@@ -7,8 +7,8 @@ references:
 - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
 - https://twitter.com/fr0s7_/status/1712780207105404948
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-date: 2022/08/03
-modified: 2023/11/06
+date: 2022-08-03
+modified: 2023-11-06
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
index 6b0cba323fc..5fd7eb597e9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
@@ -6,8 +6,8 @@ references:
 - https://h.43z.one/ipconverter/
 - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
 author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-date: 2022/08/03
-modified: 2023/11/06
+date: 2022-08-03
+modified: 2023-11-06
 tags:
 - attack.discovery
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml b/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
index 102e66c9c4a..2cde32de6a0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
@@ -5,9 +5,9 @@ description: Detects possible search for office tokens via CLI by looking for th
 references:
 - https://mrd0x.com/stealing-tokens-from-office-applications/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/10/25
+date: 2022-10-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1528
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_parents.yml b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
index 524bcbf3617..374b6a7c6aa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/x86matthew/status/1505476263464607744?s=12
 - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
 author: Florian Roth (Nextron Systems)
-date: 2022/03/21
-modified: 2022/09/08
+date: 2022-03-21
+modified: 2022-09-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
index ec80abbcd16..37499cf9d07 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md
 author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-date: 2018/08/25
-modified: 2024/03/07
+date: 2018-08-25
+modified: 2024-03-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
index a5fce186694..c2bb24c2c60 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
@@ -8,10 +8,10 @@ description: Detects a remote file copy attempt to a hidden network share. This
 references:
 - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/27
-modified: 2022/12/30
+date: 2022-09-27
+modified: 2022-12-30
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml
index 1bd577cc214..35765f997ba 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml
@@ -5,10 +5,10 @@ description: Adversaries may search for private key certificate files on comprom
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/07/20
-modified: 2023/03/06
+date: 2021-07-20
+modified: 2023-03-06
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml
index 4c7e40a27a8..08f4bf30151 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml
@@ -5,9 +5,9 @@ description: Detects suspicious command line flags that let the user set a targe
 references:
 - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
 author: Florian Roth (Nextron Systems)
-date: 2022/11/11
+date: 2022-11-11
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
index f89f6fd2441..72b9c382f72 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
@@ -7,10 +7,10 @@ references:
 - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
 - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 author: vburov
-date: 2019/02/23
-modified: 2022/02/14
+date: 2019-02-23
+modified: 2022-02-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 - attack.t1036.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_progname.yml b/rules/windows/process_creation/proc_creation_win_susp_progname.yml
index 1e08522f56d..a0c91375671 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_progname.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_progname.yml
@@ -5,8 +5,8 @@ description: Detects suspicious patterns in program names or folders that are of
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: Florian Roth (Nextron Systems)
-date: 2022/02/11
-modified: 2023/03/22
+date: 2022-02-11
+modified: 2023-03-22
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
index 22e81ad1d41..4c7af53c19c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
@@ -8,8 +8,8 @@ description: Once established within a system or network, an adversary may use a
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
 author: frack113
-date: 2021/07/30
-modified: 2022/09/13
+date: 2021-07-30
+modified: 2022-09-13
 tags:
 - attack.collection
 - attack.t1119
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
index 9e46bb09f4d..aee49b14846 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
@@ -9,11 +9,11 @@ references:
 - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
 - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
 author: X__Junior (Nextron Systems)
-date: 2023/07/12
-modified: 2023/12/11
+date: 2023-07-12
+modified: 2023-12-11
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
index 27545ea805c..81b697d24ae 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
@@ -6,8 +6,8 @@ references:
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Florian Roth (Nextron Systems)
-date: 2022/01/16
-modified: 2023/12/28
+date: 2022-01-16
+modified: 2023-12-28
 tags:
 - attack.exfiltration
 - attack.t1048
diff --git a/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml b/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
index b02f0a5e640..e84daaa8907 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
@@ -5,9 +5,9 @@ description: Detects potential use of an SSH utility to establish RDP over a rev
 references:
 - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/27
+date: 2022-09-27
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1021
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
index c6c597d9913..53583383428 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
@@ -9,9 +9,9 @@ references:
 - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
 - https://unicode-explorer.com/c/202E
 author: Micah Babinski, @micahbabinski
-date: 2023/02/15
+date: 2023-02-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
index b32fbc96f29..f4fcfc0afbd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml
@@ -7,8 +7,8 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
 - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2022/02/08
-modified: 2023/06/16
+date: 2022-02-08
+modified: 2023-06-16
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
index a8bcecd8507..b50f53858ad 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml
@@ -5,8 +5,8 @@ description: Detects a suspicious script executions from temporary folder
 references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
-date: 2021/07/14
-modified: 2022/10/05
+date: 2021-07-14
+modified: 2022-10-05
 tags:
 - attack.execution
 - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
index 7534759ac0d..4b37fae90ee 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml
@@ -8,8 +8,8 @@ references:
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
 author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-date: 2021/08/09
-modified: 2024/01/18
+date: 2021-08-09
+modified: 2024-01-18
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml
index a425b2bba12..e5ee1060bcf 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml
@@ -9,11 +9,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/14
-modified: 2022/11/18
+date: 2022-07-14
+modified: 2022-11-18
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
index 8601274f1f9..3606e7ab0a5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
@@ -5,10 +5,10 @@ description: Detects a service binary running in a suspicious directory
 references:
 - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
 author: Florian Roth (Nextron Systems)
-date: 2021/03/09
-modified: 2022/10/09
+date: 2021-03-09
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
index 98d3f570a16..acf23b465a8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -4,9 +4,9 @@ related:
 - id: eb87818d-db5d-49cc-a987-d5da331fbd90
 type: derived
 - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
- type: obsoletes
+ type: obsolete
 - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
 references:
@@ -16,10 +16,10 @@ references:
 - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2022/09/01
-modified: 2023/08/07
+date: 2022-09-01
+modified: 2023-08-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1489
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml
index a370a435580..e1c7c86dad2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml
@@ -6,10 +6,10 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
 author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-date: 2019/10/22
-modified: 2022/11/10
+date: 2019-10-22
+modified: 2022-11-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 - attack.t1003.002
 - attack.t1003.003
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
index de76a0a53be..563d6675588 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
@@ -13,10 +13,10 @@ references:
 - https://redcanary.com/blog/intelligence-insights-october-2021/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
 author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
-date: 2019/10/22
-modified: 2022/11/03
+date: 2019-10-22
+modified: 2022-11-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1070
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
index c840292b07a..ca1821f9def 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
@@ -5,11 +5,11 @@ description: Detects suspicious child processes of a Windows shell and scripting
 references:
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth (Nextron Systems), Tim Shelton
-date: 2018/04/06
-modified: 2023/05/23
+date: 2018-04-06
+modified: 2023-05-23
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1059.005
 - attack.t1059.001
 - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml b/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
index 78f982c4160..f52a096b7d9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
@@ -5,11 +5,11 @@ description: Detects process creation events that use the Sysnative folder (comm
 references:
 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 author: Max Altgelt (Nextron Systems)
-date: 2022/08/23
-modified: 2023/12/14
+date: 2022-08-23
+modified: 2023-12-14
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index 4c461717db6..c1ac8bf19d6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -10,10 +10,10 @@ references:
 - https://twitter.com/GelosSnake/status/934900723426439170
 - https://asec.ahnlab.com/en/39828/
 author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2017/11/27
-modified: 2024/07/16
+date: 2017-11-27
+modified: 2024-07-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 5da3bba0f76..3996deda6cc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -6,12 +6,12 @@ references:
 - Internal Research
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-date: 2021/12/20
-modified: 2024/07/22
+date: 2021-12-20
+modified: 2024-07-22
 tags:
- - attack.credential_access
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.credential-access
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1134
 - attack.t1003
 - attack.t1027
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml
index bd095346e27..ec1e2cc4ba5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml
@@ -6,10 +6,10 @@ references:
 - https://adsecurity.org/?p=2288
 - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
 author: Markus Neis, Jonhnathan Ribeiro, oscd.community
-date: 2018/04/09
-modified: 2022/01/07
+date: 2018-04-09
+modified: 2022-01-07
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.006
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
index 13b18f88a63..a6965e2d603 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/subTee/status/1216465628946563073
 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
 author: Sreeman
-date: 2020/01/13
-modified: 2022/12/25
+date: 2020-01-13
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.execution
 - attack.t1574.002
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
index acd96a790aa..0803f12f59b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/pabraeken/status/993298228840992768
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
 author: 'Agro (@agro_sev) oscd.community'
-date: 2020/10/13
-modified: 2021/11/27
+date: 2020-10-13
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
index ca8667658cf..b1717ae90bc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
@@ -10,11 +10,11 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
 - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
 author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
-date: 2020/10/14
-modified: 2022/10/09
+date: 2020-10-14
+modified: 2022-10-09
 tags:
 - attack.t1218
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index 1b32046a1ac..bce7a82248e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
@@ -5,10 +5,10 @@ description: Detects a suspicious child process of userinit
 references:
 - https://twitter.com/SBousseaden/status/1139811587760562176
 author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
-date: 2019/06/17
-modified: 2022/12/09
+date: 2019-06-17
+modified: 2022-12-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml
index 0eb7f92531d..a3542ba6152 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml
@@ -10,10 +10,10 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/14
-modified: 2024/02/23
+date: 2022-09-14
+modified: 2024-02-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
index 125912e9b88..580a7accb42 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml
@@ -4,9 +4,9 @@ related:
 - id: 1139d2e2-84b1-4226-b445-354492eba8ba
 type: similar
 - id: f67dbfce-93bc-440d-86ad-a95ae8858c90
- type: obsoletes
+ type: obsolete
 - id: cd5c8085-4070-4e22-908d-a5b3342deb74
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
 references:
@@ -14,8 +14,8 @@ references:
 - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
 author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
-date: 2019/10/24
-modified: 2023/01/10
+date: 2019-10-24
+modified: 2023-01-10
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml
index 4d47ad86843..add21fe4b30 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml
@@ -5,8 +5,8 @@ description: Detects a suspicious process command line that uses whoami as first
 references:
 - https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
 author: Florian Roth (Nextron Systems)
-date: 2021/11/29
-modified: 2022/12/25
+date: 2021-11-29
+modified: 2022-12-25
 tags:
 - attack.discovery
 - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml b/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
index 391a7983c87..65022b15d29 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
@@ -5,10 +5,10 @@ description: Detects using WorkFolders.exe to execute an arbitrary control.exe
 references:
 - https://twitter.com/elliotkillick/status/1449812843772227588
 author: Maxime Thiebaut (@0xThiebaut)
-date: 2021/10/21
-modified: 2022/12/25
+date: 2021-10-21
+modified: 2022-12-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
index 8c3c5f9be7d..002aacf4c10 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
@@ -5,11 +5,11 @@ description: It is extremely abnormal for svchost.exe to spawn without any CLI a
 references:
 - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 author: David Burkett, @signalblur
-date: 2019/12/28
-modified: 2022/06/27
+date: 2019-12-28
+modified: 2022-06-27
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
index 1ef9b1642e0..3b93f8c0df3 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
@@ -13,9 +13,9 @@ references:
 - https://tria.ge/240731-jh4crsycnb/behavioral2
 - https://redcanary.com/blog/threat-detection/process-masquerading/
 author: Swachchhanda Shrawan Poudel
-date: 2024/08/07
+date: 2024-08-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml b/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml
index a80d45a3dd2..6a39a684aa0 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml
@@ -5,12 +5,12 @@ description: Detects a process spawned by the terminal service server process (t
 references:
 - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
 author: Florian Roth (Nextron Systems)
-date: 2019/05/22
-modified: 2023/01/25
+date: 2019-05-22
+modified: 2023-01-25
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1190
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.t1210
 - car.2013-07-002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
index 7de9c1c0581..31eb6380f32 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
@@ -5,10 +5,10 @@ description: Detects an uncommon svchost parent process
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2017/08/15
-modified: 2022/06/28
+date: 2017-08-15
+modified: 2022-06-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
index a61b6d48fea..b744b889649 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
@@ -8,8 +8,8 @@ references:
 - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
 - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/13
-modified: 2023/02/20
+date: 2020-10-13
+modified: 2023-02-20
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
index a6cedbca262..72b8996bca0 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml
@@ -8,9 +8,9 @@ description: Detects the execution of Sysinternals ADExplorer with the "-snapsho
 references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/14
+date: 2023-03-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 - attack.t1003.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
index 53d1712a4c1..892499cbbb8 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
@@ -8,9 +8,9 @@ description: Detects the execution of Sysinternals ADExplorer with the "-snapsho
 references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/14
+date: 2023-03-14
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1552.001
 - attack.t1003.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
index ae302e8d6c2..6521fcd779a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
@@ -8,10 +8,10 @@ description: Detects command lines that contain the 'accepteula' flag which coul
 references:
 - https://twitter.com/Moti_B/status/1008587936735035392
 author: Markus Neis
-date: 2017/08/28
-modified: 2024/03/13
+date: 2017-08-28
+modified: 2024-03-13
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
index 3f5b5531501..14286ba5c75 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
@@ -5,9 +5,9 @@ description: Detects execution of LiveKD based on PE metadata or image name
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
+date: 2023-05-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
index 1dddf1f205c..7df179152bb 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
@@ -7,10 +7,10 @@ references:
 - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
 - https://kb.acronis.com/content/60892
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
-modified: 2024/03/13
+date: 2023-05-16
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
index c8c9336129c..d67ee49d2c8 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
@@ -5,10 +5,10 @@ description: Detects usage of the SysInternals Procdump utility
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth (Nextron Systems)
-date: 2021/08/16
-modified: 2023/02/28
+date: 2021-08-16
+modified: 2023-02-28
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
index 4f88b377721..c5d31f84ea7 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
@@ -5,10 +5,10 @@ description: Detects uses of the SysInternals ProcDump utility in which ProcDump
 references:
 - https://twitter.com/mrd0x/status/1480785527901204481
 author: Florian Roth (Nextron Systems)
-date: 2022/01/11
-modified: 2023/05/09
+date: 2022-01-11
+modified: 2023-05-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
index 25b3533b470..46d0f5ca4ba 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
@@ -7,12 +7,12 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth (Nextron Systems)
-date: 2018/10/30
-modified: 2024/03/13
+date: 2018-10-30
+modified: 2024-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - car.2013-05-009
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml
index a7c0c80ba6a..e5a8278726a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml
@@ -5,8 +5,8 @@ description: Detects user accept agreement execution in psexec commandline
 references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: omkar72
-date: 2020/10/30
-modified: 2023/02/28
+date: 2020-10-30
+modified: 2023-02-28
 tags:
 - attack.execution
 - attack.t1569
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
index 42776d610f3..1d10dff6989 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
@@ -10,10 +10,10 @@ references:
 - https://www.poweradmin.com/paexec/
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/11/23
-modified: 2024/03/05
+date: 2021-11-23
+modified: 2024-03-05
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
index 43742e69a96..cacb1c5f02a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://www.poweradmin.com/paexec/
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/28
+date: 2023-02-28
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1587.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
index c76f471df21..907cf1a8b9b 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
@@ -2,15 +2,15 @@ title: PsExec Service Execution
 id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5
 related:
 - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
 - https://www.youtube.com/watch?v=ro2QuZTIMBM
 author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
-date: 2017/06/12
-modified: 2023/02/28
+date: 2017-06-12
+modified: 2023-02-28
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
index b00da4ce2a6..e012f9c3757 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
@@ -8,8 +8,8 @@ description: Detects suspicious launch of the PSEXESVC service on this system an
 references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
 author: Florian Roth (Nextron Systems)
-date: 2022/07/21
-modified: 2023/02/28
+date: 2022-07-21
+modified: 2023-02-28
 tags:
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
index 04c6d140603..bf4e675a9eb 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
@@ -8,8 +8,8 @@ references:
     - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
     - https://twitter.com/EricaZelic/status/1614075109827874817
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/18
-modified: 2024/03/05
+date: 2021-12-18
+modified: 2024-03-05
 tags:
     - attack.discovery
     - attack.t1087
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
index 8a6778afcd8..48348d71d68 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
@@ -5,8 +5,8 @@ description: Detects usage of Sysinternals PsService which can be abused for ser
 references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/16
-modified: 2023/02/24
+date: 2022-06-16
+modified: 2023-02-24
 tags:
     - attack.discovery
     - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
index 98fa3c83d1c..92433b191c4 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml
@@ -9,7 +9,7 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
     - https://twitter.com/0gtweet/status/1638069413717975046
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/23
+date: 2023-03-23
 tags:
     - attack.discovery
     - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
index 76ef6c2dc61..d7c5623619a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
@@ -9,9 +9,9 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
     - https://twitter.com/0gtweet/status/1638069413717975046
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/23
+date: 2023-03-23
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
index 5a88207ac55..4e5eb701d79 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
@@ -5,8 +5,8 @@ description: Detects the use of SDelete to erase a file not the free space
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 author: frack113
-date: 2021/06/03
-modified: 2023/02/28
+date: 2021-06-03
+modified: 2023-02-28
 tags:
     - attack.impact
     - attack.t1485
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
index 20ee3faada2..3aaba2c55d6 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
@@ -10,10 +10,10 @@ references:
     - https://www.poweradmin.com/paexec/
     - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/05/22
-modified: 2024/03/05
+date: 2021-05-22
+modified: 2024-03-05
 tags:
-    - attack.resource_development
+    - attack.resource-development
     - attack.t1587.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
index 803db9abe85..1fb2a7d2c73 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
@@ -5,10 +5,10 @@ description: Detects updates to Sysmon's configuration. Attackers might update o
 references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/03/09
-modified: 2024/03/13
+date: 2023-03-09
+modified: 2024-03-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
index 7cf984404db..4690d9914ac 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
@@ -5,10 +5,10 @@ description: Detects the removal of Sysmon, which could be a potential attempt a
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
 author: frack113
-date: 2022/01/12
-modified: 2024/03/13
+date: 2022-01-12
+modified: 2024-03-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
index daa94bb5bb3..7fad5eb500d 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
@@ -5,11 +5,11 @@ description: Detects binaries that use the same name as legitimate sysinternals
 references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
 author: frack113
-date: 2021/12/20
-modified: 2022/12/08
+date: 2021-12-20
+modified: 2022-12-08
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
     - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml b/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml
index 8cc79ea752f..41c310383a5 100644
--- a/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml
@@ -6,8 +6,8 @@ references:
     - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
     - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
 author: Florian Roth (Nextron Systems)
-date: 2018/06/22
-modified: 2021/11/27
+date: 2018-06-22
+modified: 2021-11-27
 tags:
     - attack.execution
     - attack.t1059
diff --git a/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml b/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml
index 324555a2695..fc2a8f6f0c1 100644
--- a/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml
@@ -6,8 +6,8 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
 author: frack113
-date: 2022/01/01
-modified: 2022/07/14
+date: 2022-01-01
+modified: 2022-07-14
 tags:
     - attack.discovery
     - attack.t1082
diff --git a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
index a5f2f3b61fb..fc2464708d8 100644
--- a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
@@ -9,9 +9,9 @@ references:
     - Internal Research
     - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
+date: 2023-01-11
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml b/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml
index 351f2ed5feb..34415b94613 100644
--- a/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml
+++ b/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml
@@ -6,10 +6,10 @@ references:
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
 author: frack113
-date: 2022/01/30
-modified: 2022/11/21
+date: 2022-01-30
+modified: 2022-11-21
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1222.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml b/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
index df3f962ad5b..8ec4f4908ff 100644
--- a/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
@@ -5,8 +5,8 @@ description: Well-known TAP software installation. Possible preparation for data
 references:
     - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-date: 2019/10/24
-modified: 2023/12/11
+date: 2019-10-24
+modified: 2023-12-11
 tags:
     - attack.exfiltration
     - attack.t1048
diff --git a/rules/windows/process_creation/proc_creation_win_tar_compression.yml b/rules/windows/process_creation/proc_creation_win_tar_compression.yml
index 873f9fc8607..3cf3fcfa076 100644
--- a/rules/windows/process_creation/proc_creation_win_tar_compression.yml
+++ b/rules/windows/process_creation/proc_creation_win_tar_compression.yml
@@ -9,7 +9,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Tar/
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
 author: Nasreddine Bencherchali (Nextron Systems), AdmU3
-date: 2023/12/19
+date: 2023-12-19
 tags:
     - attack.collection
     - attack.exfiltration
diff --git a/rules/windows/process_creation/proc_creation_win_tar_extraction.yml b/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
index d9135d1b724..98298b3e9f4 100644
--- a/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
+++ b/rules/windows/process_creation/proc_creation_win_tar_extraction.yml
@@ -9,7 +9,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Tar/
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
 author: AdmU3
-date: 2023/12/19
+date: 2023-12-19
 tags:
     - attack.collection
     - attack.exfiltration
diff --git a/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
index 4e76d7b48cc..b0b7fd4d3e9 100644
--- a/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
@@ -10,9 +10,9 @@ references:
     - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
     - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
 author: Ilya Krestinichev, Florian Roth (Nextron Systems)
-date: 2022/09/13
+date: 2022-09-13
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
index 1d8734dbf92..8fdc84c0681 100644
--- a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
@@ -9,8 +9,8 @@ references:
     - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
     - https://pentestlab.blog/tag/svchost/
 author: Swachchhanda Shrawan Poudel
-date: 2024/02/12
-modified: 2024/03/13
+date: 2024-02-12
+modified: 2024-03-13
 tags:
     - attack.t1003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
index a7826d46ad0..62fc346affb 100644
--- a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
@@ -5,10 +5,10 @@ description: Detects the creation of taskmgr.exe process in context of LOCAL_SYS
 references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
-date: 2018/03/18
-modified: 2022/05/27
+date: 2018-03-18
+modified: 2022-05-27
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1036
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
index a947261665c..24e8cb145f1 100644
--- a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
@@ -5,10 +5,10 @@ description: Detects the creation of a process via the Windows task manager. Thi
 references:
     - https://twitter.com/ReneFreingruber/status/1172244989335810049
 author: Florian Roth (Nextron Systems)
-date: 2018/03/13
-modified: 2024/01/18
+date: 2018-03-13
+modified: 2024-01-18
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1036
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
index 8cda14f9e73..021da471ef2 100644
--- a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
@@ -8,10 +8,10 @@ references:
     - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
     - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
 author: '@SerkinValery'
-date: 2022/09/16
-modified: 2023/12/18
+date: 2022-09-16
+modified: 2023-12-18
 tags:
-    - attack.credential_access
+    - attack.credential-access
     - attack.t1528
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
index 78fb7387ad8..cc5cd405435 100644
--- a/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
+++ b/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
@@ -5,7 +5,7 @@ description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart
 references:
     - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/15
+date: 2023-06-15
 tags:
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml b/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml
index 58c0f9631c4..536b3175892 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml
@@ -7,10 +7,10 @@ references:
     - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
     - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
 author: Florian Roth (Nextron Systems)
-date: 2018/03/17
-modified: 2022/05/27
+date: 2018-03-17
+modified: 2022-05-27
 tags:
-    - attack.command_and_control
+    - attack.command-and-control
     - attack.t1219
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml b/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml
index af9ba4ac511..dda2f95d02c 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml
@@ -7,10 +7,10 @@ references:
     - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
     - https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
 author: Florian Roth (Nextron Systems)
-date: 2018/03/17
-modified: 2023/05/16
+date: 2018-03-17
+modified: 2023-05-16
 tags:
-    - attack.lateral_movement
+    - attack.lateral-movement
     - attack.t1563.002
     - attack.t1021.001
     - car.2013-07-002
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
index d98c795a7f8..da3c8b1ad66 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
@@ -5,7 +5,7 @@ description: Detects potential RDP Session Hijacking activity on Windows systems
 references:
     - https://twitter.com/Moti_B/status/909449115477659651
 author: '@juju4'
-date: 2022/12/27
+date: 2022-12-27
 tags:
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
index 23e9805b092..e35de890eca 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
@@ -7,11 +7,11 @@ references:
     - https://github.com/hfiref0x/UACME
     - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
index 36a16b00244..54431028ce1 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using scheduled tasks and variabl
 references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
index c1415fabac6..6bd65d8b56e 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
@@ -7,11 +7,11 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
     - https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-date: 2019/10/24
-modified: 2022/08/30
+date: 2019-10-24
+modified: 2022-08-30
 tags:
-    - attack.privilege_escalation
-    - attack.defense_evasion
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.t1548.002
     - attack.t1218.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
index 188619e7914..e57df597952 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
@@ -8,12 +8,12 @@ references:
     - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
     - https://github.com/hfiref0x/UACME
 author: Nik Seetharaman, Christian Burkard (Nextron Systems)
-date: 2019/07/31
-modified: 2022/09/21
+date: 2019-07-31
+modified: 2022-09-21
 tags:
     - attack.execution
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
     - attack.t1218.003
     - attack.g0069
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
index 4dfe578e0c4..0163e1ac983 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
@@ -5,11 +5,11 @@ description: Detects tools such as UACMe used to bypass UAC with computerdefault
 references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/31
-modified: 2022/10/09
+date: 2021-08-31
+modified: 2022-10-09
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
index 33b8c645419..e21dee1e9b0 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dl
 references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
index be3f6eb6e8a..8250a092d05 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UAC
 references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
index 3113412c597..3bf09474be4 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
@@ -9,10 +9,10 @@ references:
     - https://twitter.com/orange_8361/status/1518970259868626944
     - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/11/22
+date: 2022-11-22
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
index 3d889f30380..5ada3cce64f 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
@@ -6,10 +6,10 @@ references:
     - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2021/11/27
+date: 2019-10-24
+modified: 2021-11-27
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
index f0b0f5ce4cb..c987fc15d3b 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
@@ -5,9 +5,9 @@ description: Detects attempts to bypass User Account Control (UAC) by hijacking
 references:
     - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
 author: Tim Rauch, Elastic (idea)
-date: 2022/09/27
+date: 2022-09-27
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1548
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
index 7934fc77b9d..db1ec4358e4 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM int
 references:
     - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
 author: Florian Roth (Nextron Systems), Elastic (idea)
-date: 2022/09/13
-modified: 2022/09/27
+date: 2022-09-13
+modified: 2022-09-27
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
index 6ff2df23c2e..05ecaa8ee28 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
@@ -5,11 +5,11 @@ description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
 references:
     - https://github.com/Wh04m1001/IDiagnosticProfileUAC
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/03
+date: 2022-07-03
 tags:
     - attack.execution
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
index dbf495ec24d..da0fa174b2a 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
 references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
index 1044386ef5d..52bec8124ed 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe
 references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
index e343b03692c..dfe8b47398f 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa
 references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1548.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
index 54f19503c5a..523d2be04ec 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UA
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
index a12ba436654..77976a2efbd 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/6
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/02/14
+date: 2020-05-02
+modified: 2023-02-14
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
index 91dbe36f5be..ebdd7a29b7d 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
@@ -7,9 +7,9 @@ references:
 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
 - https://github.com/netero1010/TrustedPath-UACBypass-BOF
 author: Florian Roth (Nextron Systems)
-date: 2021/08/27
+date: 2021-08-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
index 4c5a55613f3..c230f475e9a 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a path parsing issue in win
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/10/09
+date: 2021-08-30
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
index 4e59df648a0..a365002b800 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using Windows Media Player osksup
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
index 7bef75dbd8c..c8188244f80 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
@@ -2,7 +2,7 @@ title: Bypass UAC via WSReset.exe
 id: d797268e-28a9-49a7-b9a8-2f5039011c5c
 related:
 - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
 references:
@@ -11,11 +11,11 @@ references:
 - https://www.activecyber.us/activelabs/windows-uac-bypass
 - https://twitter.com/ReaQta/status/1222548288731217921
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
-date: 2019/10/24
-modified: 2022/05/13
+date: 2019-10-24
+modified: 2022-05-13
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
index bf66d4460b9..2e139752a3b 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
@@ -7,11 +7,11 @@ references:
 - https://github.com/hfiref0x/UACME
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2022/10/09
+date: 2021-08-23
+modified: 2022-10-09
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ultravnc.yml b/rules/windows/process_creation/proc_creation_win_ultravnc.yml
index 6d2fbc37b21..31c62dd9121 100644
--- a/rules/windows/process_creation/proc_creation_win_ultravnc.yml
+++ b/rules/windows/process_creation/proc_creation_win_ultravnc.yml
@@ -5,9 +5,9 @@ description: An adversary may use legitimate desktop support and remote access s
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
 author: frack113
-date: 2022/10/02
+date: 2022-10-02
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml
index dbe7e3fef4f..c7e91f5083c 100644
--- a/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml
@@ -8,10 +8,10 @@ references:
 - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
 - https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
 author: Bhabesh Raj
-date: 2022/03/04
-modified: 2022/03/09
+date: 2022-03-04
+modified: 2022-03-09
 tags:
- - attack.lateral_movement
+ - attack.lateral-movement
 - attack.g0047
 - attack.t1021.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml b/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
index 67cbf260e5d..94699a6fe05 100644
--- a/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
+++ b/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
@@ -5,10 +5,10 @@ description: Adversaries may disable security tools to avoid possible detection
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113
-date: 2021/07/12
-modified: 2023/03/09
+date: 2021-07-12
+modified: 2023-03-09
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
index 3e349b6f661..b7893d038b6 100644
--- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
@@ -9,8 +9,8 @@ references:
 - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
 - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
 author: Tom Ueltschi (@c_APT_ure), Tim Shelton
-date: 2019/01/12
-modified: 2023/11/14
+date: 2019-01-12
+modified: 2023-11-14
 tags:
 - attack.t1037.001
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml b/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml
index 77c4d348db4..0d6faba44a5 100644
--- a/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml
+++ b/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml
@@ -5,10 +5,10 @@ description: List credentials currently stored in Windows Credential Manager via
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
 author: frack113
-date: 2022/04/08
-modified: 2022/05/13
+date: 2022-04-08
+modified: 2022-05-13
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1555.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml b/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
index f5ad33c8206..f3d09f0015f 100644
--- a/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
+++ b/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
@@ -7,10 +7,10 @@ references:
 - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
 - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Victor Sergeev, oscd.community
-date: 2020/10/09
-modified: 2022/07/11
+date: 2020-10-09
+modified: 2022-07-11
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml b/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
index 79208ee0163..66fe2e553a5 100644
--- a/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
@@ -6,10 +6,10 @@ references:
 - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
 - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
 author: Janantha Marasinghe
-date: 2020/09/26
-modified: 2022/07/14
+date: 2020-09-26
+modified: 2022-07-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.006
 - attack.t1564
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
index 75c245f39ad..edc4a660e91 100644
--- a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
@@ -9,10 +9,10 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
 - https://twitter.com/pabraeken/status/993497996179492864
 author: Konstantin Grishchenko, oscd.community
-date: 2020/10/06
-modified: 2021/11/27
+date: 2020-10-06
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml
index 2a2c1446123..7dc7f4bfb2a 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml
@@ -9,7 +9,7 @@ references:
 - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
 - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/14
+date: 2023-06-14
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
index 65225d628bf..ba4038987c0 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
@@ -8,7 +8,7 @@ description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" a
 references:
 - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/14
+date: 2023-06-14
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
index bc3751e4ec8..a21d370af59 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
@@ -7,8 +7,8 @@ references:
 - https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png
 - https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf
 author: bohops, Bhabesh Raj
-date: 2021/10/08
-modified: 2023/07/25
+date: 2021-10-08
+modified: 2023-07-25
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
index 19360242f74..1538402e677 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
@@ -6,11 +6,11 @@ references:
 - https://twitter.com/nas_bench/status/1618021838407495681
 - https://twitter.com/nas_bench/status/1618021415852335105
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/26
-modified: 2023/10/25
+date: 2023-01-26
+modified: 2023-10-25
 tags:
 - attack.execution
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
index e3607a306f9..33ab564561d 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://code.visualstudio.com/docs/remote/tunnels
 author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml
index 177d912b9a1..c73c51207c6 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml
@@ -7,9 +7,9 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://code.visualstudio.com/docs/remote/tunnels
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
index 42e75cd56e5..8c68972b65c 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml
@@ -7,9 +7,9 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://code.visualstudio.com/docs/remote/tunnels
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/28
+date: 2023-09-28
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
index 8026d5d8d86..bb20a7ae017 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml
@@ -7,9 +7,9 @@ references:
 - https://badoption.eu/blog/2023/01/31/code_c2.html
 - https://code.visualstudio.com/docs/remote/tunnels
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/10/25
+date: 2023-10-25
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1071.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
index 0eb26551840..3eaf8a4b7a1 100644
--- a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
+++ b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
@@ -5,9 +5,9 @@ description: Detects execution of "VSDiagnostics.exe" with the "start" command i
 references:
 - https://twitter.com/0xBoku/status/1679200664013135872
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/03
+date: 2023-08-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml b/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
index fe0dd2a581e..da01a1837bd 100644
--- a/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
@@ -5,9 +5,9 @@ description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution wit
 references:
 - https://twitter.com/bohops/status/1583916360404729857
 author: bohops
-date: 2022/10/30
+date: 2022-10-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml
index 173f591942b..072e381d7a1 100644
--- a/rules/windows/process_creation/proc_creation_win_w32tm.yml
+++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
 - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
 author: frack113
-date: 2022/09/25
+date: 2022-09-25
 tags:
 - attack.discovery
 - attack.t1124
diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
index c08b6841a5a..3a698e48fe3 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
@@ -7,10 +7,10 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2022/09/27
+date: 2022-08-12
+modified: 2022-09-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
index 81787cc2840..c928adbf34b 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
@@ -7,10 +7,10 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/12
-modified: 2022/09/27
+date: 2022-08-12
+modified: 2022-09-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml
index 45e01adadfe..3c8044028b5 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml
@@ -16,8 +16,8 @@ references:
 - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/13
-modified: 2024/05/10
+date: 2021-12-13
+modified: 2024-05-10
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml
index 36cd87e88dd..44c9037e5c8 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml
@@ -16,8 +16,8 @@ references:
 - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/12/13
-modified: 2024/05/10
+date: 2021-12-13
+modified: 2024-05-10
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
index 28ad8635baf..c5e0ffd8166 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
@@ -10,9 +10,9 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml
index 0cac4b39420..31310f503d2 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml
@@ -11,7 +11,7 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
 - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/05/10
+date: 2024-05-10
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml
index bc95f44c9c0..36f3ffa75ba 100644
--- a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml
@@ -13,9 +13,9 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml
index 991c86b7762..1e81f5f91f8 100644
--- a/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml
@@ -9,7 +9,7 @@ references:
 - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
 - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
 author: Micah Babinski
-date: 2023/08/21
+date: 2023-08-21
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
index 3a87945a630..d7edb232fec 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
@@ -5,7 +5,7 @@ description: Detects patterns found in process executions cause by China Chopper
 references:
 - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
 author: Florian Roth (Nextron Systems), MSTI (query)
-date: 2022/10/01
+date: 2022-10-01
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
index 2b3dbc800d9..3de1c43d017 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
@@ -6,8 +6,8 @@ description: |
 references:
 - https://youtu.be/7aemGhaE9ds?t=641
 author: Florian Roth (Nextron Systems)
-date: 2022/03/17
-modified: 2023/11/09
+date: 2022-03-17
+modified: 2023-11-09
 tags:
 - attack.persistence
 - attack.t1505.003
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
index 67e6d15358c..96feead4ecc 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
@@ -6,8 +6,8 @@ references: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community -date: 2017/01/01 -modified: 2022/05/13 +date: 2017-01-01 +modified: 2022-05-13 tags: - attack.persistence - attack.t1505.003 diff --git a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml index d0822cbd413..476809f3cf0 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml @@ -6,8 +6,8 @@ description: | references: - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) -date: 2019/01/16 -modified: 2023/11/11 +date: 2019-01-16 +modified: 2023-11-11 tags: - attack.persistence - attack.t1505.003 diff --git a/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml b/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml index 1358e328b79..e5031f62ae3 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml @@ -6,8 +6,8 @@ description: | references: - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html author: Cian Heasley, Florian Roth (Nextron Systems) -date: 2020/07/22 -modified: 2023/11/09 +date: 2020-07-22 +modified: 2023-11-09 tags: - attack.persistence - attack.t1505.003 
diff --git a/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml index f8d4a40ebbb..0d17c692ab3 100644 --- a/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml +++ b/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml @@ -6,10 +6,10 @@ references: - https://github.com/deepinstinct/Lsass-Shtinkering - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf author: '@pbssubhash , Nasreddine Bencherchali' -date: 2022/12/08 -modified: 2022/12/09 +date: 2022-12-08 +modified: 2022-12-09 tags: - - attack.credential_access + - attack.credential-access - attack.t1003.001 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml index 53acd9cfb71..75b4f985958 100644 --- a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml @@ -9,10 +9,10 @@ references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ author: X__Junior (Nextron Systems) -date: 2023/06/30 +date: 2023-06-30 tags: - attack.execution - - attack.defense_evasion + - attack.defense-evasion - attack.t1036 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml index 7c49062e0e4..182b17941b3 100644 --- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml 
+++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml @@ -10,11 +10,11 @@ references: - https://www.echotrail.io/insights/search/wermgr.exe - https://github.com/binderlabs/DirCreate2System author: Florian Roth (Nextron Systems) -date: 2022/10/14 -modified: 2024/06/20 +date: 2022-10-14 +modified: 2024-06-20 tags: - - attack.defense_evasion - - attack.privilege_escalation + - attack.defense-evasion + - attack.privilege-escalation - attack.t1055 - attack.t1036 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml index 1f6f63ff445..41638c10749 100644 --- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml +++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml @@ -10,8 +10,8 @@ references: - https://www.echotrail.io/insights/search/wermgr.exe - https://github.com/binderlabs/DirCreate2System author: Florian Roth (Nextron Systems) -date: 2022/10/14 -modified: 2023/08/23 +date: 2022-10-14 +modified: 2023-08-23 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml index 0645a1cb34b..e107572c0bc 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml @@ -5,7 +5,7 @@ description: Detects potentially suspicious file downloads directly from IP addr references: - https://www.gnu.org/software/wget/manual/wget.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/07/27 +date: 2023-07-27 tags: - attack.execution logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml index 005aef2c940..fd62eb5e093 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml @@ -7,8 +7,8 @@ references: - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/05/05 -modified: 2024/02/09 +date: 2023-05-05 +modified: 2024-02-09 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml index 1a62c2f6220..01636c4e67d 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml @@ -5,7 +5,7 @@ description: Detects potentially suspicious file downloads directly from IP addr references: - https://www.gnu.org/software/wget/manual/wget.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2024/02/23 +date: 2024-02-23 tags: - attack.execution logsource: diff --git a/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml b/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml index 8407ef7f091..597f2619920 100644 --- a/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml 
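Review bot: The hunk header for `proc_creation_win_wget_download_susp_locations.yml` shows its description beginning `Detects potentially suspicious file downloads directly from IP addr…`, which is the same text as `proc_creation_win_wget_download_direct_ip.yml` earlier in this chunk; the description looks copy-pasted and, going by the filename, does not describe what this rule actually matches. Only the start of the line is visible and the detection block is outside the hunk, so confirm against the full file; if it is a copy, something like `description: Detects potentially suspicious file downloads via wget to uncommon or suspicious local paths` would match the rule's name.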
@@ -8,8 +8,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113, Nasreddine Bencherchali (Nextron Systems) -date: 2021/12/13 -modified: 2022/06/29 +date: 2021-12-13 +modified: 2022-06-29 tags: - attack.discovery - attack.t1217 diff --git a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml index 6115cc0f149..22817da9b36 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml @@ -7,8 +7,8 @@ references: - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2023/12/04 -modified: 2024/03/05 +date: 2023-12-04 +modified: 2024-03-05 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution.yml index 531ac6e6da1..b497a81521c 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_execution.yml @@ -6,8 +6,8 @@ references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ author: Florian Roth (Nextron Systems) -date: 2018/08/13 -modified: 2023/11/30 +date: 2018-08-13 +modified: 2023-11-30 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml index 45e25fe47b4..daa294ce3b4 100644 
--- a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml @@ -2,17 +2,17 @@ title: Whoami.EXE Execution From Privileged Process id: 79ce34ca-af29-4d0e-b832-fc1b377020db related: - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 - type: obsoletes + type: obsolete status: experimental description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov -date: 2022/01/28 -modified: 2023/12/04 +date: 2022-01-28 +modified: 2023-12-04 tags: - - attack.privilege_escalation + - attack.privilege-escalation - attack.discovery - attack.t1033 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml index 229cf65c7ab..a64d3e5bf4d 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml @@ -5,7 +5,7 @@ description: Detects the execution of whoami.exe with the /group command line fl references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/02/28 +date: 2023-02-28 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/process_creation/proc_creation_win_whoami_output.yml b/rules/windows/process_creation/proc_creation_win_whoami_output.yml index 2d74a28c74f..78d2919bc53 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_output.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_output.yml 
@@ -7,8 +7,8 @@ references: - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -date: 2023/02/28 -modified: 2023/12/04 +date: 2023-02-28 +modified: 2023-12-04 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml index ccdd36a49bb..37e64e0f036 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml @@ -7,8 +7,8 @@ references: - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s author: Florian Roth (Nextron Systems) -date: 2021/08/12 -modified: 2023/12/04 +date: 2021-08-12 +modified: 2023-12-04 tags: - attack.discovery - attack.t1033 diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml index c60f3dc91b9..3d41d47e9f9 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml @@ -5,10 +5,10 @@ description: Detects a whoami.exe executed with the /priv command line flag inst references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth (Nextron Systems) -date: 2021/05/05 -modified: 2023/02/28 +date: 2021-05-05 +modified: 2023-02-28 tags: - - attack.privilege_escalation + - attack.privilege-escalation - attack.discovery - attack.t1033 logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml index c87f477284b..a31be8e93b0 100644 --- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml +++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml @@ -6,8 +6,8 @@ references: - https://persistence-info.github.io/Data/windowsterminalprofile.html - https://twitter.com/nas_bench/status/1550836225652686848 author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/07/25 -modified: 2023/02/14 +date: 2022-07-25 +modified: 2023-02-14 tags: - attack.execution - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml index 4efffd1d2ed..8aafaf81e29 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml @@ -11,9 +11,9 @@ references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/04/17 +date: 2023-04-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1059 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml index 33e3ddd4bbb..78c3065c613 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml 
@@ -13,9 +13,9 @@ references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/04/17 +date: 2023-04-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1059 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml index c1ac79f6754..ce4f11509fb 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml @@ -11,10 +11,10 @@ references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/04/17 -modified: 2023/12/04 +date: 2023-04-17 +modified: 2023-12-04 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1059 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml index 1bc59fa97d6..46900416b8f 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml 
@@ -10,10 +10,10 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Winget/ - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget author: Sreeman, Florian Roth (Nextron Systems), frack113 -date: 2020/04/21 -modified: 2023/04/17 +date: 2020-04-21 +modified: 2023-04-17 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.execution - attack.t1059 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml index fa562799e67..634634ed7b1 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml @@ -8,8 +8,8 @@ description: Detects execution of WinRAR in order to compress a file with a ".dm references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ author: Florian Roth (Nextron Systems) -date: 2022/01/04 -modified: 2023/09/12 +date: 2022-01-04 +modified: 2023-09-12 tags: - attack.collection - attack.t1560.001 diff --git a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml index da37d2210aa..b8cb34fdcf4 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml @@ -9,7 +9,7 @@ references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md author: Nasreddine Bencherchali (Nextron Systems) -date: 2023/08/31 +date: 2023-08-31 tags: - attack.execution - attack.t1203 
diff --git a/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml b/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml index bba0ae8a21c..97763878c01 100644 --- a/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml @@ -5,8 +5,8 @@ description: Detects a suspicious winrar execution in a folder which is not the references: - https://twitter.com/cyb3rops/status/1460978167628406785 author: Florian Roth (Nextron Systems), Tigzy -date: 2021/11/17 -modified: 2023/08/31 +date: 2021-11-17 +modified: 2023-08-31 tags: - attack.collection - attack.t1560.001 diff --git a/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml b/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml index 00c5f08b211..4ccfdff9161 100644 --- a/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml @@ -5,10 +5,10 @@ description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl v references: - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 author: Julia Fomina, oscd.community -date: 2020/10/06 -modified: 2022/10/09 +date: 2020-10-06 +modified: 2022-10-09 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml b/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml index b51594406f1..cab7cf058c7 100644 --- a/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml 
+++ b/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml @@ -7,10 +7,10 @@ references: - https://redcanary.com/blog/lateral-movement-winrm-wmi/ - https://lolbas-project.github.io/lolbas/Scripts/Winrm/ author: Julia Fomina, oscd.community -date: 2020/10/07 -modified: 2023/03/03 +date: 2020-10-07 +modified: 2023-03-03 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1216 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml b/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml index 60b03962010..37921b6114f 100644 --- a/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml @@ -5,8 +5,8 @@ description: Detects remote PowerShell sections by monitoring for wsmprovhost (W references: - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/09/12 -modified: 2022/10/09 +date: 2019-09-12 +modified: 2022-10-09 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml index 67f29fe1ee0..326cd2f9587 100644 --- a/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml 
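Review bot: The hunk header for `proc_creation_win_winrm_remote_powershell_session_process.yml` shows `Detects remote PowerShell sections by monitoring for wsmprovhost`; `sections` should be `sessions`, matching the filename. Only the beginning of the description is visible and the line itself is not changed by this hunk, but it is worth fixing while the file's metadata is being rewritten.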
@@ -5,13 +5,13 @@ description: Detects suspicious processes including shells spawnd from WinRM hos author: Andreas Hunkeler (@Karneades), Markus Neis references: - Internal Research -date: 2021/05/20 -modified: 2022/07/14 +date: 2021-05-20 +modified: 2022-07-14 tags: - attack.t1190 - - attack.initial_access + - attack.initial-access - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml b/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml index b136a6e8382..024b904062b 100644 --- a/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml +++ b/rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml @@ -5,8 +5,8 @@ description: An adversary may compress or encrypt data that is collected prior t references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md author: frack113 -date: 2021/07/27 -modified: 2022/12/25 +date: 2021-07-27 +modified: 2022-12-25 tags: - attack.collection - attack.t1560.001 diff --git a/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml index c6bffc2e8ec..de065585c20 100644 --- a/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml 
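Review bot: In `proc_creation_win_winrm_susp_child_process.yml` the tag list places the technique `attack.t1190` ahead of the tactics `attack.initial-access`, `attack.persistence` and `attack.privilege-escalation`, unlike every other rule in this chunk, which lists tactics before techniques; since these lines are being rewritten anyway, move `- attack.t1190` after the three tactic tags. The hunk header also shows `spawnd` in the description (`Detects suspicious processes including shells spawnd from WinRM hos…`), which should read `spawned`. The description line continues outside the hunk.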
@@ -8,10 +8,10 @@ references: - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ - https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/ author: frack113, manasmbellani -date: 2022/02/16 -modified: 2024/03/06 +date: 2022-02-16 +modified: 2024-03-06 tags: - - attack.defense_evasion + - attack.defense-evasion - attack.t1218 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml index 2fae2a4af9a..7af9fb7cef0 100644 --- a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml +++ b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml @@ -6,8 +6,8 @@ references: - https://twitter.com/cglyer/status/1182389676876980224 - https://twitter.com/cglyer/status/1182391019633029120 author: Florian Roth (Nextron Systems) -date: 2019/10/11 -modified: 2023/02/08 +date: 2019-10-11 +modified: 2023-02-08 tags: - attack.persistence - attack.t1546.003 diff --git a/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml index cb2f28e5bef..cb436fbfd7c 100644 --- a/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml +++ b/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml @@ -5,11 +5,11 @@ description: Detects WMI script event consumers references: - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ author: Thomas Patzke -date: 2018/03/07 -modified: 2022/10/11 +date: 2018-03-07 +modified: 2022-10-11 tags: - attack.persistence - - attack.privilege_escalation + - attack.privilege-escalation - attack.t1546.003 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml index 208176a4150..ead1a4d821e 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml @@ -6,8 +6,8 @@ references: - https://twitter.com/johnlatwc/status/1408062131321270282?s=12 - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf author: Florian Roth (Nextron Systems) -date: 2021/06/25 -modified: 2023/02/14 +date: 2021-06-25 +modified: 2023-02-14 tags: - attack.persistence - attack.t1546.003 diff --git a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml index d6809887400..72c0d40ca0e 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml @@ -7,10 +7,10 @@ references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ - https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/ author: frack113 -date: 2022/12/11 -modified: 2023/02/14 +date: 2022-12-11 +modified: 2023-02-14 tags: - - attack.credential_access + - attack.credential-access - attack.t1546.008 logsource: product: windows diff --git a/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml index a242bd5fa47..2071ae8990b 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml 
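Review bot: In `proc_creation_win_wmic_namespace_defender.yml` the renamed tag `attack.credential-access` sits next to `attack.t1546.008`, and neither appears to fit: T1546.008 is Accessibility Features (a persistence/privilege-escalation sub-technique), while the references quoted in the hunk describe malware adding Defender path exclusions, which is defense evasion. Since the tag line is being touched anyway, the mapping should be corrected rather than only re-spelled, e.g. `- attack.defense-evasion` and `- attack.t1562.001`. The detection section is outside the hunk, so confirm the WMI namespace matched by the condition is the Defender one before relabeling.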
@@ -9,8 +9,8 @@ references: - https://www.sans.org/blog/wmic-for-incident-response/ - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community -date: 2019/01/16 -modified: 2023/02/14 +date: 2019-01-16 +modified: 2023-02-14 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml index fec41430b4a..43bc0832faf 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml @@ -5,8 +5,8 @@ description: Detects execution of wmic utility with the "computersystem" flag in references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/09/08 -modified: 2023/02/14 +date: 2022-09-08 +modified: 2023-02-14 tags: - attack.discovery - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml index c3dd3482766..30706912ee9 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml @@ -6,7 +6,7 @@ references: - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/ - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks author: Florian Roth (Nextron Systems) -date: 2023/02/14 +date: 2023-02-14 tags: - attack.execution - attack.t1047 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml index 375e35e1b4c..5eab2fe12e6 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml @@ -9,8 +9,8 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md author: frack113 -date: 2021/12/12 -modified: 2023/02/14 +date: 2021-12-12 +modified: 2023-02-14 tags: - attack.discovery - attack.t1069.001 diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml index d1f8c41aef8..761022e21df 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml @@ -6,8 +6,8 @@ references: - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/20 -modified: 2023/02/14 +date: 2022-06-20 +modified: 2023-02-14 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml index 2899144ce41..a10ef6786d1 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml 
@@ -6,8 +6,8 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 author: frack113
-date: 2022/01/01
-modified: 2023/02/14
+date: 2022-01-01
+modified: 2023-02-14
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml
index 07db3fc47f2..65a3b3b510e 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml
@@ -7,7 +7,7 @@ references:
     - https://www.yeahhub.com/list-installed-programs-version-path-windows/
     - https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
 author: Nasreddine Bencherchali
-date: 2023/02/14
+date: 2023-02-14
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml
index 8c61e02a815..540ef9b989a 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml
@@ -6,8 +6,8 @@ references:
     - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
     - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
 author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
-date: 2023/02/14
-modified: 2023/03/07
+date: 2023-02-14
+modified: 2023-03-07
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
index 947bcaee73c..8ef1f0c7bbb 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
@@ -13,7 +13,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/14
+date: 2023-02-14
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml
index de18684dca9..40460c76c12 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml
@@ -17,8 +17,8 @@ references:
     - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
     - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
 author: TropChaud
-date: 2023/01/26
-modified: 2023/12/19
+date: 2023-01-26
+modified: 2023-12-19
 tags:
     - attack.discovery
     - attack.t1082
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
index b3d54f81abf..8cd2e230098 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
@@ -12,8 +12,8 @@ references:
     - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
     - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
-modified: 2023/09/11
+date: 2022-06-20
+modified: 2023-09-11
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml
index b5719fa3089..759f600328e 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml
@@ -12,7 +12,7 @@ references:
     - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 author: Stephen Lincoln `@slincoln-aiq`(AttackIQ)
-date: 2024/02/02
+date: 2024-02-02
 tags:
     - attack.execution
     - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml
index b62dee19e30..43d49ac589a 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml
@@ -2,16 +2,16 @@ title: WMIC Remote Command Execution
 id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00
 related:
     - id: e42af9df-d90b-4306-b7fb-05c863847ebd
-      type: obsoletes
+      type: obsolete
     - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects the execution of WMIC to query information on a remote system
 references:
     - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/14
+date: 2023-02-14
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml b/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml
index f1ca9fc45b9..7b5e0f2e7da 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml
@@ -5,8 +5,8 @@ description: Detects usage of wmic to start or stop a service
 references:
     - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/06/20
-modified: 2023/02/14
+date: 2022-06-20
+modified: 2023-02-14
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
index 8c791759c00..305acaae6fb 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
@@ -8,10 +8,10 @@ references:
     - https://atomicredteam.io/defense-evasion/T1220/
     - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
 author: Markus Neis, Florian Roth
-date: 2019/01/16
-modified: 2023/02/15
+date: 2019-01-16
+modified: 2023-02-15
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1047
     - attack.t1220
     - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
index 2fa2054bd48..6233eff74e1 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
@@ -4,27 +4,27 @@ related:
     - id: 438025f9-5856-4663-83f7-52f878a70a50
       type: derived
     - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
-      type: obsoletes
+      type: obsolete
     - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
-      type: obsoletes
+      type: obsolete
     - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
-      type: obsoletes
+      type: obsolete
     - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
-      type: obsoletes
+      type: obsolete
 status: test
 description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
 author: Vadim Khrykov, Cyb3rEng
-date: 2021/08/23
-modified: 2023/02/14
+date: 2021-08-23
+modified: 2023-02-14
 tags:
     - attack.t1204.002
     - attack.t1047
     - attack.t1218.010
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
 logsource:
     product: windows
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml
index 9fc8a9d21ee..81b58894cca 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml
@@ -9,8 +9,8 @@ references:
     - https://thedfirreport.com/2020/10/08/ryuks-return/
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/12
-modified: 2023/02/14
+date: 2020-10-12
+modified: 2023-02-14
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml
index 8dd0fe238a8..46b80ddbf2f 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml
@@ -9,7 +9,7 @@ references:
     - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
     - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/11
+date: 2023-09-11
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml
index 5484c51894a..6264814d961 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml
@@ -8,8 +8,8 @@ description: Detects the removal or uninstallation of an application via "Wmic.E
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
 author: frack113
-date: 2022/01/28
-modified: 2024/07/02
+date: 2022-01-28
+modified: 2024-07-02
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
index 590f7698eb1..3d0d1995a72 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
@@ -12,10 +12,10 @@ references:
     - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
     - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-date: 2021/01/30
-modified: 2023/02/14
+date: 2021-01-30
+modified: 2023-02-14
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
index eb4beb6bfb7..6cc520cca00 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
@@ -8,10 +8,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
 author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
-date: 2019/10/21
-modified: 2024/03/05
+date: 2019-10-21
+modified: 2024-03-05
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1220
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
index 445dede4fee..6b9905c2c2d 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
@@ -10,8 +10,8 @@ description: Detects WmiPrvSE spawning a process
 references:
     - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
-date: 2019/08/15
-modified: 2023/03/23
+date: 2019-08-15
+modified: 2023-03-23
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
index ab0a28a9b04..edeb4456c3d 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
@@ -10,8 +10,8 @@ description: Detects Powershell as a child of the WmiPrvSE process. Which could
 references:
     - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
 author: Markus Neis @Karneades
-date: 2019/04/03
-modified: 2023/03/29
+date: 2019-04-03
+modified: 2023-03-29
 tags:
     - attack.execution
     - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
index d65e301e7bd..983b235d47f 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
@@ -6,7 +6,7 @@ related:
     - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
       type: similar
     - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects suspicious and uncommon child processes of WmiPrvSE
 references:
@@ -15,11 +15,11 @@ references:
     - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
     - https://twitter.com/ForensicITGuy/status/1334734244120309760
 author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
-date: 2021/08/23
-modified: 2023/11/10
+date: 2021-08-23
+modified: 2023-11-10
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1047
     - attack.t1204.002
     - attack.t1218.010
diff --git a/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml
index f0c69108697..f5315af5b1f 100644
--- a/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml
@@ -6,10 +6,10 @@ references:
     - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
     - https://persistence-info.github.io/Data/wpbbin.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/18
+date: 2022-07-18
 tags:
     - attack.persistence
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1542.001
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
index 91f3d93f2c6..166d3d3faef 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
@@ -9,8 +9,8 @@ references:
     - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
     - https://redcanary.com/blog/gootloader/
 author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-date: 2019/01/16
-modified: 2024/01/30
+date: 2019-01-16
+modified: 2024-01-30
 tags:
     - attack.execution
     - attack.t1059.005
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml
index aefacd9afad..d0f0402e788 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml
@@ -9,8 +9,8 @@ references:
     - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt
     - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
 author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
-date: 2023/05/15
-modified: 2024/01/02
+date: 2023-05-15
+modified: 2024-01-02
 tags:
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
index 5f25f325917..8ce52637060 100644
--- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml
@@ -5,8 +5,8 @@ description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/15
-modified: 2023/06/19
+date: 2023-05-15
+modified: 2023-06-19
 tags:
     - attack.execution
     - attack.t1059.005
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
index 65491ff776b..f39edc3353a 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
@@ -9,11 +9,11 @@ references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
     - https://twitter.com/nas_bench/status/1535431474429808642
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/23
-modified: 2023/08/15
+date: 2023-01-23
+modified: 2023-08-15
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
     - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
index 6f38bca7b8d..304e23b3c20 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
@@ -9,11 +9,11 @@ references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
     - https://twitter.com/nas_bench/status/1535431474429808642
 author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/05
-modified: 2023/04/12
+date: 2020-10-05
+modified: 2023-04-12
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
     - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
index 23f5d26a727..1773330abf6 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
@@ -5,10 +5,10 @@ description: Detects the execution of Windows binaries from within a WSL instanc
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/14
+date: 2023-02-14
 tags:
     - attack.execution
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1202
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml
index 712d72f91e6..48af49ae59e 100644
--- a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml
+++ b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml
@@ -2,19 +2,19 @@ title: Proxy Execution Via Wuauclt.EXE
 id: af77cf95-c469-471c-b6a0-946c685c4798
 related:
     - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
-      type: obsoletes
+      type: obsolete
     - id: d7825193-b70a-48a4-b992-8b5b3015cc11
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
 references:
     - https://dtm.uk/wuauclt/
     - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
-date: 2020/10/12
-modified: 2023/11/11
+date: 2020-10-12
+modified: 2023-11-11
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
index 8f29a67ea07..604f48f6a88 100644
--- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
@@ -6,10 +6,10 @@ description: |
 references:
     - https://redcanary.com/blog/blackbyte-ransomware/
 author: Florian Roth (Nextron Systems)
-date: 2022/02/26
-modified: 2023/11/11
+date: 2022-02-26
+modified: 2023-11-11
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1036
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml
index 33a939c17ae..a1db4fe0ecb 100644
--- a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml
+++ b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml
@@ -5,7 +5,7 @@ description: Detects usage of the "wusa.exe" (Windows Update Standalone Installe
 references:
     - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/04
+date: 2022-08-04
 tags:
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
index 46d3b7c1eb3..5e0fb0bd75c 100644
--- a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
@@ -6,8 +6,8 @@ references:
     - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
     - https://www.echotrail.io/insights/search/wusa.exe/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2023/11/28
+date: 2022-08-05
+modified: 2023-11-28
 tags:
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml b/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml
index a095bb9900b..73fc7c9d67a 100644
--- a/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml
@@ -6,7 +6,7 @@ description: |
 references:
     - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
 author: X__Junior (Nextron Systems)
-date: 2023/11/26
+date: 2023-11-26
 tags:
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
index 83fdb5e2894..808d8e8ae64 100644
--- a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
@@ -8,10 +8,10 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
     - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
 author: Christian Burkard (Nextron Systems)
-date: 2021/09/20
-modified: 2024/04/22
+date: 2021-09-20
+modified: 2024-04-22
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1574.002
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml b/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
index 71b94a3492d..6297fac2214 100644
--- a/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
@@ -9,10 +9,10 @@ references:
     - https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
     - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
 author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-date: 2020/10/07
-modified: 2024/04/22
+date: 2020-10-07
+modified: 2024-04-22
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
index d1c2be162ee..c5c9b1e8a06 100644
--- a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
+++ b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
@@ -6,11 +6,11 @@ references:
     - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
     - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
-date: 2022/01/25
-modified: 2023/11/28
+date: 2022-01-25
+modified: 2023-11-28
 tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
+    - attack.defense-evasion
+    - attack.privilege-escalation
     - attack.t1055.012
 logsource:
     product: windows
diff --git a/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml b/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
index 137b29a8b25..3e7002b1321 100644
--- a/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
+++ b/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
@@ -5,10 +5,10 @@ description: Detects raw disk access using uncommon tools or tools that are loca
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
-date: 2019/10/22
-modified: 2023/11/28
+date: 2019-10-22
+modified: 2023-11-28
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1006
 logsource:
     product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
index f643eaff868..3bbb016b80b 100644
--- a/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
+++ b/rules/windows/registry/registry_add/registry_add_malware_netwire.yml
@@ -9,10 +9,10 @@ references:
     - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
     - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
 author: Christopher Peacock
-date: 2021/10/07
-modified: 2023/02/07
+date: 2021-10-07
+modified: 2023-02-07
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
 logsource:
     product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
index dad041dcaa7..50e86dc3406 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml
@@ -6,8 +6,8 @@ references:
     - https://persistence-info.github.io/Data/amsi.html
     - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/02/07
+date: 2022-07-21
+modified: 2023-02-07
 tags:
     - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
index 55f067b45ed..015af3461ca 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_com_key_linking.yml
@@ -5,8 +5,8 @@ description: Detects COM object hijacking via TreatAs subkey
 references:
     - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Kutepov Anton, oscd.community
-date: 2019/10/23
-modified: 2023/02/07
+date: 2019-10-23
+modified: 2023-02-07
 tags:
     - attack.persistence
     - attack.t1546.015
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
index 0b5db516bed..42854def3fc 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml
@@ -12,8 +12,8 @@ references:
     - https://persistence-info.github.io/Data/diskcleanuphandler.html
     - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/02/07
+date: 2022-07-21
+modified: 2023-02-07
 tags:
     - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
index c4a7a570477..d1374b97853 100644
--- a/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
@@ -5,12 +5,12 @@ description: Detects creation of "UserInitMprLogonScript" registry value which c
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
 author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-modified: 2023/06/09
+date: 2019-01-12
+modified: 2023-06-09
 tags:
     - attack.t1037.001
     - attack.persistence
-    - attack.lateral_movement
+    - attack.lateral-movement
 logsource:
     category: registry_add
     product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
index 96fe42dfa40..7266dd35216 100644
--- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
@@ -5,10 +5,10 @@ description: Detects the execution of a Sysinternals Tool via the creation of th
 references:
     - https://twitter.com/Moti_B/status/1008587936735035392
 author: Markus Neis
-date: 2017/08/28
-modified: 2023/02/07
+date: 2017-08-28
+modified: 2023-02-07
 tags:
-    - attack.resource_development
+    - attack.resource-development
     - attack.t1588.002
 logsource:
     product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
index d8cdebdedf8..5272fa58e96 100644
--- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
@@ -10,10 +10,10 @@ description: Detects the creation of the "accepteula" key related to the Sysinte
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/24
-modified: 2023/02/07
+date: 2022-08-24
+modified: 2023-02-07
 tags:
-    - attack.resource_development
+    - attack.resource-development
     - attack.t1588.002
 logsource:
     product: windows
diff --git a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
index cf22352087b..0ab8b80cd6b 100644
--- a/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
+++ b/rules/windows/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
@@ -4,16 +4,16 @@ related:
 - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 type: derived
 - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
 references:
 - https://twitter.com/Moti_B/status/1008587936735035392
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/24
-modified: 2023/02/07
+date: 2022-08-24
+modified: 2023-02-07
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml b/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml
index 90724343fa8..1289711ad61 100755
--- a/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml
@@ -14,7 +14,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
 - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
 author: Sajid Nawaz Khan
-date: 2024/06/02
+date: 2024-06-02
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
index fa66851298d..d62440d9720 100644
--- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
@@ -5,10 +5,10 @@ description: Detects the removal of folders from the "ProtectedFolders" list of
 references:
 - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2023/02/08
+date: 2022-08-05
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_delete
diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
index a84d29bd694..99588236826 100644
--- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
@@ -7,10 +7,10 @@ references:
 - http://woshub.com/how-to-clear-rdp-connections-history/
 - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
 author: Christian Burkard (Nextron Systems)
-date: 2021/10/19
-modified: 2023/02/08
+date: 2021-10-19
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
index 84770ee4cdf..0d00f1589ae 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://seclists.org/fulldisclosure/2020/Mar/45
 author: frack113
-date: 2021/06/07
-modified: 2023/02/08
+date: 2021-06-07
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index 3b9c723e6d1..7978818a263 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -11,10 +11,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
 - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/01/19
+date: 2020-05-02
+modified: 2023-01-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
index ec2b9d20cc0..d0c06457e91 100644
--- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
@@ -10,10 +10,10 @@ description: Detects when the "index" value of a scheduled task is removed or de
 references:
 - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/26
-modified: 2023/02/08
+date: 2022-08-26
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
index 4272a303677..d33cc045d95 100644
--- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
@@ -8,10 +8,10 @@ description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree r
 references:
 - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
 author: Sittikorn S
-date: 2022/04/15
-modified: 2023/02/08
+date: 2022-04-15
+modified: 2023-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
index ae9eb724605..27b24208b14 100644
--- a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
+++ b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
@@ -5,8 +5,8 @@ description: Sysmon registry detection of a local hidden user account.
 references:
 - https://twitter.com/SBousseaden/status/1387530414185664538
 author: Christian Burkard (Nextron Systems)
-date: 2021/05/03
-modified: 2022/08/05
+date: 2021-05-03
+modified: 2022-08-05
 tags:
 - attack.persistence
 - attack.t1136.001
diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
index 2a6c82476eb..2ef031e2a56 100755
--- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
@@ -6,10 +6,10 @@ references:
 - https://wikileaks.org/vault7/#Pandemic
 - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth (Nextron Systems)
-date: 2017/06/01
-modified: 2022/10/09
+date: 2017-06-01
+modified: 2022-10-09
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
index b2cc65feaf6..86fb0e9944d 100644
--- a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
+++ b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
@@ -6,11 +6,11 @@ references:
 - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
 - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
 author: oscd.community, Dmitry Uchakin
-date: 2020/10/07
-modified: 2021/11/27
+date: 2020-10-07
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
index 74ce8d30a8e..d90563ee5fb 100755
--- a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
@@ -5,10 +5,10 @@ description: Detects various indicators of Microsoft Connection Manager Profile
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 author: Nik Seetharaman
-date: 2018/07/16
-modified: 2020/12/23
+date: 2018-07-16
+modified: 2020-12-23
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.execution
 - attack.t1218.003
 - attack.g0069
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index daf5c3715b9..3c289fed49d 100755
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -5,10 +5,10 @@ description: Detects the addition of a key 'MiniNt' to the registry. Upon a rebo
 references:
 - https://twitter.com/0gtweet/status/1182516740955226112
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-modified: 2021/11/27
+date: 2019-10-25
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
index 4414184fd55..56a249bb1d2 100644
--- a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/08/25
-modified: 2021/11/27
+date: 2019-08-25
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml b/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
index 11f9c478e07..edcea9a7b0b 100644
--- a/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
+++ b/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
@@ -5,10 +5,10 @@ description: Detects the volume shadow copy service initialization and processin
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/10/20
-modified: 2022/12/25
+date: 2020-10-20
+modified: 2022-12-25
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.002
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
index 99265f73f42..8ed273e1ed0 100755
--- a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
@@ -5,10 +5,10 @@ description: Detects the use of Windows Credential Editor (WCE)
 references:
 - https://www.ampliasecurity.com/research/windows-credentials-editor/
 author: Florian Roth (Nextron Systems)
-date: 2019/12/31
-modified: 2021/11/27
+date: 2019-12-31
+modified: 2021-11-27
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 - attack.s0005
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
index 950d2d30115..70c4224660c 100644
--- a/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
+++ b/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
@@ -5,10 +5,10 @@ description: Detects the installation of the Azure Hybrid Connection Manager ser
 references:
 - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2021/04/12
-modified: 2022/11/27
+date: 2021-04-12
+modified: 2022-11-27
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1608
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
index b20358d3613..21e4fcd2cd1 100644
--- a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
+++ b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
@@ -5,8 +5,8 @@ description: Detects the presence of a registry key created during Azorult execu
 references:
 - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
 author: Trent Liffick
-date: 2020/05/08
-modified: 2021/11/27
+date: 2020-05-08
+modified: 2021-11-27
 tags:
 - attack.execution
 - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
index d56a0e72245..52adb226f85 100644
--- a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
@@ -5,9 +5,9 @@ description: Detects a registry key used by IceID in a campaign that distributes
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Hieu Tran
-date: 2023/03/13
+date: 2023-03-13
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
index 93125c35c93..7a8481464e6 100644
--- a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
+++ b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml
@@ -9,13 +9,13 @@ references:
 - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 author: Markus Neis, @markus_neis, Florian Roth
-date: 2021/07/04
-modified: 2023/06/12
+date: 2021-07-04
+modified: 2023-06-12
 tags:
 - attack.execution
 - attack.t1204
- - cve.2021.1675
- - cve.2021.34527
+ - cve.2021-1675
+ - cve.2021-34527
 logsource:
 product: windows
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml b/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
index 06320c02f38..9188354d8f7 100644
--- a/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
+++ b/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
@@ -6,11 +6,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
 - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
 author: Bartlomiej Czyz @bczyz1, oscd.community
-date: 2020/10/11
-modified: 2021/11/27
+date: 2020-10-11
+modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1546.002
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
index 5920c1ab35a..c8ab8533915 100755
--- a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
+++ b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
@@ -5,8 +5,8 @@ description: Detects abusing Windows 10 Narrator's Feedback-Hub
 references:
 - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
 author: Dmitriy Lifanov, oscd.community
-date: 2019/10/25
-modified: 2022/03/26
+date: 2019-10-25
+modified: 2022-03-26
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index c5266767b62..d982ab65fd6 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -5,10 +5,10 @@ description: Detects NetNTLM downgrade attack
 references:
 - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 author: Florian Roth (Nextron Systems), wagga
-date: 2018/03/20
-modified: 2022/11/29
+date: 2018-03-20
+modified: 2022-11-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
index 982ed006601..93d902ac561 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
@@ -8,8 +8,8 @@ references:
 - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
 - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
-modified: 2021/11/27
+date: 2019-10-25
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1546.009
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index e285d3b37b1..71bdd12881a 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -5,8 +5,8 @@ description: DLLs that are specified in the AppInit_DLLs value in the Registry k
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
 author: Ilyas Ochkov, oscd.community, Tim Shelton
-date: 2019/10/25
-modified: 2022/12/25
+date: 2019-10-25
+modified: 2022-12-25
 tags:
 - attack.persistence
 - attack.t1546.010
diff --git a/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml b/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml
index 6ea18b6b1a5..81010fa9a06 100644
--- a/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml
+++ b/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml
@@ -5,8 +5,8 @@ description: Detects the addition of office test registry that allows a user to
 references:
 - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
 author: omkar72
-date: 2020/10/25
-modified: 2023/11/08
+date: 2020-10-25
+modified: 2023-11-08
 tags:
 - attack.persistence
 - attack.t1137.002
diff --git a/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml b/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml
index a465f04249a..6125dd99c97 100644
--- a/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml
+++ b/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml
@@ -10,10 +10,10 @@ references:
 - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
 - https://twitter.com/inversecos/status/1494174785621819397
 author: Antonlovesdnb, Trent Liffick (@tliffick)
-date: 2020/02/19
-modified: 2023/06/21
+date: 2020-02-19
+modified: 2023-06-21
 tags:
- - attack.initial_access
+ - attack.initial-access
 - attack.t1566.001
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index 2653e50cb2a..4f6a06aef32 100644
--- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -7,8 +7,8 @@ references:
 - https://persistence-info.github.io/Data/recyclebin.html
 - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
 author: frack113
-date: 2021/11/18
-modified: 2022/12/06
+date: 2021-11-18
+modified: 2022-12-06
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml b/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
index f54722ecba6..bde71a2cb13 100644
--- a/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
@@ -7,12 +7,12 @@ references:
 - https://adepts.of0x.cc/netsh-portproxy-code/
 - https://www.dfirnotes.net/portproxy_detection/
 author: Andreas Hunkeler (@Karneades)
-date: 2021/06/22
-modified: 2024/03/25
+date: 2021-06-22
+modified: 2024-03-25
 tags:
- - attack.lateral_movement
- - attack.defense_evasion
- - attack.command_and_control
+ - attack.lateral-movement
+ - attack.defense-evasion
+ - attack.command-and-control
 - attack.t1090
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
index 61dc1ff8091..c31f0ad855d 100644
--- a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
@@ -5,10 +5,10 @@ description: Detects actions caused by the RedMimicry Winnti playbook
 references:
 - https://redmimicry.com
 author: Alexander Rausch
-date: 2020/06/24
-modified: 2021/11/27
+date: 2020-06-24
+modified: 2021-11-27
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
index 3a4efef7cb0..7819beef522 100644
--- a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
+++ b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
@@ -5,8 +5,8 @@ description: Detects potential malicious modification of run keys by winekey or
 references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: omkar72
-date: 2020/10/30
-modified: 2021/11/27
+date: 2020-10-30
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
index c5bd35846a4..ece118bc42f 100644
--- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
+++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/pabraeken/status/990717080805789697
 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
 author: 'Avneet Singh @v3t0_, oscd.community'
-date: 2020/11/15
-modified: 2024/03/25
+date: 2020-11-15
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index b2e7385f6b6..e7a7cf01bcb 100644
--- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -8,11 +8,11 @@ references:
 - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
 - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2022/01/13
+date: 2021-08-30
+modified: 2022-01-13
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - attack.t1546.001
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
index d5c90bbfcbd..9f8b1f2d6e8 100644
--- a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
+++ b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
@@ -9,10 +9,10 @@ references:
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 author: Florian Roth (Nextron Systems)
-date: 2021/02/26
-modified: 2022/12/19
+date: 2021-02-26
+modified: 2022-12-19
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
index d0d081b30ba..45bf4bee00c 100755
--- a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
+++ b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
@@ -7,8 +7,8 @@ references:
 - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
 author: iwillkeepwatch
-date: 2019/01/18
-modified: 2022/08/09
+date: 2019-01-18
+modified: 2022-08-09
 tags:
 - attack.persistence
 - attack.t1547.005
diff --git a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
index fbc2081faf6..42d7350fcb3 100755
--- a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -6,10 +6,10 @@ references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
 author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-date: 2018/03/15
-modified: 2022/11/26
+date: 2018-03-15
+modified: 2022-11-26
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
 - attack.t1546.008
 - car.2014-11-003
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index a30a328ef84..772eaf2fda3 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -6,10 +6,10 @@ references:
 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
 - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
 author: Mateusz Wydra, oscd.community
-date: 2020/10/13
-modified: 2023/01/19
+date: 2020-10-13
+modified: 2023-01-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
index 59e7c09b9c4..2448e57ad95 100755
--- a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
@@ -5,8 +5,8 @@ description: Detects the suspicious RUN keys created by software located in Down
 references:
 - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
 author: Florian Roth (Nextron Systems)
-date: 2019/10/01
-modified: 2021/11/27
+date: 2019-10-01
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
index c29fea94cad..088f2c485e6 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
@@ -6,8 +6,8 @@ references:
 - https://blog.xpnsec.com/exploring-mimikatz-part-1/
 - https://twitter.com/SBousseaden/status/1183745981189427200
 author: Florian Roth (Nextron Systems)
-date: 2019/10/16
-modified: 2022/04/21
+date: 2019-10-16
+modified: 2022-04-21
 tags:
 - attack.execution
 - attack.persistence
diff --git a/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml b/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
index 42e1bef7054..ae8eff655aa 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml
@@ -5,8 +5,8 @@ description: Detects Processes accessing the camera and microphone from suspicio
 references:
 - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
 author: Den Iuzvyk
-date: 2020/06/07
-modified: 2022/10/09
+date: 2020-06-07
+modified: 2022-10-09
 tags:
 - attack.collection
 - attack.t1125
diff --git a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
index 900365dd141..9ed2f7e71f4 100644
--- a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
+++ b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
@@ -5,9 +5,9 @@ description: Detects enabling of the "AllowAnonymousCallback" registry value, wh
 references:
 - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
 author: X__Junior (Nextron Systems)
-date: 2023/11/03
+date: 2023-11-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
index 34c7ebc3734..8b3a681b329 100644
--- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
@@ -6,10 +6,10 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
 author: frack113
-date: 2022/04/04
-modified: 2024/03/25
+date: 2022-04-04
+modified: 2024-03-25
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1564.001
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
index f758eae1ccd..9ab7067df90 100644
--- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
@@ -7,8 +7,8 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
 author: frack113
-date: 2021/12/30
-modified: 2024/03/25
+date: 2021-12-30
+modified: 2024-03-25
 tags:
     - attack.persistence
     - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
index eb34f8af837..bda1b66b8dc 100644
--- a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
@@ -6,8 +6,8 @@ references:
     - https://persistence-info.github.io/Data/aedebug.html
     - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
     - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
index 3eda2311854..050a8bad631 100644
--- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
+++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -5,10 +5,10 @@ description: Detect enable rdp feature to allow specific user to rdp connect on
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
index c78f4fe4eb0..3626597f335 100644
--- a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
+++ b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
@@ -6,10 +6,10 @@ references:
     - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
     - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/04
-modified: 2023/08/17
+date: 2023-01-04
+modified: 2023-08-17
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index fd8502fac03..b799dd05be2 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
@@ -2,7 +2,7 @@ title: Classes Autorun Keys Modification
 id: 9df5f547-c86a-433e-b533-f2794357e242
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index cb5ca3db38f..c7378498ede 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -2,7 +2,7 @@ title: Common Autorun Keys Modification
 id: f59c3faf-50f3-464b-9f4c-1b67ab512d99
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -11,8 +11,8 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
     - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index e279685e7fc..1e9344aa9bb 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -2,7 +2,7 @@ title: CurrentControlSet Autorun Keys Modification
 id: f674e36a-4b91-431e-8aef-f8a96c2aca35
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index c7e4ee004f4..7db2b8c697b 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -2,7 +2,7 @@ title: CurrentVersion Autorun Keys Modification
 id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -11,8 +11,8 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
     - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index be904f88746..1ca1eb9f8e7 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -2,7 +2,7 @@ title: CurrentVersion NT Autorun Keys Modification
 id: cbf93e5d-ca6c-4722-8bea-e9119007c248
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
index b8c34acbf7a..9f57805778d 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
@@ -2,7 +2,7 @@ title: Internet Explorer Autorun Keys Modification
 id: a80f662f-022f-4429-9b8c-b1a41aaa6688
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index cf3d316acfc..cfbaa067c6c 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -2,7 +2,7 @@ title: Office Autorun Keys Modification
 id: baecf8fb-edbf-429f-9ade-31fc3f22b970
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
index 437353071dc..1bfaea456e9 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
@@ -2,7 +2,7 @@ title: Session Manager Autorun Keys Modification
 id: 046218bd-e0d8-4113-a3c3-895a12b2b298
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
index e3764524400..20d89348b72 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
@@ -2,7 +2,7 @@ title: System Scripts Autorun Keys Modification
 id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
index a8b8522fe73..0beedb07ebc 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 7f5aa44311a..d1f91723b5d 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -2,7 +2,7 @@ title: Wow6432Node CurrentVersion Autorun Keys Modification
 id: b29aed60-ebd1-442b-9cb5-16a1d0324adb
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -11,8 +11,8 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
     - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
index b70ea092494..4cb70d032de 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
@@ -2,7 +2,7 @@ title: Wow6432Node Classes Autorun Keys Modification
 id: 18f2065c-d36c-464a-a748-bcf909acb2e3
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
index b68db8e1245..d99258b0775 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -2,7 +2,7 @@ title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
 id: 480421f9-417f-4d3b-9552-fd2728443ec8
 related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
-      type: obsoletes
+      type: obsolete
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -10,8 +10,8 @@ references:
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-date: 2019/10/25
-modified: 2023/08/17
+date: 2019-10-25
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
index fb87c2fca27..fe95cd9b65c 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
@@ -5,9 +5,9 @@ description: Detects setting of a new registry database value related to BgInfo
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/16
+date: 2023-08-16
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
index 49defb4a9f1..483a428f946 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
@@ -8,9 +8,9 @@ description: Detects setting of a new registry value related to BgInfo configura
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/16
+date: 2023-08-16
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
index f3469c63fee..c68567d41b9 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
@@ -8,9 +8,9 @@ description: Detects setting of a new registry value related to BgInfo configura
 references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/16
+date: 2023-08-16
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml b/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
index 9bccc0fdbaf..0c401d10230 100644
--- a/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
+++ b/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
@@ -6,10 +6,10 @@ references:
     - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
     - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
 author: frack113
-date: 2022/01/24
-modified: 2023/08/17
+date: 2022-01-24
+modified: 2023-08-17
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
index ef628a4e68b..d502fa46eff 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
@@ -7,11 +7,11 @@ references:
     - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
 author: frack113
-date: 2022/01/05
-modified: 2023/08/17
+date: 2022-01-05
+modified: 2023-08-17
 tags:
-    - attack.privilege_escalation
-    - attack.defense_evasion
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.t1548.002
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
index 1566e450ffc..a229c550bdf 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
@@ -6,8 +6,8 @@ references:
     - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
 author: frack113
-date: 2022/01/05
-modified: 2023/08/17
+date: 2022-01-05
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
index 7e9b5f36158..e9082ba3b27 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
@@ -10,11 +10,11 @@ references:
     - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
     - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
 author: frack113, Nextron Systems
-date: 2022/01/06
-modified: 2024/01/30
+date: 2022-01-06
+modified: 2024-01-30
 tags:
-    - attack.privilege_escalation
-    - attack.defense_evasion
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.t1548.002
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
index 4dc1a98e8e7..8d36c147b1f 100644
--- a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
@@ -8,8 +8,8 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
 author: frack113
-date: 2022/01/01
-modified: 2024/03/25
+date: 2022-01-01
+modified: 2024-03-25
 tags:
     - attack.persistence
     - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
index 09f677b8118..847597d5834 100644
--- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
@@ -9,8 +9,8 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
     - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
 author: frack113
-date: 2022/01/22
-modified: 2023/08/17
+date: 2022-01-22
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
index 71a3c0b6b14..c7fd6a068c0 100644
--- a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
@@ -8,10 +8,10 @@ references:
     - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
     - https://youtu.be/zSihR3lTf7g
 author: B.Talebi
-date: 2022/07/28
-modified: 2024/03/25
+date: 2022-07-28
+modified: 2024-03-25
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.001
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
index 2d472b0e919..02892198ec1 100644
--- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
@@ -7,10 +7,10 @@ references:
     - https://learn.microsoft.com/en-us/windows/win32/api/winevt/
     - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
 author: frack113
-date: 2022/09/17
-modified: 2024/03/25
+date: 2022-09-17
+modified: 2024-03-25
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1562.002
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
index 1f8f7810bd1..0771d6288f2 100644
--- a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
@@ -5,8 +5,8 @@ description: Running Chrome VPN Extensions via the Registry install 2 vpn extens
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
 author: frack113
-date: 2021/12/28
-modified: 2023/08/17
+date: 2021-12-28
+modified: 2023-08-17
 tags:
     - attack.persistence
     - attack.t1133
diff --git a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
index d04bfa4f3a3..32370ff286a 100644
--- a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
+++ b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
@@ -6,10 +6,10 @@ references:
     - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
     - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
 author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
-date: 2023/06/12
-modified: 2023/08/17
+date: 2023-06-12
+modified: 2023-08-17
 tags:
-    - attack.defense_evasion
+    - attack.defense-evasion
     - attack.t1112
 logsource:
     category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
index e0f79a4fa10..a393bbf48cb 100644
--- a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
+++ b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
@@ -6,12 +6,12 @@ description: |
 references:
     - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
 author: Wojciech Lesicki
-date: 2021/06/29
-modified: 2024/03/25
+date: 2021-06-29
+modified: 2024-03-25
 tags:
     - attack.execution
-    - attack.privilege_escalation
-    - attack.lateral_movement
+    - attack.privilege-escalation
+    - attack.lateral-movement
     - attack.t1021.002
     - attack.t1543.003
     - attack.t1569.002
diff --git a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
index 0fa6d6b4b48..9fd6561e0db 100644
--- a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
@@ -6,10 +6,10 @@ references:
     - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
     - https://www.exploit-db.com/exploits/47696
 author: Omkar Gudhate
-date: 2020/09/27
-modified: 2023/09/28
+date: 2020-09-27
+modified: 2023-09-28
 tags:
-    - attack.privilege_escalation
+    - attack.privilege-escalation
     - attack.t1546
     - attack.t1548
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
index a7c710e5be0..1770352e232 100644
--- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -5,8 +5,8 @@ description: Detects disabling the CrashDump per registry (as used by HermeticWi
 references:
     - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
 author: Tobias Michalski (Nextron Systems)
-date: 2022/02/24
-modified: 2023/08/17
+date: 2022-02-24
+modified: 2023-08-17
 tags:
     - attack.t1564
     - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index 6ab02f4c16a..4049e8a8386 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -2,16 +2,16 @@ title: Service Binary in Suspicious Folder
 id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
 related:
 - id: c0abc838-36b0-47c9-b3b3-a90c39455382
- type: obsoletes
+ type: obsolete
 status: test
 description: Detect the creation of a service with a service binary located in a suspicious directory
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Florian Roth (Nextron Systems), frack113
-date: 2022/05/02
-modified: 2023/08/17
+date: 2022-05-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
index 17190aee47c..d5ea0d83ff3 100644
--- a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
@@ -5,10 +5,10 @@ description: Detects the abuse of custom file open handler, executing powershell
 references:
 - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
 author: CD_R0M_
-date: 2022/06/11
-modified: 2023/08/17
+date: 2022-06-11
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1202
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
index 6ca04e90e11..4821a80b6ef 100644
--- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
 - https://github.com/last-byte/PersistenceSniper
 author: frack113
-date: 2022/08/07
-modified: 2023/08/17
+date: 2022-08-07
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1574
diff --git a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
index 235ad8ab31a..5bfba1cb692 100644
--- a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
+++ b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
@@ -8,10 +8,10 @@ description: Detects the Setting of Windows Defender Exclusions
 references:
 - https://twitter.com/_nullbind/status/1204923340810543109
 author: Christian Burkard (Nextron Systems)
-date: 2021/07/06
-modified: 2023/08/17
+date: 2021-07-06
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
index 0200136f98b..6617d2e6ee4 100644
--- a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
@@ -15,9 +15,9 @@ references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
 author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
-date: 2023/12/21
+date: 2023-12-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.impact
 - attack.t1112
 - attack.t1491.001
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
index 0b09702b07f..84efde879a6 100644
--- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
@@ -7,10 +7,10 @@ references:
 - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
 - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
 author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
-date: 2023/03/14
-modified: 2024/07/05
+date: 2023-03-14
+modified: 2024-07-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
index a379a4e1cee..7aa766d20f1 100644
--- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
@@ -7,9 +7,9 @@ references:
 - https://twitter.com/standa_t/status/1808868985678803222
 - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/05
+date: 2024-07-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
index 283d2a20be8..f48a1e31974 100755
--- a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
@@ -7,10 +7,10 @@ references:
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 author: Dimitrios Slamaris
-date: 2017/05/15
-modified: 2023/08/17
+date: 2017-05-15
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
index 788d750e86e..7a5593f2d8f 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
@@ -5,10 +5,10 @@ description: Administrative shares are hidden network shares created by Microsof
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
 author: frack113
-date: 2022/01/16
-modified: 2024/03/25
+date: 2022-01-16
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.005
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
index a40b5f8410f..460b38b7ca5 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
@@ -7,10 +7,10 @@ references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/08/17
+date: 2022-08-01
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
index cfdb97ff339..0f17d39055a 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
@@ -5,10 +5,10 @@ description: Adversaries may disable or modify system firewalls in order to bypa
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
 author: frack113
-date: 2022/01/09
-modified: 2024/03/25
+date: 2022-01-09
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index 88a0ca6686e..f8d68d58bbf 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -9,10 +9,10 @@ references:
 - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
 - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
 author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
-date: 2022/03/18
-modified: 2023/11/20
+date: 2022-03-18
+modified: 2023-11-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
index 8208a430d20..68ea1de2215 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
@@ -2,15 +2,15 @@ title: Disable Macro Runtime Scan Scope
 id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
 description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
 status: test
-date: 2022/10/25
-modified: 2023/08/17
+date: 2022-10-25
+modified: 2023-08-17
 author: Nasreddine Bencherchali (Nextron Systems)
 references:
 - https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
 - https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
 - https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
index 652eb65dfd1..055cc35148c 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
@@ -5,10 +5,10 @@ description: Detects registry modifications that disable Privacy Settings Experi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
 author: frack113
-date: 2022/10/02
-modified: 2023/08/17
+date: 2022-10-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
index 2f2abbbd1cf..e69c0e5cc19 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -5,10 +5,10 @@ description: Detect set UseActionCenterExperience to 0 to disable the Windows se
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
index d002b7a5ae5..a59931d4d7f 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
@@ -5,8 +5,8 @@ description: Detects the modification of the registry to disable a system restor
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
 author: frack113
-date: 2022/04/04
-modified: 2023/08/17
+date: 2022-04-04
+modified: 2023-08-17
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
index 561196ca8dc..011974d7f23 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
@@ -6,10 +6,10 @@ references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
 author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
-date: 2022/08/01
-modified: 2024/03/25
+date: 2022-08-01
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
index 7a36346450e..a4951a7415d 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
@@ -5,10 +5,10 @@ description: Detect set EnableFirewall to 0 to disable the Windows firewall
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.004
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index 7e9ea11df53..eab8aeb9540 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889
 - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/04
-modified: 2024/03/25
+date: 2022-07-04
+modified: 2024-03-25
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
index cbf4d6474ef..ca48b994dd8 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
@@ -5,10 +5,10 @@ description: Detects disabling Windows Defender Exploit Guard Network Protection
 references:
 - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
 author: Austin Songer @austinsonger
-date: 2021/08/04
-modified: 2023/08/17
+date: 2021-08-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
index d6ed06a3389..275d92bd4cc 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
@@ -5,10 +5,10 @@ description: Detects the disabling of the Windows Defender eventlog as seen in r
 references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
 author: Florian Roth (Nextron Systems)
-date: 2022/07/04
-modified: 2023/08/17
+date: 2022-07-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
index edae0b44863..366956027a5 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
@@ -5,10 +5,10 @@ description: Detects disabling Windows Defender PUA protection
 references:
 - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
 author: Austin Songer @austinsonger
-date: 2021/08/04
-modified: 2023/08/17
+date: 2021-08-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
index ab8b138eb5f..537d21a78e5 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
@@ -5,10 +5,10 @@ description: Detects disabling Windows Defender Tamper Protection
 references:
 - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
 author: Austin Songer @austinsonger
-date: 2021/08/04
-modified: 2023/08/17
+date: 2021-08-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
index 7f209fa3f23..241d0948a61 100644
--- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -5,10 +5,10 @@ description: Detect set DisallowRun to 1 to prevent user running specific comput
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
index ccc7551f5b6..ee6e8e4867c 100644
--- a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
@@ -12,8 +12,8 @@ references:
 - https://persistence-info.github.io/Data/diskcleanuphandler.html
 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
index 6e65496389d..ae806c898a4 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
@@ -11,10 +11,10 @@ references:
 - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
 - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
 author: Austin Songer
-date: 2021/07/22
-modified: 2023/08/17
+date: 2021-07-22
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1140
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
index 85c35451d0c..bf25982333a 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
@@ -11,10 +11,10 @@ references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
 author: Florian Roth (Nextron Systems)
-date: 2017/05/08
-modified: 2023/08/17
+date: 2017-05-08
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1574.002
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
index f125102ed94..b71ae4c380e 100644
--- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
@@ -18,10 +18,10 @@ references:
 - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
 - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/06/05
-modified: 2023/08/17
+date: 2020-06-05
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 - attack.t1562
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
index 82ad89b43d2..2570713f843 100644
--- a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
@@ -16,7 +16,7 @@ references:
 - https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
 - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
 author: Nischal Khadgi
-date: 2024/07/11
+date: 2024-07-11
 tags:
 - attack.persistence
 - attack.t1556
diff --git a/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml b/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml
index 190e3e1d967..42186441636 100644
--- a/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml
+++ b/rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml
@@ -7,7 +7,7 @@ description: |
 references:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/01
+date: 2024-07-01
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml b/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml
index f8efa5f921b..2091216de3e 100755
--- a/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml
+++ b/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml
@@ -14,7 +14,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
 - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
 author: Sajid Nawaz Khan
-date: 2024/06/02
+date: 2024-06-02
 tags:
 - attack.collection
 - attack.t1113
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
index 2877af3245d..cb85fb1f8e7 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
@@ -8,12 +8,12 @@ references:
 - https://www.sans.org/cyber-security-summit/archives
 - https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
 author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
-date: 2020/09/10
-modified: 2023/11/24
+date: 2020-09-10
+modified: 2023-11-24
 tags:
 - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1574.012
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
index 4357c02879a..d718e8560e8 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
@@ -5,10 +5,10 @@ description: Detects enabling TurnOffCheck which can be used to bypass defense o
 references:
 - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
-date: 2022/06/15
-modified: 2023/08/17
+date: 2022-06-15
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
index d5fa767e55f..cb1fcfb5be1 100644
--- a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
@@ -5,10 +5,10 @@ description: Detects tampering with EventLog service "file" key. In order to cha
 references:
 - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
 author: D3F7A5105
-date: 2023/01/02
-modified: 2023/08/17
+date: 2023-01-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
index ba3932f2c74..2adef7e9acf 100644
--- a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
+++ b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
@@ -5,10 +5,10 @@ description: Detects applications being added to the "allowed applications" list
 references:
 - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/05
-modified: 2023/08/17
+date: 2022-08-05
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
index a5e9ca1038a..f3ea04cf0b5 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/dottor_morte/status/1544652325570191361
 - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
 author: frack113
-date: 2022/07/17
-modified: 2022/12/30
+date: 2022-07-17
+modified: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
index d3d44b9c6c3..74ea732a0c3 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
@@ -6,10 +6,10 @@ references:
 - https://twitter.com/dottor_morte/status/1544652325570191361
 - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
 author: frack113
-date: 2022/07/17
-modified: 2022/12/30
+date: 2022-07-17
+modified: 2022-12-30
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
index 223526e6ed2..d2c844b4aaa 100644
--- a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
+++ b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
@@ -5,10 +5,10 @@ description: Detects the abuse of the exefile handler in new file association. U
 references:
 - https://twitter.com/mrd0x/status/1461041276514623491
 author: Andreas Hunkeler (@Karneades)
-date: 2021/11/19
-modified: 2023/08/17
+date: 2021-11-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
index 401a14e51bf..e16069030f0 100644
--- a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/wer_debugger.html
 - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
index 633e83856ca..6f342436c71 100644
--- a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/hhctrl.html
 - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
index ccee6a73c81..e991594e436 100644
--- a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
+++ b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
@@ -7,8 +7,8 @@ references:
 - https://unit42.paloaltonetworks.com/ransomware-families/
 - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
 author: frack113
-date: 2022/01/22
-modified: 2023/08/17
+date: 2022-01-22
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml
index 99a2c1ebf09..c861b98a596 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_file.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
 author: frack113
-date: 2022/04/02
-modified: 2024/03/26
+date: 2022-04-02
+modified: 2024-03-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
index 0cf0e73a454..f902886972b 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
@@ -5,10 +5,10 @@ description: Detects registry modifications that hide internal tools or function
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
 author: frack113
-date: 2022/03/18
-modified: 2023/08/17
+date: 2022-03-18
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
index 76c1c3232b6..a1b72c79a96 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
@@ -12,10 +12,10 @@ description: |
 references:
 - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/26
-modified: 2023/08/17
+date: 2022-08-26
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
index fcb619000b7..952af7f01b4 100644
--- a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
+++ b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
@@ -12,9 +12,9 @@ references:
 - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
 - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
 author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
-date: 2023/09/05
+date: 2023-09-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml
index 8d8b5e9469f..8ef3bc865f8 100644
--- a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml
@@ -11,9 +11,9 @@ description: |
 references:
 - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
 author: X__Junior (Nextron Systems)
-date: 2023/11/21
+date: 2023-11-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml
index 83f6c752e75..cdfa2e9b7b8 100644
--- a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml
@@ -11,9 +11,9 @@ description: |
 references:
 - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
 author: X__Junior (Nextron Systems)
-date: 2023/11/21
+date: 2023-11-21
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
index e0297e85699..a460c837baf 100644
--- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
+++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
 - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
 author: frack113
-date: 2022/04/04
-modified: 2023/08/17
+date: 2022-04-04
+modified: 2023-08-17
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
index 219d8230b36..8f0d08d4e71 100644
--- a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
+++ b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
@@ -8,10 +8,10 @@ references:
 - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
 - https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/16
-modified: 2023/08/17
+date: 2023-05-16
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml
index 9a8cb300b5a..fb1045a6441 100644
--- a/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml
+++ b/rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml
@@ -5,8 +5,8 @@ description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" reg
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
 author: frack113
-date: 2022/12/11
-modified: 2023/08/17
+date: 2022-12-11
+modified: 2023-08-17
 tags:
 - attack.impact
 - attack.t1491.001
diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
index a00b28cab11..24bc4ee297f 100644
--- a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
+++ b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
@@ -7,10 +7,10 @@ description: |
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
 author: frack113
-date: 2022/05/28
-modified: 2023/08/17
+date: 2022-05-28
+modified: 2023-08-17
 tags:
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1105
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index df75d08f2a6..db0023f6d26 100644
--- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -12,10 +12,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
 author: frack113
-date: 2023/01/13
-modified: 2023/12/15
+date: 2023-01-13
+modified: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
index 5ec29f14783..53a5860e568 100644
--- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
@@ -7,10 +7,10 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
 - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 author: '@pbssubhash'
-date: 2022/12/08
-modified: 2023/08/17
+date: 2022-12-08
+modified: 2023-08-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
index 2f8b0c8af9f..99c3642f9df 100644
--- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
@@ -8,8 +8,8 @@ description: Attempts to detect system changes made by Blue Mockingbird
 references:
 - https://redcanary.com/blog/blue-mockingbird-cryptominer/
 author: Trent Liffick (@tliffick)
-date: 2020/05/14
-modified: 2023/08/17
+date: 2020-05-14
+modified: 2023-08-17
 tags:
 - attack.execution
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
index bf347afaf4f..3df719ef0bf 100644
--- a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
+++ b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
@@ -8,10 +8,10 @@ description: |
 references:
 - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
 author: frack113
-date: 2022/11/18
-modified: 2023/08/17
+date: 2022-11-18
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
index f6fa8daf7c4..e19b5f7b8d3 100644
--- a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
@@ -12,7 +12,7 @@ references:
 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/11/28
+date: 2023-11-28
 tags:
 - attack.persistence
 - attack.t1546.007
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
index 61c0586bc77..58adbbad219 100644
--- a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
@@ -12,7 +12,7 @@ references:
 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
 author: Anish Bogati
-date: 2023/11/28
+date: 2023-11-28
 tags:
 - attack.persistence
 - attack.t1546.007
diff --git a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
index 45bf656ff73..2c78c7d2310 100644
--- a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
+++ b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/1
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2023/08/17
+date: 2020-05-02
+modified: 2023-08-17
 tags:
 - attack.execution
 - attack.t1204.002
diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
index 67adfa6bc60..93cc89fefa6 100644
--- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
+++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
@@ -9,10 +9,10 @@ references:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
 - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/23
-modified: 2023/08/17
+date: 2022-08-23
+modified: 2023-08-17
 tags:
- - attack.credential_access
+ - attack.credential-access
 - attack.t1003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml
index 5194a35d429..844b7568b2e 100644
--- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml
+++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml
@@ -5,8 +5,8 @@ description: Detects the registration of a new ODBC driver.
 references:
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/23
-modified: 2023/08/17
+date: 2023-05-23
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
index b40cb96248e..5f21200068c 100644
--- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
+++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
@@ -5,8 +5,8 @@ description: Detects the registration of a new ODBC driver where the driver is l
 references:
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/05/23
-modified: 2023/08/17
+date: 2023-05-23
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1003
diff --git a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
index 424a37a547a..bf362b6220e 100644
--- a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
@@ -2,7 +2,7 @@ title: Trust Access Disable For VBApplications
 id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
 related:
 - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
 references:
@@ -10,10 +10,10 @@ references:
 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
 - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/05/22
-modified: 2023/08/17
+date: 2020-05-22
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml b/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
index f0bc6a6a599..11379e15c93 100644
--- a/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
@@ -2,7 +2,7 @@ title: Microsoft Office Protected View Disabled
 id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
 related:
 - id: 7c637634-c95d-4bbf-b26c-a82510874b34
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
 references:
@@ -11,10 +11,10 @@ references:
 - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
 - https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2021/06/08
-modified: 2023/08/17
+date: 2021-06-08
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
index 5bf1c1e7305..efdb4df4c0c 100644
--- a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
@@ -5,8 +5,8 @@ description: Enable Dynamic Data Exchange protocol (DDE) in all supported editio
 references:
 - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
 author: frack113
-date: 2022/02/26
-modified: 2023/08/17
+date: 2022-02-26
+modified: 2023-08-17
 tags:
 - attack.execution
 - attack.t1559.002
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
index 919485c555e..9865487ee21 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
@@ -6,11 +6,11 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
 - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2021/04/05
-modified: 2023/08/17
+date: 2021-04-05
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1137
 - attack.t1008
 - attack.t1546
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
index 8924a5e4696..264e7acf1a5 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
@@ -6,11 +6,11 @@ references:
 - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
 author: '@ScoubiMtl'
-date: 2021/04/05
-modified: 2023/08/17
+date: 2021-04-05
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.command_and_control
+ - attack.command-and-control
 - attack.t1137
 - attack.t1008
 - attack.t1546
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
index cba1062f071..fa2a2c5d48e 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
@@ -11,10 +11,10 @@ references:
 - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/08
-modified: 2023/08/17
+date: 2023-02-08
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
index c93c12d5081..6c36fdfc892 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml
@@ -9,8 +9,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
 - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
 author: frack113
-date: 2021/12/28
-modified: 2023/08/17
+date: 2021-12-28
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
index ebcc2a7cb68..2ad8ad3f9a5 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/inversecos/status/1494174785621819397
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/21
-modified: 2023/08/17
+date: 2023-06-21
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
index c0f7b532125..a459bf57fc3 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
@@ -9,10 +9,10 @@ references:
 - Internal Research
 - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/06/21
-modified: 2023/09/29
+date: 2023-06-21
+modified: 2023-09-29
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
index bdf47246396..d9a2515c995 100644
--- a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
@@ -2,7 +2,7 @@ title: Office Macros Warning Disabled
 id: 91239011-fe3c-4b54-9f24-15c86bb65913
 related:
 - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
 references:
@@ -10,10 +10,10 @@ references:
 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
 - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-date: 2020/05/22
-modified: 2024/03/19
+date: 2020-05-22
+modified: 2024-03-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
index af6864318e7..cdd2cdc28ae 100644
--- a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
+++ b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
@@ -11,9 +11,9 @@ references:
 - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
 - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/19
+date: 2024-03-19
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1070.005
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
index a9bed453b32..1880756efb7 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
@@ -8,7 +8,7 @@ description: |
 references:
 - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/01/01
+date: 2024-01-01
 tags:
 - attack.persistence
 - attack.t1546.011
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
index 9348cc02430..3e047066a30 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml
@@ -10,8 +10,8 @@ references:
 - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
 - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/10
-modified: 2023/08/17
+date: 2022-08-10
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.012
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
index 4c7af534f55..e864f47692a 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
@@ -6,8 +6,8 @@ references:
 - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
 - https://github.com/rootm0s/WinPwnage
 author: frack113
-date: 2022/07/27
-modified: 2023/08/17
+date: 2022-07-27
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
index 9403fb0c822..c8af0fc53d3 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
@@ -6,8 +6,8 @@ references:
 - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
 - https://persistence-info.github.io/Data/autodialdll.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/10
-modified: 2023/08/17
+date: 2022-08-10
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml
index 63480e3104f..3eec5f091bf 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_chm.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_chm.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/htmlhelpauthor.html
 - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index e38b095a58e..2830d87e085 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -5,7 +5,7 @@ description: Detects potential COM object hijacking via modification of default
 references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/07/16
+date: 2024-07-16
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
index 078b977cbf8..024ff90f1e7 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml
@@ -8,8 +8,8 @@ references:
 - https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection
 - https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
 author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
-date: 2023/06/07
-modified: 2023/08/17
+date: 2023-06-07
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
index 5cd432a87bd..1d13b5b9929 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
@@ -5,10 +5,10 @@ description: Detects potential persistence activity via the registering of a new
 references:
 - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/05/30
-modified: 2023/05/12
+date: 2022-05-30
+modified: 2023-05-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml b/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
index a79a3148a8f..af4f7c8c2ff 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
@@ -8,11 +8,11 @@ references:
 - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
 - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/02/17
-modified: 2023/03/05
+date: 2023-02-17
+modified: 2023-03-05
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml b/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
index 4ed6fd8959c..baebcc278e8 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
@@ -2,19 +2,19 @@ title: Potential Persistence Via GlobalFlags
 id: 36803969-5421-41ec-b92f-8500f79c23b0
 related:
 - id: c81fe886-cac0-4913-a511-2822d72ff505
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 author: Karneades, Jonhnathan Ribeiro, Florian Roth
-date: 2018/04/11
-modified: 2023/06/05
+date: 2018-04-11
+modified: 2023-06-05
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1546.012
 - car.2013-01-002
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
index 70108639d40..7b3e46a5c64 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
 author: frack113
-date: 2022/01/22
-modified: 2023/08/17
+date: 2022-01-22
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml
index 82c205f8d24..2859ab5115e 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml
@@ -10,8 +10,8 @@ references:
 - https://github.com/gtworek/PSBits/tree/master/IFilter
 - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2024/03/26
+date: 2022-07-21
+modified: 2024-03-26
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml
index 26c034ce8ae..c9289a7d1ff 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml
@@ -8,8 +8,8 @@ references:
 - https://persistence-info.github.io/Data/lsaaextension.html
 - https://twitter.com/0gtweet/status/1476286368385019906
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
index 7155db954e0..c19c2acfe95 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/mpnotify.html
 - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
index 37ed60e828d..5175d1fd3ef 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
@@ -5,8 +5,8 @@ description: Detects modification to the "Default" value of the "MyComputer" key
 references:
 - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/09
-modified: 2024/01/11
+date: 2022-08-09
+modified: 2024-01-11
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
index 55b80796bd6..12dcbeddd1d 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
@@ -6,8 +6,8 @@ references:
 - https://persistence-info.github.io/Data/naturallanguage6.html
 - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
index f6a5ec1fce0..fd2950617e0 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/_vivami/status/1347925307643355138
 - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
-date: 2021/01/10
-modified: 2023/08/28
+date: 2021-01-10
+modified: 2023-08-28
 tags:
 - attack.t1137.006
 - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
index 5ed2b5ae1d4..d3bfa4b7dfb 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
@@ -12,8 +12,8 @@ references:
 - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
 - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
 author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
-date: 2021/06/09
-modified: 2024/08/07
+date: 2021-06-09
+modified: 2024-08-07
 tags:
 - attack.persistence
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
index 63489638474..045fc46882c 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
@@ -11,8 +11,8 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
 - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
 author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
-date: 2021/06/10
-modified: 2024/08/07
+date: 2021-06-10
+modified: 2024-08-07
 tags:
 - attack.persistence
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
index 0be6813dbf2..ea7048a8967 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
@@ -9,9 +9,9 @@ references:
 - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
 - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
 author: X__Junior
-date: 2023/05/18
+date: 2023-05-18
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
index 013622adfde..19605f38597 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml
@@ -5,8 +5,8 @@ description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 author: frack113
-date: 2022/08/20
-modified: 2023/08/17
+date: 2022-08-20
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
index 9f0efd19884..9168883524f 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
@@ -5,8 +5,8 @@ description: Detects potential COM object hijacking leveraging the COM Search Or
 references:
 - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
-date: 2020/04/14
-modified: 2023/09/28
+date: 2020-04-14
+modified: 2023-09-28
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
index a533eeae8b6..0090b5367d3 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
@@ -9,8 +9,8 @@ references:
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
 author: frack113
-date: 2021/12/30
-modified: 2023/08/17
+date: 2021-12-30
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.011
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
index b844fc617fa..18d5a0facdb 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
@@ -6,8 +6,8 @@ references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/01
-modified: 2023/12/06
+date: 2023-08-01
+modified: 2023-12-06
 tags:
 - attack.persistence
 - attack.t1546.011
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
index e5ee4a4eeeb..febab1a54fd 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
@@ -7,8 +7,8 @@ references:
 - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
 - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/08/01
-modified: 2023/08/17
+date: 2023-08-01
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.011
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
index dc1f06d839f..f4d472a8e83 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
@@ -6,8 +6,8 @@ references:
 - https://twitter.com/dez_/status/1560101453150257154
 - https://forensafe.com/blogs/typedpaths.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/22
-modified: 2023/08/17
+date: 2022-08-22
+modified: 2023-08-17
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_xll.yml b/rules/windows/registry/registry_set/registry_set_persistence_xll.yml
index d83a980835e..e8af311273b 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_xll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_xll.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
 - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
 author: frack113
-date: 2023/01/15
-modified: 2023/08/17
+date: 2023-01-15
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1137.006
diff --git a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
index 12a299fc4f1..36bcae54611 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
@@ -6,10 +6,10 @@ references:
 - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/08/17
+date: 2022-08-01
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
index 9df32c117f1..cca70c730a4 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
@@ -6,10 +6,10 @@ references:
 - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/01
-modified: 2023/08/17
+date: 2022-08-01
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
index 5e908ca13ed..f0950c99397 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
@@ -5,8 +5,8 @@ description: Detects that a powershell code is written to the registry as a serv
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
-date: 2020/10/06
-modified: 2023/08/17
+date: 2020-10-06
+modified: 2023-08-17
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
index 3a1e71bd1c1..d17f5d335a5 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
@@ -8,7 +8,7 @@ description: Detects the enabling of the PowerShell script execution policy. Onc
 references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
-date: 2023/10/18
+date: 2023-10-18
 tags:
 - attack.execution
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
index 7b887ab6506..b2ec4054504 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -12,10 +12,10 @@ description: Detects changes to the PowerShell execution policy in order to bypa
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/11
-modified: 2023/12/14
+date: 2023-01-11
+modified: 2023-12-14
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
index 6ed5827916f..21e3fc81c71 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
 author: frack113, Florian Roth (Nextron Systems)
-date: 2022/03/17
-modified: 2023/08/17
+date: 2022-03-17
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
index ebab3cb5a81..b86391a832f 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
@@ -5,10 +5,10 @@ description: Detects changes to the registry for the currently logged-in user. I
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
 author: frack113
-date: 2022/04/02
-modified: 2023/08/17
+date: 2022-04-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
index c59e88c8844..744dcee6a49 100644
--- a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
+++ b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
@@ -13,10 +13,10 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
 - https://twitter.com/0gtweet/status/1674399582162153472
 author: Swachchhanda Shrawan Poudel
-date: 2023/08/02
-modified: 2023/08/17
+date: 2023-08-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
index 7ab2871c752..eedd84d2b33 100644
--- a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
@@ -10,10 +10,10 @@ description: Detects non-sysinternals tools setting the "accepteula" key which n
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/24
-modified: 2023/08/17
+date: 2022-08-24
+modified: 2023-08-17
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
index fa0f016169e..6fa1557bebc 100644
--- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
@@ -5,10 +5,10 @@ description: Detects changes to the "ExtErrorInformation" key in order to disabl
 references:
 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/09
-modified: 2023/08/17
+date: 2022-12-09
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 - attack.t1562
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index 25dc01e4e00..198ffffda44 100644
--- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/pabraeken/status/998627081360695297
 - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
 author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
-date: 2022/05/04
-modified: 2023/08/17
+date: 2022-05-04
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218.011
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml
index 45fe8e74fc7..6ab23312f4a 100644
--- a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml
@@ -5,7 +5,7 @@ description: Detects potentially suspicious changes to the SentinelOne context m
 references:
 - https://mrd0x.com/sentinelone-persistence-via-menu-context/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2024/03/06
+date: 2024-03-06
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml
index 785781e7a26..b4ccf276412 100644
--- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml
+++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml
@@ -8,11 +8,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
 - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
 author: frack113
-date: 2022/02/04
-modified: 2024/04/03
+date: 2022-02-04
+modified: 2024-04-03
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1543.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
index 1b78e5b1d1d..e466ab1ad4c 100644
--- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -5,10 +5,10 @@ description: Detects changes to the "TracingDisabled" key in order to disable ET
 references:
 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/09
-modified: 2023/08/17
+date: 2022-12-09
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 - attack.t1562
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
index 1658eebba22..cdb33222ca3 100644
--- a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
@@ -5,10 +5,10 @@ description: Detects registry modifications that disable internal tools or funct
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
 author: frack113
-date: 2022/03/18
-modified: 2023/08/17
+date: 2022-03-18
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
index 1b5539655d7..67bb2f14587 100644
--- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
@@ -7,11 +7,11 @@ references:
 - https://github.com/gtworek/PSBits/tree/master/SIP
 - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/07/21
-modified: 2023/08/17
+date: 2022-07-21
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1553.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
index da9081de68a..c6a71beb755 100644
--- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
@@ -5,10 +5,10 @@ description: Detects tamper attempts to sophos av functionality via registry key
 references:
 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/02
-modified: 2023/08/17
+date: 2022-09-02
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
index e4ceacf627d..f9ed701d55c 100644
--- a/rules/windows/registry/registry_set/registry_set_special_accounts.yml
+++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
@@ -2,17 +2,17 @@ title: Hiding User Account Via SpecialAccounts Registry Key
 id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
 related:
 - id: 8a58209c-7ae6-4027-afb0-307a78e4589a
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
 author: Nasreddine Bencherchali (Nextron Systems), frack113
-date: 2022/07/12
-modified: 2023/01/26
+date: 2022-07-12
+modified: 2023-01-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
index fe1029069e9..75aa70f2c11 100644
--- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
@@ -5,10 +5,10 @@ description: Detect set Notification_Suppress to 1 to disable the Windows securi
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
-date: 2022/08/19
-modified: 2023/08/17
+date: 2022-08-19
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
index 2a19b695e9c..81998e0595f 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
@@ -6,10 +6,10 @@ references:
 - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
 - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
 author: Florian Roth (Nextron Systems)
-date: 2019/10/12
-modified: 2023/08/17
+date: 2019-10-12
+modified: 2023-08-17
 tags:
- - attack.resource_development
+ - attack.resource-development
 - attack.t1588.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index 8b9eac659ba..77fb0505996 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -10,10 +10,10 @@ references:
 - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
 - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
 author: frack113
-date: 2023/01/27
-modified: 2024/07/03
+date: 2023-01-27
+modified: 2024-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1036.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
index 0444c4c9968..a6f0d4deddd 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -5,12 +5,12 @@ description: Detects a suspicious printer driver installation with an empty Manu
 references:
 - https://twitter.com/SBousseaden/status/1410545674773467140
 author: Florian Roth (Nextron Systems)
-date: 2020/07/01
-modified: 2023/08/17
+date: 2020-07-01
+modified: 2023-08-17
 tags:
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1574
- - cve.2021.1675
+ - cve.2021-1675
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index 9360fd0afc4..daaf3cef5e5 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -5,8 +5,8 @@ description: Detects a possible persistence mechanism using RUN key for Windows
 references:
 - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
 author: Florian Roth (Nextron Systems), oscd.community
-date: 2018/07/18
-modified: 2023/12/11
+date: 2018-07-18
+modified: 2023-12-11
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index d4efbf7c6af..ef023e64ad4 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -5,8 +5,8 @@ description: Detects suspicious new RUN key element pointing to an executable in
 references:
 - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
-date: 2018/08/25
-modified: 2024/07/16
+date: 2018-08-25
+modified: 2024-07-16
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
index 8cc43b1e8a0..d8e81e3e3c7 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
@@ -7,11 +7,11 @@ description: |
 references:
 - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
-date: 2019/04/08
-modified: 2023/08/17
+date: 2019-04-08
+modified: 2023-08-17
 tags:
 - attack.t1562.001
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
index e5bf14bd728..0de2f0ab74d 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
@@ -5,11 +5,11 @@ description: Detect modification of the startup key to a path where a payload co
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
 author: frack113
-date: 2022/10/01
-modified: 2023/08/17
+date: 2022-10-01
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1547.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
index e6deae463e9..e28e40d7b70 100644
--- a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
+++ b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
@@ -5,10 +5,10 @@ description: Detects the creation of user-specific or system-wide environment va
 references:
 - https://infosec.exchange/@sbousseaden/109542254124022664
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/12/20
-modified: 2023/08/17
+date: 2022-12-20
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
index 72a748c8d16..aecb6d1c2e2 100644
--- a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
+++ b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
@@ -12,9 +12,9 @@ references:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
 - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/12/15
+date: 2023-12-15
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
index 9a0e400605c..f9c39557fd0 100644
--- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
+++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
@@ -6,8 +6,8 @@ references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://labs.f-secure.com/blog/scheduled-task-tampering/
 author: Syed Hasan (@syedhasan009)
-date: 2021/06/18
-modified: 2023/08/17
+date: 2021-06-18
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1053
diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
index af6c27bd79e..c251bd1a849 100644
--- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
@@ -2,7 +2,7 @@ title: Potential Registry Persistence Attempt Via Windows Telemetry
 id: 73a883d0-0348-4be4-a8d8-51031c2564f8
 related:
 - id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
- type: obsoletes
+ type: obsolete
 status: test
 description: |
 Detects potential persistence behavior using the windows telemetry registry key.
@@ -12,8 +12,8 @@ description: |
 references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
 author: Lednyov Alexey, oscd.community, Sreeman
-date: 2020/10/16
-modified: 2023/08/17
+date: 2020-10-16
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1053.005
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
index b1ad77fb237..8b60903e662 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
@@ -16,10 +16,10 @@ references:
 - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
 - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
 author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-date: 2022/09/29
-modified: 2022/11/26
+date: 2022-09-29
+modified: 2022-11-26
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
index e2130531b91..59d36524f78 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
@@ -2,9 +2,9 @@ title: RDP Sensitive Settings Changed
 id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
 related:
 - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
- type: obsoletes
+ type: obsolete
 - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
- type: obsoletes
+ type: obsolete
 - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
 type: similar
 status: test
@@ -23,10 +23,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
 - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
 author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-date: 2022/08/06
-modified: 2024/02/08
+date: 2022-08-06
+modified: 2024-02-08
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
index 9f68d3f7914..9e4e6b7c425 100644
--- a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
+++ b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
@@ -8,11 +8,11 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
 author: frack113
-date: 2022/06/19
-modified: 2024/03/26
+date: 2022-06-19
+modified: 2024-03-26
 tags:
 - attack.persistence
- - attack.privilege_escalation
+ - attack.privilege-escalation
 - attack.t1547.003
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
index a558027d01d..fea51da0fa8 100644
--- a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
@@ -5,9 +5,9 @@ description: Detects applications or users re-enabling old TLS versions by setti
 references:
 - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/09/05
+date: 2023-09-05
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
index 6cbb89226a4..07b0def0069 100644
--- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
@@ -6,8 +6,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
 author: frack113
-date: 2022/08/28
-modified: 2023/08/17
+date: 2022-08-28
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
index a02443607a7..2939bc7a54b 100644
--- a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
+++ b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
@@ -9,10 +9,10 @@ references:
 - https://twitter.com/malmoeb/status/1560536653709598721
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/01/12
-modified: 2023/08/17
+date: 2023-01-12
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
index e57b719f791..9bbbdeed403 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
@@ -6,11 +6,11 @@ references:
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
 author: Florian Roth (Nextron Systems)
-date: 2017/03/19
-modified: 2023/09/28
+date: 2017-03-19
+modified: 2023-09-28
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - car.2019-04-001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
index f7bdc8b8567..947763b3aee 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
@@ -6,11 +6,11 @@ references:
 - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
 - https://github.com/hfiref0x/UACME
 author: Omer Yampel, Christian Burkard (Nextron Systems)
-date: 2017/03/17
-modified: 2023/08/17
+date: 2017-03-17
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 - car.2019-04-001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
index 2998c77162e..3ee9a26d290 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using a path parsing issue in win
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/30
-modified: 2023/08/17
+date: 2021-08-30
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
index 9427fadcf9d..d3deb306436 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
@@ -5,11 +5,11 @@ description: Detects the pattern of UAC Bypass using Windows Media Player osksup
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
-date: 2021/08/23
-modified: 2023/08/17
+date: 2021-08-23
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
+ - attack.defense-evasion
+ - attack.privilege-escalation
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable.yml b/rules/windows/registry/registry_set/registry_set_uac_disable.yml
index 00b2609e377..568dd6b0093 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_disable.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_disable.yml
@@ -11,11 +11,11 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
 author: frack113
-date: 2022/01/05
-modified: 2024/05/10
+date: 2022-01-05
+modified: 2024-05-10
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
index a03d96d232d..f909085e397 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
@@ -14,10 +14,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
 - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
index 33007656a73..cbb253d4fa0 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
@@ -13,10 +13,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
 author: frack113
-date: 2024/05/10
+date: 2024-05-10
 tags:
- - attack.privilege_escalation
- - attack.defense_evasion
+ - attack.privilege-escalation
+ - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
index 7d69e14ef76..52aeb3c5dc6 100644
--- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
+++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
@@ -5,8 +5,8 @@ description: Detects VBScript content stored into registry keys as seen being us
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 author: Florian Roth (Nextron Systems)
-date: 2021/03/05
-modified: 2023/08/17
+date: 2021-03-05
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
index 489caf7f28e..803ea44bc0f 100644
--- a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
@@ -7,10 +7,10 @@ references:
 - https://twitter.com/Hexacorn/status/991447379864932352
 - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
 author: oscd.community, Natalia Shornikova
-date: 2020/10/13
-modified: 2023/08/17
+date: 2020-10-13
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1218
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
index f7ff9019e47..7781c7f092b 100644
--- a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
+++ b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
@@ -7,10 +7,10 @@ references:
 - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
 - https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2019/09/12
-modified: 2023/08/17
+date: 2019-09-12
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
index 545fb2e9b45..4c1ac1db187 100644
--- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
@@ -2,9 +2,9 @@ title: Disable Windows Defender Functionalities Via Registry Keys
 id: 0eb46774-f1ab-4a74-8238-1155855f2263
 related:
 - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
- type: obsoletes
+ type: obsolete
 - id: fd115e64-97c7-491f-951c-fc8da7e042fa
- type: obsoletes
+ type: obsolete
 status: test
 description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
 references:
@@ -16,10 +16,10 @@ references:
 - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
 - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
 author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
-date: 2022/08/01
-modified: 2024/07/03
+date: 2022-08-01
+modified: 2024-07-03
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1562.001
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
index 22d667fe9ef..41834b28a75 100644
--- a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/17
-modified: 2023/08/17
+date: 2023-04-17
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml
index 56aedbcd7d2..68035abbf16 100644
--- a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml
+++ b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml
@@ -5,10 +5,10 @@ description: Detects changes to the AppInstaller (winget) policy. Specifically t
 references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2023/04/17
-modified: 2023/08/17
+date: 2023-04-17
+modified: 2023-08-17
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.persistence
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
index 2434a5aa43c..4d054935dd2 100644
--- a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
@@ -8,11 +8,11 @@ description: |
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2023/08/17
+date: 2022-09-09
+modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
index 926c99621b6..f37acde0327 100644
--- a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
@@ -7,8 +7,8 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
 author: frack113
-date: 2021/12/30
-modified: 2023/08/17
+date: 2021-12-30
+modified: 2023-08-17
 tags:
 - attack.persistence
 - attack.t1547.004
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
index f8101ba4676..5e190f95b61 100644
--- a/rules/windows/sysmon/sysmon_config_modification.yml
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
@@ -5,9 +5,9 @@ description: Detects a Sysmon configuration change, which could be the result of
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 author: frack113
-date: 2022/01/12
+date: 2022-01-12
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml
index 4ae36165807..e82d37bfe96 100644
--- a/rules/windows/sysmon/sysmon_config_modification_error.yml
+++ b/rules/windows/sysmon/sysmon_config_modification_error.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
 author: frack113
-date: 2021/06/04
-modified: 2022/07/07
+date: 2021-06-04
+modified: 2022-07-07
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_config_modification_status.yml b/rules/windows/sysmon/sysmon_config_modification_status.yml
index aabad87fbf7..4b0de59e864 100644
--- a/rules/windows/sysmon/sysmon_config_modification_status.yml
+++ b/rules/windows/sysmon/sysmon_config_modification_status.yml
@@ -6,10 +6,10 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
 author: frack113
-date: 2021/06/04
-modified: 2022/08/02
+date: 2021-06-04
+modified: 2022-08-02
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 - attack.t1564
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_file_block_executable.yml b/rules/windows/sysmon/sysmon_file_block_executable.yml
index 0768df81a14..44b06396f18 100644
--- a/rules/windows/sysmon/sysmon_file_block_executable.yml
+++ b/rules/windows/sysmon/sysmon_file_block_executable.yml
@@ -5,10 +5,10 @@ description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates
 references:
 - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
 author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/08/16
-modified: 2023/09/16
+date: 2022-08-16
+modified: 2023-09-16
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_file_block_shredding.yml b/rules/windows/sysmon/sysmon_file_block_shredding.yml
index 65d8823c85f..52b01cba324 100644
--- a/rules/windows/sysmon/sysmon_file_block_shredding.yml
+++ b/rules/windows/sysmon/sysmon_file_block_shredding.yml
@@ -5,9 +5,9 @@ description: Triggers on any Sysmon "FileBlockShredding" event, which indicates
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 author: frack113
-date: 2023/07/20
+date: 2023-07-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_file_executable_detected.yml b/rules/windows/sysmon/sysmon_file_executable_detected.yml
index 3d42f54130d..7263bc3b484 100644
--- a/rules/windows/sysmon/sysmon_file_executable_detected.yml
+++ b/rules/windows/sysmon/sysmon_file_executable_detected.yml
@@ -6,9 +6,9 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 - https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
 author: frack113
-date: 2023/07/20
+date: 2023-07-20
 tags:
- - attack.defense_evasion
+ - attack.defense-evasion
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
index f49f503e833..173f03817e4 100644
--- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml
@@ -7,8 +7,8 @@ references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
 author: Tom Ueltschi (@c_APT_ure)
-date: 2019/01/12
-modified: 2021/11/27
+date: 2019-01-12
+modified: 2021-11-27
 tags:
 - attack.persistence
 - attack.t1546.003
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
index 6d8b3d5588e..7bea92992e3 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml
@@ -5,8 +5,8 @@ description: Detects suspicious encoded payloads in WMI Event Consumers
 references:
 - https://github.com/RiccardoAncarani/LiquidSnake
 author: Florian Roth (Nextron Systems)
-date: 2021/09/01
-modified: 2022/10/09
+date: 2021-09-01
+modified: 2022-10-09
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
index 23dfd17be25..2c9e0152bee 100644
--- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
@@ -7,8 +7,8 @@ references:
 - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19
 - https://github.com/RiccardoAncarani/LiquidSnake
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
-date: 2019/04/15
-modified: 2023/09/09
+date: 2019-04-15
+modified: 2023-09-09
 tags:
 - attack.execution
 - attack.t1059.005
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 07cb11a25bf..25c1014e298 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -1257,7 +1257,6 @@ def check_item_for_bad_escapes(item): faulty_rules, [], Fore.RED + "There are rules using illegal re-escapes" ) - # def test_confirm_extension_is_yml(self): # files_with_incorrect_extensions = [] @@ -1411,7 +1410,7 @@ def check_item_for_bad_escapes(item): # faulty_rules, # [], # Fore.RED - # + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019/01/14)", + # + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019-01-14)", # ) # sigma-cli error and validator status_existence status_unsupported @@ -1654,7 +1653,7 @@ def check_item_for_bad_escapes(item): # Fore.RED # + "There are rules with unknown value modifiers. Most often it is just a typo.", # ) - + # sigma error and validator attacktag,cartag,cvetag,detection_tag,stptag,tlptag # def test_optional_tags(self): # files_with_incorrect_tags = [] @@ -1783,7 +1782,7 @@ def check_item_for_bad_escapes(item): # faulty_rules, # [], # Fore.RED - # + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)", + # + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019-01-14)", # ) # sigma validators description_existence description_length @@ -1895,7 +1894,6 @@ def check_item_for_bad_escapes(item): # + "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)", # ) - # sigma error # # Upgrade Detection Rule License 1.1 # def test_optional_author(self): diff --git a/tests/thor.yml b/tests/thor.yml index 40525a1d5c9..4c4f97f1b22 100644 --- a/tests/thor.yml +++ b/tests/thor.yml @@ -478,7 +478,7 @@ logsources: - 'WinEventLog:OpenSSH/Operational' windows-ldap-debug: product: windows - service: ldap_debug + service: ldap sources: - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug' windows-bitlocker: 
@@ -558,6 +558,12 @@ logsources: service: sense sources: - 'WinEventLog:Microsoft-Windows-SENSE/Operational' + windows-servicebus: + product: windows + service: servicebus-client + sources: + - 'WinEventLog:Microsoft-ServiceBus-Client/Admin' + - 'WinEventLog:Microsoft-ServiceBus-Client/Operational' apache: category: webserver sources: diff --git a/tests/validate-sigma-schema/sigma-schema.json b/tests/validate-sigma-schema/sigma-schema.json index 3faeeeae9a8..49dccd1ab66 100644 --- a/tests/validate-sigma-schema/sigma-schema.json +++ b/tests/validate-sigma-schema/sigma-schema.json @@ -1,6 +1,6 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Sigma rule specification V1.0.4 (2023/06/29)", + "$schema": "https://json-schema.org/draft/2020-12/schema#", + "title": "Sigma rule specification V2.0.0 (2024-08-08)", "type": "object", "required": ["title", "logsource", "detection"], "properties": { @@ -34,7 +34,7 @@ "description": "The rule was derived from the referred rule or rules, which may remain active" }, { - "const": "obsoletes", + "const": "obsolete", "description": "The rule obsoletes the referred rule or rules, which aren't used anymore" }, { @@ -54,6 +54,16 @@ } } }, + "name": { + "type": "string", + "maxLength": 256, + "description": "a unique human-readable name that can be used instead of the id as a reference in correlation rules" + }, + "taxonomy":{ + "type": "string", + "maxLength": 256, + "description": "Defines the taxonomy used in the Sigma rule" + }, "status": { "type": "string", "oneOf": [ 
@@ -102,13 +112,13 @@ }, "date": { "type": "string", - "description": "Creation date of the rule. Use the format YYYY/MM/DD", - "pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$" + "description": "Creation date of the rule. Use the ISO 8601 format YYYY-MM-DD", + "pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$" }, "modified": { "type": "string", - "description": "Last modification date of the rule. Use the format YYYY/MM/DD", - "pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$" + "description": "Last modification date of the rule. Use the ISO 8601 format YYYY-MM-DD", + "pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$" }, "logsource": { "type": "object", @@ -125,6 +135,10 @@ "service": { "description": "A subset of a product's logs, like sshd", "type": "string" + }, + "definition":{ + "description": "can be used to describe the log source", + "type": "string" } } }, @@ -228,6 +242,14 @@ "type": "string", "pattern": "^[a-z0-9_-]+\\.[a-z0-9._-]+$" } + }, + "scope":{ + "description": "A list of intended scope of the rule", + "type": "array", + "items": { + "type": "string", + "minLength": 2 + } } } -} \ No newline at end of file +} From 4c017020dd238064536bc15b13f2f7e99eaf0494 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 12 Aug 2024 12:04:30 +0200 Subject: [PATCH 022/144] Merge PR #4956 from @frack113 - Update `promote_rules_status` script to use the native `datetime.date` chore: workflow - update `promote_rules_status` script to use the native `datetime.date` --- tests/promote_rules_status.py | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/tests/promote_rules_status.py b/tests/promote_rules_status.py index ca8b1a537cf..ecba567e55b 100644 --- a/tests/promote_rules_status.py +++ b/tests/promote_rules_status.py 
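Review bot: The new `date` and `modified` entries keep `"type": "string"` while the rule files changed in this same series now write the value unquoted as `date: 2022-08-16`; a YAML 1.1 loader such as PyYAML resolves that token to a `datetime.date`, not a string, so if the validator hands `yaml.safe_load` output straight to a JSON-schema checker every rule fails the `type` check (the old `YYYY/MM/DD` form was never auto-typed, which is why the previous pattern worked). Either the validation script should stringify date objects before validating (`value.isoformat()`), or it should load with a resolver that leaves timestamps as strings; in both cases a short comment next to the `pattern` saying that the loader must keep dates as strings would stop the mismatch from being re-introduced. I cannot see the validation script from this diff, so confirm which loader it uses before merging.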
@@ -8,10 +8,11 @@
"rules-threat-hunting",
"rules-compliance",
]
+nb_days = 300
def get_rules_to_promote():
- today = datetime.today().strftime("%Y/%m/%d")
+ today = datetime.now().date()
rules_to_promote = []
rule_paths = SigmaCollection.resolve_paths(path_to_rules)
@@ -21,12 +22,8 @@ def get_rules_to_promote():
last_update = (
sigmaHQrule.modified if sigmaHQrule.modified else sigmaHQrule.date
)
- last_update = last_update.strftime("%Y/%m/%d")
- difference = (
- datetime.strptime(today, "%Y/%m/%d")
- - datetime.strptime(last_update, "%Y/%m/%d")
- ).days
- if difference >= 300:
+ difference = (today - last_update).days
+ if difference >= nb_days:
rules_to_promote.append(sigmaHQrule.source.path)
return rules_to_promote
From 760597da11cd5cfde39b64de06efa8175e98ce7a Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 12 Aug 2024 12:09:18 +0200
Subject: [PATCH 023/144] Merge PR #4923 from frack113 - Update `test_rules.py` to remove the tests covered by `pySigma-validators-sigmahq` v0.7.0
chore: Update `test_rules.py` to remove the tests covered by `pySigma-validators-sigmahq` v0.7.0
---
tests/test_rules.py | 480 ++++++++++++++++++++++----------------
1 file changed, 243 insertions(+), 237 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 25c1014e298..a34a361254b 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
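Review bot: In the second hunk `difference = (today - last_update).days` raises `TypeError` when a rule carries neither `modified` nor `date`, because the preceding expression then leaves `last_update` as `None`; the removed `strftime` path failed the same way, but now that this is a plain subtraction a guard such as `if last_update is None: continue` placed before it keeps one malformed rule from aborting the whole promotion run (if pySigma already rejects such rules at load time, a one-line comment saying so is enough). `nb_days = 300` is a module-level constant, so `NB_DAYS` per PEP 8 would signal that it is not meant to be reassigned. `datetime.now().date()` is the runner's local date; if `date` is imported, `date.today()` is the direct equivalent, and either way the 300-day cutoff can shift by a day depending on the CI timezone, which is worth a comment. The loop body the second hunk edits begins outside it.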
@@ -107,110 +107,113 @@ def test_legal_trademark_violations(self): + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues", ) - def test_look_for_duplicate_filters(self): - def check_list_or_recurse_on_dict(item, depth: int, special: bool) -> None: - if type(item) == list: - check_if_list_contain_duplicates(item, depth, special) - elif type(item) == dict and depth <= MAX_DEPTH: - for keys, sub_item in item.items(): - if ( - "|base64" in keys or "|re" in keys - ): # Covers both "base64" and "base64offset" modifiers, and "re" modifier - check_list_or_recurse_on_dict(sub_item, depth + 1, True) - else: - check_list_or_recurse_on_dict(sub_item, depth + 1, special) - - def check_if_list_contain_duplicates( - item: list, depth: int, special: bool - ) -> None: - try: - # We use a list comprehension to convert all the element to lowercase. Since we don't care about casing in SIGMA except for the following modifiers - # - "base64offset" - # - "base64" - # - "re" - if special: - item_ = item - else: - item_ = [i.lower() for i in item] - if len(item_) != len(set(item_)): - # We find the duplicates and then print them to the user - duplicates = [ - i - for i, count in collections.Counter(item_).items() - if count > 1 - ] - print( - Fore.RED - + "Rule {} has duplicate filters {}".format(file, duplicates) - ) - files_with_duplicate_filters.append(file) - except: - # unhashable types like dictionaries - for sub_item in item: - if type(sub_item) == dict and depth <= MAX_DEPTH: - check_list_or_recurse_on_dict(sub_item, depth + 1, special) + # sigma cli SigmahqFieldDuplicateValueIssue + # def test_look_for_duplicate_filters(self): + # def check_list_or_recurse_on_dict(item, depth: int, special: bool) -> None: + # if type(item) == list: + # check_if_list_contain_duplicates(item, depth, special) + # elif type(item) == dict and depth <= MAX_DEPTH: + # for keys, 
sub_item in item.items(): + # if ( + # "|base64" in keys or "|re" in keys + # ): # Covers both "base64" and "base64offset" modifiers, and "re" modifier + # check_list_or_recurse_on_dict(sub_item, depth + 1, True) + # else: + # check_list_or_recurse_on_dict(sub_item, depth + 1, special) + + # def check_if_list_contain_duplicates( + # item: list, depth: int, special: bool + # ) -> None: + # try: + # # We use a list comprehension to convert all the element to lowercase. Since we don't care about casing in SIGMA except for the following modifiers + # # - "base64offset" + # # - "base64" + # # - "re" + # if special: + # item_ = item + # else: + # item_ = [i.lower() for i in item] + # if len(item_) != len(set(item_)): + # # We find the duplicates and then print them to the user + # duplicates = [ + # i + # for i, count in collections.Counter(item_).items() + # if count > 1 + # ] + # print( + # Fore.RED + # + "Rule {} has duplicate filters {}".format(file, duplicates) + # ) + # files_with_duplicate_filters.append(file) + # except: + # # unhashable types like dictionaries + # for sub_item in item: + # if type(sub_item) == dict and depth <= MAX_DEPTH: + # check_list_or_recurse_on_dict(sub_item, depth + 1, special) - MAX_DEPTH = 3 - files_with_duplicate_filters = [] + # MAX_DEPTH = 3 + # files_with_duplicate_filters = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") - check_list_or_recurse_on_dict(detection, 1, False) + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # detection = self.get_rule_part(file_path=file, part_name="detection") + # check_list_or_recurse_on_dict(detection, 1, False) - self.assertEqual( - files_with_duplicate_filters, - [], - Fore.RED + "There are rules with duplicate filters", - ) + # self.assertEqual( + # files_with_duplicate_filters, + # [], + # Fore.RED + "There are rules with duplicate filters", + # ) - def 
test_field_name_with_space(self): - def key_iterator(fields, faulty): - for key, value in fields.items(): - if " " in key: - faulty.append(key) - print( - Fore.YELLOW - + "Rule {} has a space in field name ({}).".format(file, key) - ) - if type(value) == dict: - key_iterator(value, faulty) + #sigma cli SigmahqFieldWithSpaceIssue + # def test_field_name_with_space(self): + # def key_iterator(fields, faulty): + # for key, value in fields.items(): + # if " " in key: + # faulty.append(key) + # print( + # Fore.YELLOW + # + "Rule {} has a space in field name ({}).".format(file, key) + # ) + # if type(value) == dict: + # key_iterator(value, faulty) - faulty_fieldnames = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") - key_iterator(detection, faulty_fieldnames) + # faulty_fieldnames = [] + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # detection = self.get_rule_part(file_path=file, part_name="detection") + # key_iterator(detection, faulty_fieldnames) - self.assertEqual( - faulty_fieldnames, - [], - Fore.RED - + "There are rules with an unsupported field name. Spaces are not allowed. (Replace space with an underscore character '_' )", - ) + # self.assertEqual( + # faulty_fieldnames, + # [], + # Fore.RED + # + "There are rules with an unsupported field name. Spaces are not allowed. 
(Replace space with an underscore character '_' )", + # ) - def test_single_named_condition_with_x_of_them(self): - faulty_detections = [] + #sigma cli AllOfThemConditionIssue + # def test_single_named_condition_with_x_of_them(self): + # faulty_detections = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - yaml = self.get_rule_yaml(file_path=file) - detection = self.get_rule_part(file_path=file, part_name="detection") + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # yaml = self.get_rule_yaml(file_path=file) + # detection = self.get_rule_part(file_path=file, part_name="detection") - has_them_in_condition = "them" in detection["condition"] - has_only_one_named_condition = len(detection) == 2 - not_multipart_yaml_file = len(yaml) == 1 + # has_them_in_condition = "them" in detection["condition"] + # has_only_one_named_condition = len(detection) == 2 + # not_multipart_yaml_file = len(yaml) == 1 - if ( - has_them_in_condition - and has_only_one_named_condition - and not_multipart_yaml_file - ): - faulty_detections.append(file) + # if ( + # has_them_in_condition + # and has_only_one_named_condition + # and not_multipart_yaml_file + # ): + # faulty_detections.append(file) - self.assertEqual( - faulty_detections, - [], - Fore.RED - + "There are rules using '1/all of them' style conditions but only have one condition", - ) + # self.assertEqual( + # faulty_detections, + # [], + # Fore.RED + # + "There are rules using '1/all of them' style conditions but only have one condition", + # ) def test_duplicate_detections(self): def compare_detections(detection1: dict, detection2: dict) -> bool: 
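Review bot: The hunk leaves roughly a hundred lines of commented-out test code in place instead of deleting it; git history already preserves the old checks, and the replacement markers (`# sigma cli SigmahqFieldDuplicateValueIssue`, `#sigma cli SigmahqFieldWithSpaceIssue`, `#sigma cli AllOfThemConditionIssue`) are what a reader actually needs, so consider removing the dead bodies and keeping one pointer line per test. Those markers should at least use one consistent form, `# sigma cli <IssueName>` with a space after `#`, since two of the three here omit it. The commit message says these checks are now covered by `pySigma-validators-sigmahq` v0.7.0, but nothing in the hunk shows where that version is pinned; confirm the CI requirements pin `>=0.7.0` and that the validators run over the same rule directories this file iterates, otherwise the duplicate-filter, field-space and `x of them` checks silently stop running. The test class these methods belong to starts before the hunk and continues after it.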
@@ -733,79 +736,80 @@ def test_file_names(self): + r"There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,90}\.yml\' and it has to contain at least an underline character. It also has to follow the following naming convention https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/Sigmahq_filename_rule.md", ) - def test_title(self): - faulty_rules = [] - allowed_lowercase_words = [ - "the", - "for", - "in", - "with", - "via", - "on", - "to", - "without", - "of", - "through", - "from", - "by", - "as", - "a", - "or", - "at", - "and", - "an", - "over", - "new", - ] - for file in self.yield_next_rule_file_path(self.path_to_rules): - title = self.get_rule_part(file_path=file, part_name="title") - if not title: - print(Fore.RED + "Rule {} has no field 'title'.".format(file)) - faulty_rules.append(file) - continue - elif len(title) > 110: - print( - Fore.YELLOW - + "Rule {} has a title field with too many characters (>110)".format( - file - ) - ) - faulty_rules.append(file) - if title.startswith("Detects "): - print( - Fore.RED - + "Rule {} has a title that starts with 'Detects'".format(file) - ) - faulty_rules.append(file) - if title.endswith("."): - print(Fore.RED + "Rule {} has a title that ends with '.'".format(file)) - faulty_rules.append(file) - wrong_casing = [] - for word in title.split(" "): - if ( - word.islower() - and not word.lower() in allowed_lowercase_words - and not "." in word - and not "/" in word - and not "_" in word - and not word[0].isdigit() - ): - wrong_casing.append(word) - if len(wrong_casing) > 0: - print( - Fore.RED - + "Rule {} has a title that has not title capitalization. 
Words: '{}'".format( - file, ", ".join(wrong_casing) - ) - ) - faulty_rules.append(file) + # sigma cli sigmahq_title_caseIssue, sigmahq_title_endIssue, sigmahq_title_lengthIssue, sigmahq_title_startIssue + # def test_title(self): + # faulty_rules = [] + # allowed_lowercase_words = [ + # "the", + # "for", + # "in", + # "with", + # "via", + # "on", + # "to", + # "without", + # "of", + # "through", + # "from", + # "by", + # "as", + # "a", + # "or", + # "at", + # "and", + # "an", + # "over", + # "new", + # ] + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # title = self.get_rule_part(file_path=file, part_name="title") + # if not title: + # print(Fore.RED + "Rule {} has no field 'title'.".format(file)) + # faulty_rules.append(file) + # continue + # elif len(title) > 110: + # print( + # Fore.YELLOW + # + "Rule {} has a title field with too many characters (>110)".format( + # file + # ) + # ) + # faulty_rules.append(file) + # if title.startswith("Detects "): + # print( + # Fore.RED + # + "Rule {} has a title that starts with 'Detects'".format(file) + # ) + # faulty_rules.append(file) + # if title.endswith("."): + # print(Fore.RED + "Rule {} has a title that ends with '.'".format(file)) + # faulty_rules.append(file) + # wrong_casing = [] + # for word in title.split(" "): + # if ( + # word.islower() + # and not word.lower() in allowed_lowercase_words + # and not "." in word + # and not "/" in word + # and not "_" in word + # and not word[0].isdigit() + # ): + # wrong_casing.append(word) + # if len(wrong_casing) > 0: + # print( + # Fore.RED + # + "Rule {} has a title that has not title capitalization. Words: '{}'".format( + # file, ", ".join(wrong_casing) + # ) + # ) + # faulty_rules.append(file) - self.assertEqual( - faulty_rules, - [], - Fore.RED - + "There are rules with non-conform 'title' fields. 
Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title", - ) + # self.assertEqual( + # faulty_rules, + # [], + # Fore.RED + # + "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title", + # ) def test_title_in_first_line(self): faulty_rules = [] 
@@ -899,46 +903,47 @@ def treat_dict(file, values, valid_, selection_name): Fore.RED + "There are rules using list with only 1 element", ) - def test_selection_start_or_and(self): - faulty_rules = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") - if detection: - # This test is a best effort to avoid breaking SIGMAC parser. You could do more testing and try to fix this once and for all by modifiying the token regular expressions https://github.com/SigmaHQ/sigma/blob/b9ae5303f12cda8eb6b5b90a32fd7f11ad65645d/tools/sigma/parser/condition.py#L107-L127 - for key in detection: - if key[:3].lower() == "sel": - continue - elif key[:2].lower() == "or": - print( - Fore.RED - + "Rule {} has a selection '{}' that starts with the string 'or'".format( - file, key - ) - ) - faulty_rules.append(file) - elif key[:3].lower() == "and": - print( - Fore.RED - + "Rule {} has a selection '{}' that starts with the string 'and'".format( - file, key - ) - ) - faulty_rules.append(file) - elif key[:3].lower() == "not": - print( - Fore.RED - + "Rule {} has a selection '{}' that starts with the string 'not'".format( - file, key - ) - ) - faulty_rules.append(file) + # simga cli SigmahqSigmacIssue + # def test_selection_start_or_and(self): + # faulty_rules = [] + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # detection = self.get_rule_part(file_path=file, part_name="detection") + # if detection: + # # This test is a best effort to avoid breaking SIGMAC parser. 
You could do more testing and try to fix this once and for all by modifiying the token regular expressions https://github.com/SigmaHQ/sigma/blob/b9ae5303f12cda8eb6b5b90a32fd7f11ad65645d/tools/sigma/parser/condition.py#L107-L127 + # for key in detection: + # if key[:3].lower() == "sel": + # continue + # elif key[:2].lower() == "or": + # print( + # Fore.RED + # + "Rule {} has a selection '{}' that starts with the string 'or'".format( + # file, key + # ) + # ) + # faulty_rules.append(file) + # elif key[:3].lower() == "and": + # print( + # Fore.RED + # + "Rule {} has a selection '{}' that starts with the string 'and'".format( + # file, key + # ) + # ) + # faulty_rules.append(file) + # elif key[:3].lower() == "not": + # print( + # Fore.RED + # + "Rule {} has a selection '{}' that starts with the string 'not'".format( + # file, key + # ) + # ) + # faulty_rules.append(file) - self.assertEqual( - faulty_rules, - [], - Fore.RED - + "There are rules with bad selection names. Can't start a selection name with an 'or*' or an 'and*' or a 'not*' ", - ) + # self.assertEqual( + # faulty_rules, + # [], + # Fore.RED + # + "There are rules with bad selection names. Can't start a selection name with an 'or*' or an 'and*' or a 'not*' ", + # ) # sigma validator dangling_detection # def test_unused_selection(self): 
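Review bot: The new marker line `# simga cli SigmahqSigmacIssue` has a typo (`simga` → `sigma`) and should follow the `# sigma cli <IssueName>` form used for the other disabled tests in this file: `# sigma cli SigmahqSigmacIssue`. The old test's own comment explained that the restriction existed to avoid breaking the legacy sigmac parser; if the pySigma validator enforces the same naming rule, a few words to that effect in the marker would tell a reader the constraint moved rather than disappeared. The enclosing test class continues outside the hunk.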
@@ -1023,41 +1028,42 @@ def test_selection_start_or_and(self): # + "If you use it as a workaround to duplicate a field in a selection, use a new selection instead.", # ) - def test_field_user_localization(self): - def checkUser(faulty_rules, dict): - for key, value in dict.items(): - if "User" in key: - if type(value) == str: - if "AUTORI" in value or "AUTHORI" in value: - print("Localized user name '{}'.".format(value)) - faulty_rules.append(file) + # sigma cli SigmahqFieldUserIssue + # def test_field_user_localization(self): + # def checkUser(faulty_rules, dict): + # for key, value in dict.items(): + # if "User" in key: + # if type(value) == str: + # if "AUTORI" in value or "AUTHORI" in value: + # print("Localized user name '{}'.".format(value)) + # faulty_rules.append(file) - faulty_rules = [] - for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") - for sel_key, sel_value in detection.items(): - if sel_key == "condition" or sel_key == "timeframe": - continue - # single item selection - if type(sel_value) == dict: - checkUser(faulty_rules, sel_value) - if type(sel_value) == list: - # skip keyword selection - if type(sel_value[0]) != dict: - continue - # multiple item selection - for item in sel_value: - checkUser(faulty_rules, item) + # faulty_rules = [] + # for file in self.yield_next_rule_file_path(self.path_to_rules): + # detection = self.get_rule_part(file_path=file, part_name="detection") + # for sel_key, sel_value in detection.items(): + # if sel_key == "condition" or sel_key == "timeframe": + # continue + # # single item selection + # if type(sel_value) == dict: + # checkUser(faulty_rules, sel_value) + # if type(sel_value) == list: + # # skip keyword selection + # if type(sel_value[0]) != dict: + # continue + # # multiple item selection + # for item in sel_value: + # checkUser(faulty_rules, item) - self.assertEqual( - faulty_rules, - [], - Fore.RED - + "There are rules that 
match using localized user accounts. Better employ a generic version such as:\n" - + "User|contains: # covers many language settings\n" - + " - 'AUTHORI'\n" - + " - 'AUTORI'", - ) + # self.assertEqual( + # faulty_rules, + # [], + # Fore.RED + # + "There are rules that match using localized user accounts. Better employ a generic version such as:\n" + # + "User|contains: # covers many language settings\n" + # + " - 'AUTHORI'\n" + # + " - 'AUTORI'", + # ) # sigma condition error # def test_condition_operator_casesensitive(self): From 69012217675b4d73056c6d3a0aee89453728a5d7 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Aug 2024 02:59:39 +0200 Subject: [PATCH 024/144] Merge PR #4967 from @nasbench - Revert accidental change introduced in #4950 chore: fix `Powershell Token Obfuscation - Powershell` - Revert accidental change introduced in #4950 --- .../powershell_script/posh_ps_token_obfuscation.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml index 87fc5a937c3..a24ba072e2c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml 
@@ -23,11 +23,13 @@ detection: # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString - # ${e`Nv:pATh} - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]' # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting - - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}' + # ${e`Nv:pATh} + - ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}' + filter_envpath: + ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964 filter_chocolatey: ScriptBlockText|contains: - 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey From 8bf0ef1253580e37d85098b0ae51ebb1581c74ca Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 11:13:47 +0200 Subject: [PATCH 025/144] Merge PR #4970 from @nasbench - Archive new rule references and update cache file chore: archive new rule references and update cache file Co-authored-by: nasbench --- .github/latest_archiver_output.md | 972 +++++++++++++++--------------- tests/rule-references.txt | 40 ++ 2 files changed, 539 insertions(+), 473 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index 2f423c63cae..d598550c261 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md 
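Review bot: The new `filter_envpath` exclusion is broader than the problem it works around: `ScriptBlockText|contains: '${env:path}'` is a case-insensitive substring test, so it drops any script block that contains the plain token anywhere, and a block mixing a legitimate `${env:path}` with an obfuscated `${e`nv:path}` is no longer reported. The root cause is that every backtick in `'(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'` is optional, so the expression also matches the un-obfuscated form; requiring at least one backtick in the pattern itself (an alternation over the backtick positions, or a lookahead such as `(?=[^}]*`)` where the target backend supports it) would remove the need for the filter that the TODO already marks as temporary. The inline `(?i)` flag is also backend-dependent; Sigma v2 expresses case-insensitivity as the `re|i` modifier, which pySigma translates per backend, so `ScriptBlockText|re|i:` is preferable once the toolchain supports it. The `condition` that combines these selections with `filter_envpath` is outside the hunk.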
@@ -1,522 +1,548 @@ # Reference Archiver Results -Last Execution: 2024-08-01 02:00:18 +Last Execution: 2024-08-15 02:17:53 ### Archiver Script Results #### Newly Archived References -- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html +- https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38 +- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf +- https://www.loobins.io/binaries/sysctl/# +- https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua +- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32 +- https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf #### Already Archived References -- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html -- https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416 -- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a -- https://docs.github.com/en/migrations -- https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps -- https://security.padok.fr/en/blog/kubernetes-webhook-attackers -- 
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ -- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701 -- https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py -- https://asec.ahnlab.com/en/58878/ -- https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules - -#### Error While Archiving References - -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- 
https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus +- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice +- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete +- https://tria.ge/240301-rk34sagf5x/behavioral2 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties +- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent +- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ +- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil -- 
https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983 -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- 
https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ -- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- https://github.com/CICADA8-Research/RemoteKrbRelay -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://www.tenable.com/security/research/tra-2023-11 -- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps -- https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38 -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ -- https://twitter.com/DTCERT/status/1712785421845790799 - https://twitter.com/DTCERT/status/1712785426895839339 -- https://tria.ge/240123-rapteaahhr/behavioral1 -- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip +- https://help.duo.com/s/article/6327?language=en_US - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 -- https://adsecurity.org/?p=1785 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties -- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture -- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- 
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml -- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://github.com/grayhatkiller/SharpExShell -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://securelist.com/network-tunneling-with-qemu/111803/ -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps -- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- 
https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://github.com/rapid7/metasploit-framework/issues/11337 -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://www.loobins.io/binaries/tmutil/ -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://www.cve.org/CVERecord?id=CVE-2024-1709 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ +- https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html +- https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) +- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass +- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware +- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec +- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity + +#### Error While Archiving References + +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml -- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure +- https://www.cyberciti.biz/faq/linux-remove-user-command/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- 
http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://www.sans.org/cyber-security-summit/archives +- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://learn.microsoft.com/en-us/windows/client-management/manage-recall +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ +- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps +- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://evasions.checkpoint.com/techniques/macos.html +- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html - https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 +- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration - https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- 
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://github.com/embedi/CVE-2017-11882 -- https://redcanary.com/blog/msix-installers/ -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 +- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://www.loobins.io/binaries/hdiutil/ +- 
https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://tria.ge/231023-lpw85she57/behavioral2 +- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect +- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +- https://support.google.com/a/answer/9261439 +- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://cloud.google.com/access-context-manager/docs/audit-logging - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html -- 
https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete -- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 +- https://www.tarasco.org/security/pwdump_7/ +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks -- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://help.duo.com/s/article/6327?language=en_US -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- 
https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml -- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 -- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 -- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- 
https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 -- https://ss64.com/osx/sw_vers.html -- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 -- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins -- https://objective-see.org/blog/blog_0x1E.html -- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change -- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware -- https://github.com/0xthirteen/SharpMove/ -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb -- https://www.loobins.io/binaries/sysctl/# -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 
-- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 -- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://ngrok.com/blog-post/new-ngrok-domains -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://labs.withsecure.com/publications/kapeka -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ +- 
https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 +- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior - https://paper.seebug.org/1495/ -- https://cloud.google.com/access-context-manager/docs/audit-logging -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ -- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 +- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt +- https://www.loobins.io/binaries/tmutil/ +- 
https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://github.com/amjcyber/EDRNoiseMaker +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ +- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://github.com/embedi/CVE-2017-11882 +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- 
https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 -- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html +- 
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult -- https://support.google.com/a/answer/9261439 -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ - 
https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- https://news.ycombinator.com/item?id=29504755 -- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- 
https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ -- https://twitter.com/MsftSecIntel/status/1737895710169628824 -- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- https://localtonet.com/documents/supported-tunnels -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://tria.ge/231023-lpw85she57/behavioral2 -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- 
https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://megatools.megous.com/ -- https://github.com/GhostPack/SharpDPAPI -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami +- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://anydesk.com/en/changelog/windows -- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- 
https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://securelist.com/network-tunneling-with-qemu/111803/ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html -- https://objective-see.org/blog/blog_0x6D.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +- 
https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites +- https://www.elastic.co/security-labs/operation-bleeding-bear +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://www.loobins.io/binaries/pbpaste/ -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://www.tenable.com/security/research/tra-2023-11 +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - 
https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete -- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services -- https://www.sans.org/cyber-security-summit/archives -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens -- 
https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://github.com/amjcyber/EDRNoiseMaker -- https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly -- https://boinc.berkeley.edu/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://anydesk.com/en/changelog/windows - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://www.tarasco.org/security/pwdump_7/ -- https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities -- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections -- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file -- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity -- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql -- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://www.loobins.io/binaries/nscurl/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://evasions.checkpoint.com/techniques/macos.html -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac -- 
https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ - https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) -- https://www.loobins.io/binaries/nscurl/ -- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted -- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- https://pentestlab.blog/tag/svchost/ -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ -- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- 
https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- https://redcanary.com/blog/msix-installers/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ - 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ +- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml +- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://github.com/rapid7/metasploit-framework/issues/11337 +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://linux.die.net/man/1/arecord +- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- 
http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://ngrok.com/blog-post/new-ngrok-domains +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://boinc.berkeley.edu/ +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change +- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior +- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor +- https://objective-see.org/blog/blog_0x1E.html +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ +- 
https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 +- https://github.com/GhostPack/SharpDPAPI +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd +- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -- 
https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ -- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html - https://www.loobins.io/binaries/launchctl/ -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file +- 
https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ +- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult - https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ -- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://www.softperfect.com/products/networkscanner/ -- https://tria.ge/240226-fhbe7sdc39/behavioral1 -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html -- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ -- https://www.loobins.io/binaries/xattr/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 -- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html -- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb +- 
https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ +- https://adsecurity.org/?p=1785 +- https://labs.withsecure.com/publications/kapeka +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://github.com/gentilkiwi/mimikatz +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things +- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4 +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging +- 
https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue +- https://pentestlab.blog/tag/svchost/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- 
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac +- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo -- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ - https://twitter.com/standa_t/status/1808868985678803222 -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://github.com/antonioCoco/RoguePotato -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn -- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 +- https://twitter.com/DTCERT/status/1712785421845790799 +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://ss64.com/osx/sw_vers.html +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks +- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://github.com/grayhatkiller/SharpExShell +- https://megatools.megous.com/ +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- 
https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete +- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts -- https://blog.sekoia.io/darkgate-internals/ -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority -- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- https://localtonet.com/documents/supported-tunnels +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps +- https://www.softperfect.com/products/networkscanner/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ - https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections -- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details -- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ -- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://ss64.com/mac/hdiutil.html +- https://github.com/antonioCoco/RoguePotato +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://objective-see.org/blog/blog_0x6D.html +- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://news.ycombinator.com/item?id=29504755 - https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://github.com/0xthirteen/SharpMove/ +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://www.loobins.io/binaries/pbpaste/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html -- https://linux.die.net/man/1/arecord -- https://github.com/gentilkiwi/mimikatz -- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://www.loobins.io/binaries/xattr/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted +- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- 
https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
+- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
+- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
+- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
+- https://blog.sekoia.io/darkgate-internals/
+- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
+- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
+- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
+- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
+- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
+- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
+- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
index 533e26bbbbe..cd41296ed3e 100644
--- a/tests/rule-references.txt
+++ b/tests/rule-references.txt
@@ -3734,3 +3734,43 @@ https://asec.ahnlab.com/en/58878/
 https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
 https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
 https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
+https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
+https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
+https://tria.ge/240301-rk34sagf5x/behavioral2
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
+https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
+https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
+https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
+https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
+https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
+https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
+https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
+https://twitter.com/DTCERT/status/1712785426895839339
+https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
+https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
+https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
+https://help.duo.com/s/article/6327?language=en_US
+https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
+https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
+https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
+https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
+https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
+https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
+https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
+https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
+https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
+https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
+https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
+https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
+https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
+https://www.loobins.io/binaries/sysctl/#
+https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
+https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
+https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
From adff65f9aa103ad9665eec2bf1e399c1b1231c70 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 16 Aug 2024 12:37:51 +0200
Subject: [PATCH 026/144] Merge PR #4973 from @frack113 - Fix date format for some rules along with a broken logsource field
chore: update date format for some rules
fix: HackTool - LaZagne Execution - Fix incorrect logsource
---
 .../proc_creation_win_rundll32_js_runhtmlapplication.yml | 3 ++-
 .../proc_creation_win_wmic_recon_system_info.yml | 2 +-
 .../proc_creation_win_diskshadow_script_mode_susp_location.yml | 2 +-
 .../process_creation/proc_creation_win_hktl_lazagne.yml | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml b/deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml
index 5507c6b2948..41e1cb14739 100644
--- a/deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml
+++ b/deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml
@@ -6,7 +6,8 @@ references:
 - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
 - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
 author: Florian Roth (Nextron Systems)
-date: 2024/02/23
+date: 2022-01-14
+modified: 2024-02-23
 tags:
 - attack.defense_evasion
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
index 0821f2af420..1a54737a100 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
@@ -17,7 +17,7 @@ references:
 - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-12-19
-updated: 2024/01/15
+modified: 2024-01-15
 tags:
 - attack.discovery
 - attack.t1082
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
index e551880bb51..da4dd14bacf 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
@@ -21,7 +21,7 @@ references:
 - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-15
-modifier: 2024/03/05
+modified: 2024-03-05
 tags:
 - attack.defense-evasion
 - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml
index c12af326b95..4cafe311749 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml
@@ -12,11 +12,11 @@ references:
 - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-06-24
+modified: 2024-08-16
 tags:
 - attack.credential-access
 logsource:
 product: windows
- service: windows
 category: process_creation
 detection:
 selection_img:
From 7e93682e0d87324a49408d0d76a70192c3890e26 Mon Sep 17 00:00:00 2001
From: Kostas
Date: Fri, 16 Aug 2024 12:16:56 -0700
Subject: [PATCH 027/144] Merge PR #4974 from @tsale - Add `Potentially Suspicious Rundll32.EXE Execution of UDL File` new: Potentially Suspicious Rundll32.EXE Execution of UDL File --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_rundll32_udl_exec.yml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml b/rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml
new file mode 100644
index 00000000000..4bb2f09de8c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml
@@ -0,0 +1,33 @@
+title: Potentially Suspicious Rundll32.EXE Execution of UDL File
+id: 0ea52357-cd59-4340-9981-c46c7e900428
+status: experimental
+description: |
+ Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
+ Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
+references:
+ - https://trustedsec.com/blog/oops-i-udld-it-again
+author: '@kostastsale'
+date: 2024-08-16
+tags:
+ - attack.execution
+ - attack.t1218.011
+ - attack.t1071
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent:
+ ParentImage|endswith: '\explorer.exe'
+ selection_img:
+ - Image|endswith: '\rundll32.exe'
+ - OriginalFileName: 'RUNDLL32.EXE'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'oledb32.dll'
+ - ',OpenDSLFile '
+ - '\\Users\\*\\Downloads\\' # Note: You can adjust the path to the download directory or other directories according to your environment.
+ CommandLine|endswith: '.udl'
+ condition: all of selection_*
+falsepositives:
+ - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
+level: medium
From 0504f18f6b657ef7632b1849a257fb9134f43657 Mon Sep 17 00:00:00 2001
From: "Omar A."
Date: Tue, 20 Aug 2024 15:26:12 +0300
Subject: [PATCH 028/144] Merge PR #4948 from @omaramin17 - Add `Data Export From MSSQL Table Via BCP.EXE` new: Data Export From MSSQL Table Via BCP.EXE --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Thanks: @Mahir-Ali-khan
---
 .../proc_creation_win_bcp_export_data.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_bcp_export_data.yml
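Review bot: `CommandLine|endswith: '.udl'` misses invocations where the file path argument is quoted (the command line then ends in `.udl"`) or where anything follows the path; a more tolerant form is `CommandLine|contains: '.udl'`, or an `endswith` block sequence holding both `'.udl'` and `'.udl"'`. The `attack.t1071` tag (Application Layer Protocol) does not describe opening a UDL file from the Downloads folder; if the intended mapping is the credential capture the description mentions, T1187 (Forced Authentication) looks closer, to be confirmed against the project's accepted tag list. The `selection_parent` constraint on `\explorer.exe` also means a UDL file opened directly from an archive tool or a mail client will not match, which is worth stating in the description so operators know the scope.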
diff --git a/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml b/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml
new file mode 100644
index 00000000000..d1aab0f5d4d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml
@@ -0,0 +1,34 @@
+title: Data Export From MSSQL Table Via BCP.EXE
+id: c615d676-f655-46b9-b913-78729021e5d7
+status: experimental
+description: |
+ Detects the execution of the BCP utility in order to export data from the database.
+ Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
+references:
+ - https://docs.microsoft.com/en-us/sql/tools/bcp-utility
+ - https://asec.ahnlab.com/en/61000/
+ - https://asec.ahnlab.com/en/78944/
+ - https://www.huntress.com/blog/attacking-mssql-servers
+ - https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
+ - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
+ - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
+author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
+date: 2024-08-20
+tags:
+ - attack.execution
+ - attack.t1048
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\bcp.exe'
+ - OriginalFileName: 'BCP.exe'
+ selection_cli:
+ CommandLine|contains:
+ - ' out ' # Export data from a table
+ - ' queryout ' # Export data based on a SQL query
+ condition: all of selection_*
+falsepositives:
+ - Legitimate data export operations.
+level: medium
From d1143955c7a4bcab318a602f673074c838735fa6 Mon Sep 17 00:00:00 2001
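Review bot: The tags pair the `attack.execution` tactic with `attack.t1048`, but T1048 (Exfiltration Over Alternative Protocol) sits under the exfiltration tactic, so the tactic and technique tags disagree; either add `attack.exfiltration` or choose a technique that matches the payload-staging behaviour the description emphasises. The `' out '` and `' queryout '` patterns are matched anywhere in the command line, which is acceptable given `selection_img`, but a short inline comment stating that the `in` (import) direction is deliberately out of scope would make the intent explicit, e.g. `# Note: import ("in") is intentionally not covered; see the rule description`.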
From: cyb3rjy0t
Date: Wed, 21 Aug 2024 07:11:57 -0400
Subject: [PATCH 029/144] Merge PR #4978 from @cyb3rjy0t - Add `Multi Factor Authentication Disabled For User Account` new: Multi Factor Authentication Disabled For User Account --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../azure_user_account_mfa_disable.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml
diff --git a/rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml b/rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml
new file mode 100644
index 00000000000..b4fc0bdef1d
--- /dev/null
+++ b/rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml
@@ -0,0 +1,28 @@
+title: Multi Factor Authentication Disabled For User Account
+id: b18454c8-0be3-41f7-86bc-9c614611b839
+status: experimental
+description: |
+ Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled".
+ Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
+references:
+ - https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
+author: Harjot Singh (@cyb3rjy0t)
+date: 2024-08-21
+tags:
+ - attack.credential-access
+ - attack.persistence
+logsource:
+ product: azure
+ service: auditlogs
+ definition: 'Requirements: The TargetResources array needs to be mapped accurately in order for this rule to work'
+detection:
+ selection:
+ LoggedByService: 'Core Directory'
+ Category: 'UserManagement'
+ OperationName: 'Update user'
+ TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement'
+ TargetResources.ModifiedProperties.NewValue|contains: "State\":0"
+ condition: selection
+falsepositives:
+ - Legitimate authorized activity.
+level: medium
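Review bot: `TargetResources.ModifiedProperties.NewValue|contains: "State\":0"` is tied to one exact JSON serialization of the NewValue string; a backend that renders `"State": 0` with a space, or a disable operation that (if that is how the tenant logs it) writes an empty array as the new value, would not match, so the pattern should be confirmed against a captured event and, where needed, extended with a second entry such as `'[]'` in a block sequence. The tags name two tactics but no technique; `attack.t1556.006` (Modify Authentication Process: Multi-Factor Authentication) appears to be the matching one and is worth adding if the project accepts it. In the description, `Also see in SIM Swap attacks` should read `Also seen in SIM swap attacks`.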
From 78abfd5700cfb247a5309eef861a559989e509fa Mon Sep 17 00:00:00 2001
From: cyb3rjy0t
Date: Wed, 21 Aug 2024 08:46:20 -0400
Subject: [PATCH 030/144] Merge PR #4977 from @cyb3rjy0t - Add `User Risk and MFA Registration Policy Updated` new: User Risk and MFA Registration Policy Updated --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...pdate_risk_and_mfa_registration_policy.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml
diff --git a/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml b/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml
new file mode 100644
index 00000000000..1ecd54663b3
--- /dev/null
+++ b/rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml
@@ -0,0 +1,25 @@
+title: User Risk and MFA Registration Policy Updated
+id: d4c7758e-9417-4f2e-9109-6125d66dabef
+status: experimental
+description: |
+ Detects changes and updates to the user risk and MFA registration policy.
+ Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.
+references:
+ - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
+ - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
+author: Harjot Singh (@cyb3rjy0t)
+date: 2024-08-13
+tags:
+ - attack.persistence
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ LoggedByService: 'AAD Management UX'
+ Category: 'Policy'
+ OperationName: 'Update User Risk and MFA Registration Policy'
+ condition: selection
+falsepositives:
+ - Known updates by administrators.
+level: high
From a21ab6763b42c21b7be8fd50a68edb03c7182267 Mon Sep 17 00:00:00 2001
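Review bot: `LoggedByService: 'AAD Management UX'` narrows the match to changes made through the portal UI; if the same policy is updated through an API or scripted path the audit entry may carry a different LoggedByService value, so that value should be confirmed constant or the key dropped in favour of `OperationName` alone. `level: high` next to a falsepositives entry that says administrators routinely make these updates means every legitimate change pages at the top severity; `medium` seems the more honest level until the rule has been baselined. The description's `Attackers can modified the policies` should read `Attackers can modify the policies`, and the tags carry a tactic without a technique (`attack.t1556.006` looks like the fit, if the project accepts it).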
From: "Omar A."
Date: Wed, 21 Aug 2024 16:25:47 +0300
Subject: [PATCH 031/144] Merge PR #4951 from @omaramin17 - Add `Hidden Flag Set On File/Directory Via Chflags - MacOS` new: Hidden Flag Set On File/Directory Via Chflags - MacOS --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...roc_creation_macos_chflags_hidden_flag.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml
diff --git a/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml b/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml
new file mode 100644
index 00000000000..35dc4576f0f
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml
@@ -0,0 +1,30 @@
+title: Hidden Flag Set On File/Directory Via Chflags - MacOS
+id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
+status: experimental
+description: |
+ Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
+ When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
+references:
+ - https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
+ - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
+ - https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
+ - https://ss64.com/mac/chflags.html
+author: Omar Khaled (@beacon_exe)
+date: 2024-08-21
+tags:
+ - attack.defense-evasion
+ - attack.t1218
+ - attack.t1564.004
+ - attack.t1552.001
+ - attack.t1105
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '/chflags'
+ CommandLine|contains: 'hidden '
+ condition: selection
+falsepositives:
+ - Legitimate usage of chflags by administrators and users.
+level: medium
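Review bot: `CommandLine|contains: 'hidden '` also matches `chflags nohidden <file>`, the command that clears the flag, and misses comma-joined flag lists such as `chflags hidden,uchg <file>`; a block sequence of `' hidden '`, `' hidden,'`, `',hidden '` and `',hidden,'` covers the set-flag forms without matching `nohidden`. The technique tags do not fit the behaviour: `attack.t1564.004` is NTFS File Attributes, whereas the macOS hidden flag is T1564.001 (Hidden Files and Directories), and `attack.t1218`, `attack.t1552.001` and `attack.t1105` describe proxy execution, credentials in files and tool transfer, none of which this rule observes.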
From b1a2d412dad752667002d1460be84e9f94a832d9 Mon Sep 17 00:00:00 2001
From: "Omar A."
Date: Wed, 21 Aug 2024 16:38:53 +0300
Subject: [PATCH 032/144] Merge PR #4965 from @omaramin17 - Add `Driver Added To Disallowed Images In HVCI - Registry` new: Driver Added To Disallowed Images In HVCI - Registry --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../registry_set_hvci_disallowed_images.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml
diff --git a/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml b/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml
new file mode 100644
index 00000000000..17a9a268315
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml
@@ -0,0 +1,28 @@
+title: Driver Added To Disallowed Images In HVCI - Registry
+id: 555155a2-03bf-4fe7-af74-d176b3fdbe16
+related:
+ - id: 44cee399-f6b1-45cc-a87c-ea14c6064d6b
+ type: similar
+status: experimental
+description: |
+ Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
+references:
+ - https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf
+ - https://x.com/yarden_shafir/status/1822667605175324787
+author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)
+date: 2023-12-05
+modified: 2024-08-21
+tags:
+ - attack.defense-evasion
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|contains|all:
+ - '\Control\CI\'
+ - '\HVCIDisallowedImages'
+ condition: selection
+falsepositives:
+ - Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended
+level: high
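Review bot: `level: high` sits next to a falsepositives entry stating that legitimate use of the key also triggers the rule; one of the two should move, either to a `medium` level or to a falsepositives text that names the legitimate cases so an analyst can triage against them. `TargetObject|contains|all` constrains only the key path, so any value written beneath it matches regardless of which driver is listed; a comment such as `# Note: Details (the driver name) is intentionally unconstrained` would make that choice explicit. The falsepositives sentence also needs `its intended` corrected to `it's intended` and a closing period.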
From 17d1977449b433e92d44f90a632451f771458a94 Mon Sep 17 00:00:00 2001
From: MahirAli Khan
Date: Fri, 23 Aug 2024 03:01:52 +0530
Subject: [PATCH 033/144] Merge PR #4969 from @Mahir-Ali-khan - Add `Potential File Override/Append Via SET Command` new: Potential File Override/Append Via SET Command --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...proc_creation_win_cmd_set_prompt_abuse.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml
new file mode 100644
index 00000000000..b3fe1645189
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml
@@ -0,0 +1,34 @@
+title: Potential File Override/Append Via SET Command
+id: 65e4c134-ee52-4099-9e35-5e17a4b45c62
+status: experimental
+description: |
+ Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
+ Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
+ Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
+ The typical use case of the "set /p=" command is to prompt the user for input.
+references:
+ - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
+ - https://ss64.com/nt/set.html
+author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan)
+date: 2024-08-22
+tags:
+ - attack.execution
+ - attack.defense-evasion
+ - detection.threat-hunting
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\cmd.exe'
+ - OriginalFileName: 'Cmd.Exe'
+ selection_cli:
+ CommandLine|contains:
+ - '/c set /p='
+ - '"set /p='
+ - '>>*set /p=' # To catch edge cases where the attacker passes it via a "cmd /c"
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the SET with the "/p" flag for user prompting. command in administrative scripts or user-generated scripts.
+level: low
From 9b3c363cd0c4fd9dd0ded3b922190c30eff5d98b Mon Sep 17 00:00:00 2001
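Review bot: All three `CommandLine|contains` patterns require `/p=` immediately after `set`, so the rule is silent when a variable name or extra whitespace separates them (`set /p x=`), which the description's own wording ("followed directly by an `=` sign") acknowledges; for a threat-hunting rule a wildcard form such as `'set /p*='`, which the file already uses in `'>>*set /p='`, would close that gap at the cost of more prompt-script hits. The falsepositives entry is broken mid-sentence and should read as one sentence, e.g. `Legitimate use of the SET command with the "/p" flag for user prompting in administrative or user-generated scripts.`. The common batch idiom of piping into `set /p=` to print without a trailing newline is worth naming there as a known source of benign matches.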
From: "Omar A." Date: Fri, 23 Aug 2024 12:16:06 +0300 Subject: [PATCH 034/144] Merge PR #4954 from @omaramin17 - Update multiple rules with additional sharing domains update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Suspicious File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Suspicious Remote 
AppX Package Locations - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` update: Unusual File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev` --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...win_appxdeployment_server_susp_domains.yml | 10 ++++++--- ..._new_transfer_via_file_sharing_domains.yml | 7 +++++-- ...haring_domains_download_susp_extension.yml | 21 +++++++++++-------- ...ing_domains_download_unusual_extension.yml | 16 +++++++------- ...nection_win_domain_dead_drop_resolvers.yml | 10 ++++++--- ...susp_file_sharing_domains_susp_folders.yml | 7 +++++-- ...iated_uncommon_or_suspicious_locations.yml | 7 +++++-- ...itsadmin_download_file_sharing_domains.yml | 10 ++++----- ...certutil_download_file_sharing_domains.yml | 7 +++++-- ...url_download_susp_file_sharing_domains.yml | 7 +++++-- ...ell_download_susp_file_sharing_domains.yml | 6 +++++- ...get_download_susp_file_sharing_domains.yml | 7 +++++-- 12 files changed, 74 insertions(+), 41 deletions(-) diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml index 4609d8dc0f5..be0fbf3d461 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml 
@@ -1,7 +1,8 @@
 title: Suspicious Remote AppX Package Locations
 id: 8b48ad89-10d8-4382-a546-50588c410f0d
 status: experimental
-description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain
+description: |
+ Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain.
 references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
@@ -9,7 +10,7 @@ references:
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
-modified: 2024-02-09
+modified: 2024-08-22
 tags:
 - attack.defense-evasion
 logsource:
@@ -22,7 +23,6 @@ detection:
 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
 - 'anonfiles.com'
 - 'cdn.discordapp.com'
- - 'cdn.discordapp.com/attachments/'
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
@@ -32,6 +32,7 @@ detection:
 - 'mediafire.com'
 - 'mega.nz'
 - 'onrender.com'
+ - 'pages.dev'
 - 'paste.ee'
 - 'pastebin.com'
 - 'pastebin.pl'
@@ -45,7 +46,10 @@ detection:
 - 'supabase.co'
 - 'temp.sh'
 - 'transfer.sh'
+ - 'trycloudflare.com'
 - 'ufile.io'
+ - 'w3spaces.com'
+ - 'workers.dev'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
index 41986fcf02c..05bfd3298a3 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
@@ -9,7 +9,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-06-28
-modified: 2024-02-09
+modified: 2024-08-22
 tags:
 - attack.defense-evasion
 - attack.persistence
@@ -24,7 +24,6 @@ detection:
 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
 - 'anonfiles.com'
 - 'cdn.discordapp.com'
- - 'cdn.discordapp.com/attachments/'
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
@@ -34,6 +33,7 @@ detection:
 - 'mediafire.com'
 - 'mega.nz'
 - 'onrender.com'
+ - 'pages.dev'
 - 'paste.ee'
 - 'pastebin.com'
 - 'pastebin.pl'
@@ -47,7 +47,10 @@ detection:
 - 'supabase.co'
 - 'temp.sh'
 - 'transfer.sh'
+ - 'trycloudflare.com'
 - 'ufile.io'
+ - 'w3spaces.com'
+ - 'workers.dev'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
index 158c9e898d7..951a45678d7 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -1,4 +1,4 @@
-title: Suspicious File Download From File Sharing Websites
+title: Suspicious File Download From File Sharing Websites - File Stream
 id: 52182dfb-afb7-41db-b4bc-5336cb29b464
 related:
 - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
@@ -12,7 +12,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-02-09
+modified: 2024-08-22
 tags:
 - attack.defense-evasion
 - attack.s0139
@@ -26,7 +26,6 @@ detection:
 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
 - 'anonfiles.com'
 - 'cdn.discordapp.com'
- - 'cdn.discordapp.com/attachments/'
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
@@ -36,6 +35,7 @@ detection:
 - 'mediafire.com'
 - 'mega.nz'
 - 'onrender.com'
+ - 'pages.dev'
 - 'paste.ee'
 - 'pastebin.com'
 - 'pastebin.pl'
@@ -49,19 +49,22 @@ detection:
 - 'supabase.co'
 - 'temp.sh'
 - 'transfer.sh'
+ - 'trycloudflare.com'
 - 'ufile.io'
+ - 'w3spaces.com'
+ - 'workers.dev'
 selection_extension:
 TargetFilename|contains:
- - '.exe:Zone'
- - '.vbs:Zone'
- - '.vbe:Zone'
+ - '.cpl:Zone'
 - '.dll:Zone'
- - '.one:Zone'
+ - '.exe:Zone'
 - '.hta:Zone'
 - '.lnk:Zone'
+ - '.one:Zone'
+ - '.vbe:Zone'
+ - '.vbs:Zone'
 - '.xll:Zone'
- - '.cpl:Zone'
- condition: all of selection*
+ condition: all of selection_*
 falsepositives:
 - Some false positives might occur with binaries download via Github
 level: high
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
index 39a51f17d01..0bee642bfc0 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -1,4 +1,4 @@
-title: Unusual File Download From File Sharing Websites
+title: Unusual File Download From File Sharing Websites - File Stream
 id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
 related:
 - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
@@ -11,7 +11,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-02-09
+modified: 2024-08-22
 tags:
 - attack.defense-evasion
 - attack.s0139
@@ -25,7 +25,6 @@ detection:
 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
 - 'anonfiles.com'
 - 'cdn.discordapp.com'
- - 'cdn.discordapp.com/attachments/'
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
@@ -35,6 +34,7 @@ detection:
 - 'mediafire.com'
 - 'mega.nz'
 - 'onrender.com'
+ - 'pages.dev'
 - 'paste.ee'
 - 'pastebin.com'
 - 'pastebin.pl'
@@ -48,16 +48,16 @@ detection:
 - 'supabase.co'
 - 'temp.sh'
 - 'transfer.sh'
+ - 'trycloudflare.com'
 - 'ufile.io'
+ - 'w3spaces.com'
+ - 'workers.dev'
 selection_extension:
 TargetFilename|contains:
- - '.ps1:Zone'
 - '.bat:Zone'
 - '.cmd:Zone'
- condition: all of selection*
-fields:
- - TargetFilename
- - Image
+ - '.ps1:Zone'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
index f40a7f06aff..0b877691e88 100644
--- a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml
@@ -1,4 +1,4 @@
-title: Potential Dead Drop Resolvers
+title: New Connection Initiated To Potential Dead Drop Resolver Domain
 id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
 related:
 - id: d7b09985-95a3-44be-8450-b6eadf49833e
@@ -16,7 +16,7 @@ references:
 - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
 author: Sorina Ionescu, X__Junior (Nextron Systems)
 date: 2022-08-17
-modified: 2024-07-16
+modified: 2024-08-22
 tags:
 - attack.command-and-control
 - attack.t1102
@@ -30,6 +30,7 @@ detection:
 DestinationHostname|endswith:
 - '.t.me'
 - '4shared.com'
+ - 'abuse.ch'
 - 'anonfiles.com'
 - 'cdn.discordapp.com'
 - 'cloudflare.com'
@@ -52,6 +53,7 @@ detection:
 - 'mega.co.nz'
 - 'mega.nz'
 - 'onedrive.com'
+ - 'pages.dev'
 - 'paste.ee'
 - 'pastebin.com'
 - 'pastebin.pl'
@@ -66,11 +68,13 @@ detection:
 - 'technet.microsoft.com'
 - 'temp.sh'
 - 'transfer.sh'
+ - 'trycloudflare.com'
 - 'twitter.com'
 - 'ufile.io'
- - 'abuse.ch'
 - 'vimeo.com'
+ - 'w3spaces.com'
 - 'wetransfer.com'
+ - 'workers.dev'
 - 'youtube.com'
 # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
 # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
diff --git a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
index 5e44c393396..de62477fbd8 100644
--- a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml
@@ -13,7 +13,7 @@ references:
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2018-08-30
-modified: 2024-05-31
+modified: 2024-08-22
 tags:
 - attack.command-and-control
 - attack.t1105
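Review bot: In the `@@ -66,11 +68,13 @@` hunk of the dead-drop-resolver rule the added `'trycloudflare.com'` entry is redundant: the selection is `DestinationHostname|endswith`, and the `'cloudflare.com'` entry visible as context in the `@@ -30,6 +30,7 @@` hunk already matches every hostname ending in `trycloudflare.com`. It is harmless but misleads the next maintainer into thinking the tunnel domain was previously uncovered, so either drop it from this rule or mark it with `# Note: already covered by 'cloudflare.com' above; kept for readability`. The other new entries (`'pages.dev'`, `'w3spaces.com'`, `'workers.dev'`) follow the list's existing bare-suffix style, which with `endswith` also matches unrelated registrable domains ending in those strings, consistent with how entries such as `'4shared.com'` are already written.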
@@ -42,7 +42,6 @@ detection:
 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
 - 'anonfiles.com'
 - 'cdn.discordapp.com'
- - 'cdn.discordapp.com/attachments/'
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
@@ -53,6 +52,7 @@ detection:
 - 'mega.co.nz'
 - 'mega.nz'
 - 'onrender.com'
+ - 'pages.dev'
 - 'paste.ee'
 - 'pastebin.com'
 - 'pastebin.pl'
@@ -66,7 +66,10 @@ detection:
 - 'supabase.co'
 - 'temp.sh'
 - 'transfer.sh'
+ - 'trycloudflare.com'
 - 'ufile.io'
+ - 'w3spaces.com'
+ - 'workers.dev'
 condition: all of selection_*
 falsepositives:
 - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
diff --git a/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml b/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
index 9de239a105c..4037c6136c3 100644
--- a/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
@@ -7,7 +7,7 @@ references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2017-03-19
-modified: 2024-05-31
+modified: 2024-08-22
 tags:
 - attack.command-and-control
 - attack.t1105
@@ -34,7 +34,6 @@ detection:
 - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
 - 'anonfiles.com'
 - 'cdn.discordapp.com'
- - 'cdn.discordapp.com/attachments/'
 - 'ddns.net'
 - 'dl.dropboxusercontent.com'
 - 'ghostbin.co'
@@ -45,6 +44,7 @@ detection:
 - 'mega.co.nz'
 - 'mega.nz'
 - 'onrender.com'
+ - 'pages.dev'
 - 'paste.ee'
 - 'pastebin.com'
 - 'pastebin.pl'
@@ -59,7 +59,10 @@ detection: - 'supabase.co' - 'temp.sh' - 'transfer.sh' + - 'trycloudflare.com' - 'ufile.io' + - 'w3spaces.com' + - 'workers.dev' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml index 007beb6bdac..a0e3b7499a5 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml @@ -11,7 +11,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Florian Roth (Nextron Systems) date: 2022-06-28 -modified: 2024-02-09 +modified: 2024-08-22 tags: - attack.defense-evasion - attack.persistence @@ -35,7 +35,6 @@ detection: - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea) - 'anonfiles.com' - 'cdn.discordapp.com' - - 'cdn.discordapp.com/attachments/' - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' @@ -45,6 +44,7 @@ detection: - 'mediafire.com' - 'mega.nz' - 'onrender.com' + - 'pages.dev' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -58,11 +58,11 @@ detection: - 'supabase.co' - 'temp.sh' - 'transfer.sh' + - 'trycloudflare.com' - 'ufile.io' + - 'w3spaces.com' + - 'workers.dev' condition: all of selection_* -fields: - - CommandLine - - ParentCommandLine falsepositives: - Some legitimate apps use this, but limited. level: high diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml index afb604f263b..01458a0704f 100644 
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml @@ -16,7 +16,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-02-15 -modified: 2024-02-09 +modified: 2024-08-22 tags: - attack.defense-evasion - attack.t1027 @@ -36,7 +36,6 @@ detection: - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea) - 'anonfiles.com' - 'cdn.discordapp.com' - - 'cdn.discordapp.com/attachments/' - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' @@ -46,6 +45,7 @@ detection: - 'mediafire.com' - 'mega.nz' - 'onrender.com' + - 'pages.dev' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -59,7 +59,10 @@ detection: - 'supabase.co' - 'temp.sh' - 'transfer.sh' + - 'trycloudflare.com' - 'ufile.io' + - 'w3spaces.com' + - 'workers.dev' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml index dd57b6b9da2..bc9e1660c40 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml @@ -7,7 +7,7 @@ references: - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv author: Nasreddine Bencherchali (Nextron Systems) date: 2023-05-05 -modified: 2024-02-09 +modified: 2024-08-22 tags: - attack.execution logsource: 
@@ -22,7 +22,6 @@ detection: - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea) - 'anonfiles.com' - 'cdn.discordapp.com' - - 'cdn.discordapp.com/attachments/' - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' @@ -32,6 +31,7 @@ detection: - 'mediafire.com' - 'mega.nz' - 'onrender.com' + - 'pages.dev' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -45,7 +45,10 @@ detection: - 'supabase.co' - 'temp.sh' - 'transfer.sh' + - 'trycloudflare.com' - 'ufile.io' + - 'w3spaces.com' + - 'workers.dev' selection_http: CommandLine|contains: 'http' selection_flag: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml index c6afa475dfa..6967bf3518f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml @@ -9,6 +9,7 @@ references: - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 author: Nasreddine Bencherchali (Nextron Systems) date: 2024-02-23 +modified: 2024-08-22 tags: - attack.execution logsource: @@ -28,7 +29,6 @@ detection: # - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea). - 'anonfiles.com' - 'cdn.discordapp.com' - - 'cdn.discordapp.com/attachments/' - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' @@ -38,6 +38,7 @@ detection: - 'mediafire.com' - 'mega.nz' - 'onrender.com' + - 'pages.dev' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -51,7 +52,10 @@ detection: - 'supabase.co' - 'temp.sh' - 'transfer.sh' + - 'trycloudflare.com' - 'ufile.io' + - 'w3spaces.com' + - 'workers.dev' selection_download: CommandLine|contains: - '.DownloadString(' 
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml index fd62eb5e093..5b2fc21271d 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml @@ -8,7 +8,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-05-05 -modified: 2024-02-09 +modified: 2024-08-22 tags: - attack.execution logsource: @@ -23,7 +23,6 @@ detection: - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea) - 'anonfiles.com' - 'cdn.discordapp.com' - - 'cdn.discordapp.com/attachments/' - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' @@ -33,6 +32,7 @@ detection: - 'mediafire.com' - 'mega.nz' - 'onrender.com' + - 'pages.dev' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -46,7 +46,10 @@ detection: - 'supabase.co' - 'temp.sh' - 'transfer.sh' + - 'trycloudflare.com' - 'ufile.io' + - 'w3spaces.com' + - 'workers.dev' selection_http: CommandLine|contains: 'http' selection_flag: From 29dce312bc49a9101d33e4d390a7c349c8d985a2 Mon Sep 17 00:00:00 2001 From: "Omar A." Date: Fri, 23 Aug 2024 13:08:08 +0300 Subject: [PATCH 035/144] Merge PR #4947 from @omaramin17 - Add `DNS Query To Put.io - DNS Client` new: DNS Query To Put.io - DNS Client --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../dns_client/win_dns_client_put_io.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/builtin/dns_client/win_dns_client_put_io.yml 
diff --git a/rules/windows/builtin/dns_client/win_dns_client_put_io.yml b/rules/windows/builtin/dns_client/win_dns_client_put_io.yml new file mode 100644 index 00000000000..a729d2a8709 --- /dev/null +++ b/rules/windows/builtin/dns_client/win_dns_client_put_io.yml @@ -0,0 +1,24 @@ +title: DNS Query To Put.io - DNS Client +id: 8b69fd42-9dad-4674-abef-7fdef43ef92a +status: experimental +description: Detects DNS queries for subdomains related to "Put.io" sharing website. +references: + - https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure +author: Omar Khaled (@beacon_exe) +date: 2024-08-23 +tags: + - attack.command-and-control +logsource: + product: windows + service: dns-client + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' +detection: + selection: + EventID: 3008 + QueryName|contains: + - 'api.put.io' + - 'upload.put.io' + condition: selection +falsepositives: + - Legitimate DNS queries and usage of Put.io +level: medium From 5c4f599e3a0ce4986e3ad8c02f3a47122456224a Mon Sep 17 00:00:00 2001 From: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com> Date: Mon, 26 Aug 2024 11:20:57 +0300 Subject: [PATCH 036/144] Merge PR #4982 from @X-Junior - Update scheduled task related rules update: Suspicious Windows Service Tampering - Add additional services and PsService.EXE update: Disable Important Scheduled Task - Add `\Windows\ExploitGuard\ExploitGuard MDM policy Refresh` --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_schtasks_disable.yml | 5 +- .../proc_creation_win_susp_service_tamper.yml | 100 +++++++++++++----- 2 files changed, 74 insertions(+), 31 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml index 4fa4b178415..a3ce9380f62 100644 
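Review bot: The rule matches only `api.put.io` and `upload.put.io` and does not say why: a lookup of the bare `put.io` or of any other subdomain is not covered, and a reader cannot tell whether that is deliberate. If these are the endpoints used by the put.io client and API in the referenced Medusa write-up (presumably the reason for the choice), a comment above the list such as `# API/upload endpoints used by the put.io client; the web front-end is intentionally not matched` records it; if whole-domain coverage is wanted instead, `QueryName|endswith: '.put.io'` is the usual Sigma shape, at the cost of a wider false-positive entry.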
--- a/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml @@ -9,9 +9,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ -author: frack113, Nasreddine Bencherchali (Nextron Systems) +author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior date: 2021-12-26 -modified: 2022-09-02 +modified: 2024-08-25 tags: - attack.impact - attack.t1489 @@ -29,6 +29,7 @@ detection: # Add more important tasks - '\Windows\BitLocker' - '\Windows\ExploitGuard' + - '\Windows\ExploitGuard\ExploitGuard MDM policy Refresh' - '\Windows\SystemRestore\SR' - '\Windows\UpdateOrchestrator\' - '\Windows\Windows Defender\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index acf23b465a8..9a88356d8a8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml 
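Review bot: The added `'\Windows\ExploitGuard\ExploitGuard MDM policy Refresh'` is a longer form of the `'\Windows\ExploitGuard'` entry directly above it; if this list sits under a `|contains` modifier (the field line is outside the hunk), every command line matching the new value already matched the old one and the addition changes nothing. If the goal was to document the concrete task name, a comment does that without a redundant value: `- '\Windows\ExploitGuard'  # Also covers '\Windows\ExploitGuard\ExploitGuard MDM policy Refresh'`. If the list is under an exact or `|endswith` match, disregard this.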
@@ -8,16 +8,16 @@ related: - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b type: obsolete status: test -description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts +description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts references: - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 -author: Nasreddine Bencherchali (Nextron Systems), frack113 +author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior date: 2022-09-01 -modified: 2023-08-07 +modified: 2024-08-25 tags: - attack.defense-evasion - attack.t1489 
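Review bot: `author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior` has a stray space before the second comma; the schtasks rule patched in the same PR uses the plain `, ` separator (`frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior`). Suggested: `author: Nasreddine Bencherchali (Nextron Systems), frack113, X__Junior`.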
@@ -25,60 +25,65 @@ logsource: category: process_creation product: windows detection: - selection_net_img: + selection_tools_img: - OriginalFileName: - 'net.exe' - 'net1.exe' - - Image|endswith: - - '\net.exe' - - '\net1.exe' - selection_net_cli: - CommandLine|contains: ' stop ' - selection_sc_img: - - OriginalFileName: 'sc.exe' - - Image|endswith: '\sc.exe' - selection_sc_cli: - CommandLine|contains: - - ' stop ' - - ' delete ' - - ' pause ' - selection_pwsh_img: - - OriginalFileName: - 'PowerShell.EXE' + - 'psservice.exe' - 'pwsh.dll' + - 'sc.exe' - Image|endswith: + - '\net.exe' + - '\net1.exe' - '\powershell.exe' + - '\PsService.exe' + - '\PsService64.exe' - '\pwsh.exe' - selection_pwsh_cli: - CommandLine|contains: - - 'Stop-Service ' - - 'Remove-Service ' + - '\sc.exe' + selection_tools_cli: + - CommandLine|contains: + - ' delete ' + - ' pause ' # Covers flags from: PsService and Sc.EXE + - ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE + - 'Stop-Service ' + - 'Remove-Service ' + - CommandLine|contains|all: + - 'config' + - 'start=disabled' selection_services: CommandLine|contains: - '143Svc' - 'Acronis VSS Provider' - 'AcronisAgent' - 'AcrSch2Svc' + - 'AdobeARMservice' + - 'AHS Service' - 'Antivirus' + - 'Apache4' - 'ARSM' - 'aswBcc' + - 'AteraAgent' - 'Avast Business Console Client Antivirus Service' - 'avast! Antivirus' - 'AVG Antivirus' - 'avgAdminClient' - 'AvgAdminServer' - - 'AVP1' # Covers multiple AVP versions + - 'AVP1' - 'BackupExec' - 'bedbg' - 'BITS' - 'BrokerInfrastructure' + - 'CASLicenceServer' + - 'CASWebServer' - 'Client Agent 7.60' - 'Core Browsing Protection' - 'Core Mail Protection' - - 'Core Scanning Server' # Covers 'Core Scanning ServerEx' + - 'Core Scanning Server' - 'DCAgent' - - 'EhttpSr' # Covers 'EhttpSry', 'EhttpSrv' - - 'ekrn' # Covers 'ekrnEpsw' + - 'dwmrcs' + - 'EhttpSr' + - 'ekrn' - 'Enterprise Client Service' - 'epag' - 'EPIntegrationService' 
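Review bot: The new `CommandLine|contains|all` branch matches `start=disabled`, but as far as I know sc.exe only accepts the startup type with a space after the equals sign (`sc config <svc> start= disabled`; the space-less form makes it print its usage text), so the branch would not fire on the command that actually disables a service — `- 'start= disabled'`, or both spellings, is what to match. The hunk also drops the rationale comments on the deliberately truncated service names (`AVP1`, `Core Scanning Server`, `EhttpSr`, `ekrn`), which the next maintainer is likely to read as typos; keeping e.g. `- 'ekrn'  # Covers 'ekrnEpsw'` costs nothing. Folding the per-tool selections into `selection_tools_img`/`selection_tools_cli` additionally lets previously unpaired combinations match (`net.exe` with ` delete `, `sc.exe` with `Stop-Service `), a small broadening that a one-line comment above `selection_tools_cli:` should acknowledge as intentional. The `selection_services` list continues beyond this hunk.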
@@ -92,16 +97,23 @@ detection: - 'FA_Scheduler' - 'FirebirdGuardianDefaultInstance' - 'FirebirdServerDefaultInstance' + - 'FontCache3.0.0.0' - 'HealthTLService' - - 'MSSQLFDLauncher$' # Covers 'SHAREPOINT', 'TPS', 'SBSMonitoring', etc. - 'hmpalertsvc' - 'HMS' + - 'HostControllerService' + - 'hvdsvc' + - 'IAStorDataMgrSvc' + - 'IBMHPS' + - 'ibmspsvc' - 'IISAdmin' - 'IMANSVC' - 'IMAP4Svc' + - 'instance2' - 'KAVFS' - 'KAVFSGT' - 'kavfsslp' + - 'KeyIso' - 'klbackupdisk' - 'klbackupflt' - 'klflt' @@ -135,10 +147,13 @@ detection: - 'mfewc' - 'MMS' - 'mozyprobackup' + - 'MSComplianceAudit' + - 'MSDTC' - 'MsDtsServer' - 'MSExchange' - 'msftesq1SPROO' - 'msftesql$PROD' + - 'msftesql$SQLEXPRESS' - 'MSOLAP$SQL_2008' - 'MSOLAP$SYSTEM_BGC' - 'MSOLAP$TPS' @@ -150,17 +165,30 @@ detection: - 'MSSQ0SHAREPOINT' - 'MSSQ0SOPHOS' - 'MSSQL' + - 'MSSQLFDLauncher$' - 'MySQL' - 'NanoServiceMain' - 'NetMsmqActivator' + - 'NetPipeActivator' + - 'netprofm' + - 'NetTcpActivator' + - 'NetTcpPortSharing' - 'ntrtscan' + - 'nvspwmi' - 'ofcservice' - 'Online Protection System' - 'OracleClientCache80' + - 'OracleDBConsole' + - 'OracleMTSRecoveryService' + - 'OracleOraDb11g_home1' + - 'OracleService' + - 'OracleVssWriter' + - 'osppsvc' - 'PandaAetherAgent' - 'PccNTUpd' - 'PDVFSService' - 'POP3Svc' + - 'postgresql-x64-9.4' - 'POVFSService' - 'PSUAService' - 'Quick Update Service' @@ -175,6 +203,7 @@ detection: - 'SAVService' - 'ScSecSvc' - 'SDRSVC' + - 'SearchExchangeTracing' - 'sense' - 'SentinelAgent' - 'SentinelHelperService' @@ -190,6 +219,7 @@ detection: - 'SQL Backups' - 'SQL Server' - 'SQLAgent' + - 'SQLANYs_Sage_FAS_Fixed_Assets' - 'SQLBrowser' - 'SQLsafe' - 'SQLSERVERAGENT' @@ -197,12 +227,14 @@ detection: - 'SQLWriter' - 'SSISTELEMETRY130' - 'SstpSvc' + - 'storflt' - 'svcGenericHost' - 'swc_service' - 'swi_filter' - 'swi_service' - 'swi_update' - 'Symantec' + - 'TeamViewer' - 'Telemetryserver' - 'ThreatLockerService' - 'TMBMServer' 
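Review bot: Some of the new `CommandLine|contains` values are short or generic substrings in a `level: high` rule: `'instance2'`, `'KeyIso'`, `'MSDTC'`, `'netprofm'` and `'NetTcpPortSharing'` here, and `'vds'`/`'vmic'` in the @@ -216 hunk below, name stock Windows services (or, for `vds`, a three-letter fragment that also sits inside other names) that installers and maintenance scripts stop routinely, so an ordinary `net stop MSDTC` now trips the rule. If these came from a specific intrusion write-up, a comment naming it next to the entries would justify the noise; otherwise consider moving the stock-service names to a lower-level sibling and anchoring the fragment, e.g. `- ' vds'` to match a `stop vds` argument. The service list continues beyond this hunk in both directions.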
@@ -216,13 +248,20 @@ detection: - 'TmProxy' - 'TMSmartRelayService' - 'tmusa' + - 'Tomcat' - 'Trend Micro Deep Security Manager' - 'TrueKey' + - 'UFNet' - 'UI0Detect' + - 'UniFi' - 'UTODetect' + - 'vds' - 'Veeam' - 'VeeamDeploySvc' - 'Veritas System Recovery' + - 'vmic' + - 'VMTools' + - 'vmvss' - 'VSApiNt' - 'VSS' - 'W3Svc' @@ -231,10 +270,13 @@ detection: - 'WeanClOudSve' - 'Weems JY' - 'WinDefend' + - 'wmms' - 'wozyprobackup' + - 'WPFFontCache_v0400' - 'WRSVC' + - 'wsbexchange' - 'Zoolz 2 Service' - condition: selection_services and (all of selection_net_* or all of selection_pwsh_* or all of selection_sc_*) + condition: all of selection_* falsepositives: - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry level: high From 5550ccd280217d9f49190cb8c3815436c2497e0f Mon Sep 17 00:00:00 2001 From: secDre4mer <61268450+secDre4mer@users.noreply.github.com> Date: Tue, 27 Aug 2024 13:36:15 +0200 Subject: [PATCH 037/144] Merge PR #4985 from @secDre4mer - Update `Potential Active Directory Reconnaissance/Enumeration Via LDAP` update: Potential Active Directory Reconnaissance/Enumeration Via LDAP - add enumeration of distinguished names --- rules/windows/builtin/ldap/win_ldap_recon.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml index a9687d3bdfd..2012a0cf2cf 100644 --- a/rules/windows/builtin/ldap/win_ldap_recon.yml +++ b/rules/windows/builtin/ldap/win_ldap_recon.yml 
@@ -8,9 +8,10 @@ references: - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427 + - https://ipurple.team/2024/07/15/sharphound-detection/ author: Adeem Mawani date: 2021-06-22 -modified: 2023-11-03 +modified: 2024-08-27 tags: - attack.discovery - attack.t1069.002 @@ -55,6 +56,14 @@ detection: - 'Domain Admins' - 'objectGUID=\*' - '(schemaIDGUID=\*)' + - 'admincount=1' + distinguished_name_enumeration: + EventID: 30 + SearchFilter: '(objectclass=\*)' + DistinguishedName|contains: + - 'CN=Domain Admins' + - 'CN=Enterprise Admins' + - 'CN=Group Policy Creator Owners' suspicious_flag: EventID: 30 SearchFilter|contains: @@ -78,5 +87,5 @@ detection: SearchFilter|contains: - '(domainSid=*)' - '(objectSid=*)' - condition: (generic_search and not narrow_down_filter) or suspicious_flag + condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration level: medium From 4cd51a3dd58540656f5ab415ceef6e336aed23c4 Mon Sep 17 00:00:00 2001 
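Review bot: `distinguished_name_enumeration` is ORed into the condition without the `narrow_down_filter` exclusion that guards `generic_search`, and a base-object `(objectclass=*)` read of the Domain Admins / Enterprise Admins / Group Policy Creator Owners objects is also what AD admin consoles issue when an administrator opens the group's property page, so this branch will fire on routine administration. If that noise is acceptable at `level: medium`, say so above the selection, e.g. `# Also fires when the group object is opened in ADUC/ADAC; tune on the querying process or host if noisy`; otherwise reuse the existing exclusion: `condition: ((generic_search or distinguished_name_enumeration) and not narrow_down_filter) or suspicious_flag`. `narrow_down_filter` itself is outside the hunk, so whether its terms are meaningful for a base search is inferred, not checked.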
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 29 Aug 2024 14:43:32 +0200 Subject: [PATCH 038/144] Merge PR #4937 from @nasbench - Multiple updates and fixes fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Exclude additional edge cases fix: Relevant Anti-Virus Signature Keywords In Application Log - Exclude common keywords found in legitimate programs fix: Suspicious Child Process Of Wermgr.EXE - Add new exclusions fix: Uncommon Sigverif.EXE Child Process - Exclude werfault.exe fix: Wusa.EXE Executed By Parent Process Located In Suspicious Location - Exclude ".msu" files fix: Xwizard.EXE Execution From Non-Default Location - Exclude "WinSxS" update: Cab File Extraction Via Wusa.EXE - Move to TH folder update: COM Object Execution via Xwizard.EXE - Update logic update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage --- .../proc_creation_win_extexport_execution.yml | 32 ++++++++++++++++++ ..._microsoft_workflow_compiler_execution.yml | 7 ++-- ...on_win_wsl_arbitrary_command_execution.yml | 4 ++- ...creation_win_wusa_cab_files_extraction.yml | 10 ++++-- .../Other/win_av_relevant_match.yml | 4 ++- .../image_load_side_load_coregen.yml | 10 +++--- ...creation_win_acccheckconsole_execution.yml | 33 +++++++++++++++++++ ..._win_dxcap_arbitrary_binary_execution.yml} | 5 +-- .../proc_creation_win_lolbin_extexport.yml | 24 -------------- ...eation_win_lolbin_susp_acccheckconsole.yml | 27 --------------- ...eation_win_rdrleakdiag_process_dumping.yml | 24 ++++++-------- ...n_win_sigverif_uncommon_child_process.yml} | 12 +++++-- ...proc_creation_win_ssh_proxy_execution.yml} | 6 ++-- ...n_susp_bad_opsec_sacrificial_processes.yml | 22 
++++++------- ...eation_win_susp_eventlog_content_recon.yml | 19 ++++++----- ...creation_win_wermgr_susp_child_process.yml | 7 ++-- ...ion_win_wsl_windows_binaries_execution.yml | 4 ++- ...a_cab_files_extraction_from_susp_paths.yml | 8 +++-- ...reation_win_wusa_susp_parent_execution.yml | 8 ++++- ...xwizard_execution_non_default_location.yml | 3 +- ..._win_xwizard_runwizard_com_object_exec.yml | 9 ++--- 21 files changed, 160 insertions(+), 118 deletions(-) create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml rename rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml => rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml (84%) rename rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml => rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml (91%) rename {rules => rules-threat-hunting}/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml (67%) create mode 100644 rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_susp_dxcap.yml => proc_creation_win_dxcap_arbitrary_binary_execution.yml} (72%) delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_sigverif.yml => proc_creation_win_sigverif_uncommon_child_process.yml} (53%) rename rules/windows/process_creation/{proc_creation_win_lolbin_ssh.yml => proc_creation_win_ssh_proxy_execution.yml} (91%) 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml new file mode 100644 index 00000000000..836431d29cd --- /dev/null +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml 
@@ -0,0 +1,32 @@
+title: Potential DLL Sideloading Activity Via ExtExport.EXE
+id: fb0b815b-f5f6-4f50-970f-ffe21f253f7a
+status: test
+description: |
+ Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
+ It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
+ Arbitrary DLLs can also be loaded if a specific number of flags was provided.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Extexport/
+ - https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
+ - https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/
+ - https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/
+ - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
+ - https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021-11-26
+modified: 2024-08-26
+tags:
+ - attack.defense-evasion
+ - attack.t1218
+ - detection.threat-hunting
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\Extexport.exe'
+ - OriginalFileName: 'extexport.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
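Review bot: The new description has a missing space after the first sentence: `"Extexport.exe".A utility` should read `"Extexport.exe". A utility`. The selection fires on every launch of the binary and cannot itself observe the DLL load the description explains, which is fine for a threat-hunting rule, but a comment above `selection:` such as `# Any execution; the sideload itself is only observable in image_load telemetry` would stop readers from expecting the rule to confirm the DLL load.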
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml similarity index 84% rename from rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml index e84763bbccd..2df26f9bbb0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml @@ -1,7 +1,8 @@ title: Microsoft Workflow Compiler Execution id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d status: test -description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. +description: | + Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. references: - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md @@ -14,6 +15,7 @@ tags: - attack.execution - attack.t1127 - attack.t1218 + - detection.threat-hunting logsource: category: process_creation product: windows @@ -22,9 +24,6 @@ detection: - Image|endswith: '\Microsoft.Workflow.Compiler.exe' - OriginalFileName: 'Microsoft.Workflow.Compiler.exe' condition: selection -fields: - - CommandLine - - ParentCommandLine falsepositives: - Legitimate MWC use (unlikely in modern enterprise environments) level: medium 
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml similarity index 91% rename from rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml index 304e23b3c20..279c5e1484e 100644 --- a/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml @@ -4,7 +4,8 @@ related: - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules type: similar status: test -description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands +description: | + Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ - https://twitter.com/nas_bench/status/1535431474429808642 @@ -16,6 +17,7 @@ tags: - attack.defense-evasion - attack.t1218 - attack.t1202 + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml similarity index 67% rename from rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml index a1db4fe0ecb..74ec6f375b6 100644 --- a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml 
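Review bot: `Living of the Land binary` in the new description should be `Living off the Land binary` (the LOLBin expansion used elsewhere in the repository). The move and the added `detection.threat-hunting` tag are otherwise consistent with the sibling rules in this PR.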
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml @@ -1,13 +1,19 @@ -title: Wusa Extracting Cab Files +title: Cab File Extraction Via Wusa.EXE id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9 +related: + - id: c74c0390-3e20-41fd-a69a-128f0275a5ea + type: derived status: test -description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument which is not longer supported. This could indicate an attacker using an old technique +description: | + Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported. references: - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-04 +modified: 2024-08-15 tags: - attack.execution + - detection.threat-hunting logsource: category: process_creation product: windows diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml index ec8c6bb71f5..6fe2530d1b1 100644 --- a/rules/windows/builtin/application/Other/win_av_relevant_match.yml +++ b/rules/windows/builtin/application/Other/win_av_relevant_match.yml @@ -10,7 +10,7 @@ references: - https://www.nextron-systems.com/?s=antivirus author: Florian Roth (Nextron Systems), Arnim Rupp date: 2017-02-19 -modified: 2024-07-17 +modified: 2024-08-29 tags: - attack.resource-development - attack.t1588 @@ -94,8 +94,10 @@ detection: # - 'Ryuk' filter_optional_generic: - 'anti_ransomware_service.exe' + - 'Anti-Ransomware' - 'Crack' - 'cyber-protect-service.exe' + - 'encryptor' - 'Keygen' filter_optional_information: Level: 4 # Information level 
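Review bot: `'encryptor'` is too generic for a filter in an anti-virus match rule: the word is a common component of ransomware signature names (a constructed example would be `Ransom.Win32.Encryptor`), so the exclusion can suppress exactly the events this rule exists to surface, whereas `'Anti-Ransomware'` is clearly a product-name exclusion. If a particular legitimate product triggered the false positives, exclude its full product or signature name and say which in a comment, e.g. `- 'encryptor'  # TODO: replace with the full name of the product that produced the false positive`. The selection this filter applies to and the rule's condition are outside the hunk.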
diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml index dca2161600f..55fdb35e29f 100644 --- a/rules/windows/image_load/image_load_side_load_coregen.yml +++ b/rules/windows/image_load/image_load_side_load_coregen.yml @@ -1,7 +1,7 @@ title: Potential DLL Sideloading Using Coregen.exe id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171 status: test -description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. +description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/ author: frack113 @@ -16,13 +16,13 @@ logsource: detection: selection: Image|endswith: '\coregen.exe' - filter: + filter_main_legit_paths: ImageLoaded|startswith: + - 'C:\Program Files (x86)\Microsoft Silverlight\' + - 'C:\Program Files\Microsoft Silverlight\' - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - - 'C:\Program Files\Microsoft Silverlight\' - - 'C:\Program Files (x86)\Microsoft Silverlight\' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml b/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml new file mode 100644 index 00000000000..94019b6ce65 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml 
@@ -0,0 +1,33 @@ +title: Potential DLL Injection Via AccCheckConsole +id: 0f6da907-5854-4be6-859a-e9958747b0aa +status: test +description: | + Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. + One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. + The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility. +references: + - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 + - https://twitter.com/bohops/status/1477717351017680899?s=12 + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/ +author: Florian Roth (Nextron Systems) +date: 2022-01-06 +modified: 2024-08-29 +tags: + - attack.execution + - detection.threat-hunting +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\AccCheckConsole.exe' + - OriginalFileName: 'AccCheckConsole.exe' + selection_cli: + CommandLine|contains: + - ' -hwnd' + - ' -process ' + - ' -window ' + condition: all of selection_* +falsepositives: + - Legitimate use of the UI Accessibility Checker +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml b/rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml similarity index 72% rename from rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml rename to rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml index 786cc9065ea..642e589d194 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml +++ b/rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml 
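Review bot: The rule carries the `detection.threat-hunting` tag but is added under `rules/windows/process_creation/`, whereas the other threat-hunting-tagged rule touched in this commit lives under `rules-threat-hunting/`; one of the two should change so the tag and the directory agree. Separately, the title and description are about a user-supplied DLL being loaded, yet `selection_cli` only matches the target-selection switches `' -hwnd'`, `' -process '` and `' -window '`, so any ordinary run that points the checker at a window will match. If the DLL angle is the point, a third selection such as `selection_dll: CommandLine|contains: '.dll'` with `condition: all of selection_*` brings the hits back in line with the title; otherwise retitle it to something like `AccCheckConsole Execution With Target Selection`.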
@@ -1,7 +1,8 @@ -title: Application Whitelisting Bypass via Dxcap.exe +title: New Capture Session Launched Via DXCap.EXE id: 60f16a96-db70-42eb-8f76-16763e333590 status: test -description: Detects execution of of Dxcap.exe +description: | + Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/ - https://twitter.com/harr0ey/status/992008180904419328 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml deleted file mode 100644 index 5b42115a3d1..00000000000 --- a/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Suspicious Extexport Execution -id: fb0b815b-f5f6-4f50-970f-ffe21f253f7a -status: test -description: Extexport.exe loads dll and is execute from other folder the original path -references: - - https://lolbas-project.github.io/lolbas/Binaries/Extexport/ -author: frack113 -date: 2021-11-26 -modified: 2022-05-16 -tags: - - attack.defense-evasion - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - selection: - - CommandLine|contains: Extexport.exe - - Image|endswith: '\Extexport.exe' - - OriginalFileName: 'extexport.exe' - condition: selection -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml deleted file mode 100644 index 6f1aad9655a..00000000000 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: Suspicious LOLBIN AccCheckConsole -id: 0f6da907-5854-4be6-859a-e9958747b0aa -status: test -description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL -references: - - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 - - https://twitter.com/bohops/status/1477717351017680899?s=12 - - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/ -author: Florian Roth (Nextron Systems) -date: 2022-01-06 -tags: - - attack.execution -logsource: - category: process_creation - product: windows -detection: - selection_img: - - Image|endswith: '\AccCheckConsole.exe' - - OriginalFileName: 'AccCheckConsole.exe' - selection_cli: - CommandLine|contains|all: - - ' -window ' - - '.dll' - condition: all of selection* -falsepositives: - - Legitimate use of the UI Accessibility Checker -level: high diff --git a/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml b/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml index 2a0e1ff9108..7a4314c80c4 100644 --- a/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml +++ b/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml @@ -10,9 +10,10 @@ references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/ - https://twitter.com/0gtweet/status/1299071304805560321?s=21 + - https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) date: 2021-09-24 -modified: 2023-04-24 +modified: 2024-08-15 tags: - attack.credential-access - attack.t1003.001 
@@ -24,19 +25,14 @@ detection: - Image|endswith: '\rdrleakdiag.exe' - OriginalFileName: RdrLeakDiag.exe selection_cli_dump: - CommandLine|contains: - - 'fullmemdmp' + CommandLine|contains|windash: - '/memdmp' - - '-memdmp' - selection_cli_output: - CommandLine|contains: - - ' -o ' - - ' /o ' - selection_cli_process: - CommandLine|contains: - - ' -p ' - - ' /p ' - condition: all of selection_cli_* or (selection_img and selection_cli_dump) + - 'fullmemdmp' + selection_cli_output_process: + CommandLine|contains|windash: + - ' /o ' # Output + - ' /p ' # Process + condition: all of selection_* falsepositives: - - Unknown + - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml b/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml similarity index 53% rename from rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml rename to rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml index ba2fcdbed99..95a0e581c75 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml +++ b/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml @@ -1,12 +1,14 @@ -title: Suspicious Sigverif Execution +title: Uncommon Sigverif.EXE Child Process id: 7d4aaec2-08ed-4430-8b96-28420e030e04 status: test -description: Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution +description: | + Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution. references: - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ - https://twitter.com/0gtweet/status/1457676633809330184 author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-19 +modified: 2024-08-27 tags: - attack.defense-evasion - attack.t1216 
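Review bot: The new `condition: all of selection_*` makes `selection_img` mandatory and silently drops the old branch that matched on the command line alone (`all of selection_cli_*`), so on a source that does not carry `OriginalFileName`, such as Security 4688, a renamed `rdrleakdiag.exe` invoked with `/p <pid> /o <dir> /fullmemdmp` no longer fires. If that narrowing is what justifies `falsepositives: Unlikely`, say so in a comment; otherwise keep the command-line-only path with `condition: all of selection_cli_* or (selection_img and selection_cli_dump)`, which preserves the previous coverage under the new selection names. The `windash` modifier is a good simplification, but note it only expands the slash variants, so `'fullmemdmp'` is unaffected by it, which is fine here.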
@@ -16,7 +18,11 @@ logsource: detection: selection: ParentImage|endswith: '\sigverif.exe' - condition: selection + filter_main_werfault: + Image: + - 'C:\Windows\System32\WerFault.exe' + - 'C:\Windows\SysWOW64\WerFault.exe' + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml b/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml similarity index 91% rename from rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml rename to rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml index 99ab0eff600..521b89ba058 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml +++ b/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml @@ -1,7 +1,7 @@ -title: Lolbin Ssh.exe Use As Proxy +title: Program Executed Using Proxy/Local Command Via SSH.EXE id: 7d6d30b8-5b91-4b90-a891-46cccaf29598 status: test -description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs +description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs. references: - https://lolbas-project.github.io/lolbas/Binaries/Ssh/ - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files @@ -13,7 +13,7 @@ date: 2022-12-29 modified: 2023-01-25 tags: - attack.defense-evasion - - attack.t1202 + - attack.t1218 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 6c414fefcdd..e9c8f37dc88 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml 
@@ -18,7 +18,7 @@ references: - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020-10-23 -modified: 2023-12-02 +modified: 2024-08-15 tags: - attack.defense-evasion - attack.t1218.011 @@ -41,20 +41,20 @@ detection: selection_regsvr32: Image|endswith: '\regsvr32.exe' CommandLine|endswith: 'regsvr32.exe' - filter_main_edge_update: - ParentImage|contains|all: - - ':\Users\' - - '\AppData\Local\Microsoft\EdgeUpdate\Install\{' - filter_optional_chrome_installer: - # As reported in https://github.com/SigmaHQ/sigma/issues/4570 - ParentImage|contains|all: - - ':\Users\' + filter_optional_edge_update: + ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: 'rundll32.exe' + filter_optional_chromium_installer: + # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others + ParentImage|contains: + - '\AppData\Local\BraveSoftware\Brave-Browser\Application\' - '\AppData\Local\Google\Chrome\Application\' ParentImage|endswith: '\Installer\setup.exe' - ParentCommandLine|contains: '--uninstall --channel=stable' + ParentCommandLine|contains: '--uninstall ' Image|endswith: '\rundll32.exe' CommandLine|endswith: 'rundll32.exe' - condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_* + condition: 1 of selection_* and not 1 of filter_optional_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml index 1fe8c0efe8f..6708b98d40c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml 
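Review bot: Both exclusions are keyed on a `ParentImage` substring that the actor controls (`'\AppData\Local\Microsoft\EdgeUpdate\Install\{'` and the Chrome/Brave `\Application\` paths) combined with a bare `rundll32.exe` command line, which is exactly the sacrificial-process shape this high-level rule exists to catch; dropping the `':\Users\'` token and widening `'--uninstall --channel=stable'` to `'--uninstall '` make that path easier to mimic from a writable location such as a public profile. The Chromium filter at least pins `ParentImage|endswith: '\Installer\setup.exe'`, but the Edge filter has no binary-name anchor at all, so consider adding `ParentImage|endswith` with the installer executable you observed (not visible here) and a comment such as `# Note: Path-based exclusion, attacker-controllable. Tighten with the installer binary name and review against your baseline.`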
@@ -19,7 +19,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) date: 2022-09-09 -modified: 2024-07-12 +modified: 2024-08-15 tags: - attack.credential-access - attack.discovery @@ -64,21 +64,24 @@ detection: # Note: We use the "?" to account for both a single and a double quote # Note: Please add additional interesting event IDs # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers. - # This covers EID 4624 from Security Log - - '-InstanceId 4624' - - 'System[EventID=4624]' - - 'EventCode=?4624?' - - "EventIdentifier=?4624?" + # This covers EID 4624 and 4628 from Security Log + - '-InstanceId 462?' + - '.eventid -eq 462?' + - 'EventCode=?462?' + - 'EventIdentifier=?462?' + - 'System[EventID=462?]' # This covers EID 4778 from Security Log - '-InstanceId 4778' + - '.eventid -eq 4778' - 'System[EventID=4778]' - 'EventCode=?4778?' - - "EventIdentifier=?4778?" + - 'EventIdentifier=?4778?' # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log - '-InstanceId 25' + - '.eventid -eq 25' - 'System[EventID=25]' - 'EventCode=?25?' - - "EventIdentifier=?25?" + - 'EventIdentifier=?25?' condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet) falsepositives: - Legitimate usage of the utility by administrators to query the event log diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml index 182b17941b3..3cd5f4b787e 100644 --- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml 
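Review bot: The `?` in `'-InstanceId 462?'`, `'.eventid -eq 462?'`, `'EventCode=?462?'`, `'EventIdentifier=?462?'` and `'System[EventID=462?]'` is a single-character wildcard, so these now match every ID from 4620 through 4629 rather than only the 4624 and 4628 named in the comment; 4625 (failed logon) in particular is something administrators query routinely during lockout triage, so expect more noise than the current falsepositives entry implies. If only those two IDs are wanted, list them explicitly (`'-InstanceId 4624'`, `'-InstanceId 4628'`, and likewise for the other forms); if the whole range is intended, change the comment to `# This covers EID 462x from Security Log` and reconsider the level. Note also that in `'EventCode=?462?'` the trailing `?` now consumes the fourth digit instead of the closing quote, which works but differs from the 4778 and 25 patterns where the trailing `?` still stands for the quote.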
@@ -11,7 +11,7 @@ references: - https://github.com/binderlabs/DirCreate2System author: Florian Roth (Nextron Systems) date: 2022-10-14 -modified: 2024-06-20 +modified: 2024-08-29 tags: - attack.defense-evasion - attack.privilege-escalation @@ -44,7 +44,10 @@ detection: Image|endswith: '\rundll32.exe' CommandLine|contains|all: - 'C:\Windows\system32\WerConCpl.dll' - - 'LaunchErcApp -queuereporting' + - 'LaunchErcApp ' + CommandLine|contains: + - '-queuereporting' + - '-responsepester' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml index 1773330abf6..7d8cdfdc49e 100644 --- a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml @@ -1,7 +1,9 @@ title: Windows Binary Executed From WSL id: ed825c86-c009-4014-b413-b76003e33d35 status: test -description: Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships +description: | + Detects the execution of Windows binaries from within a WSL instance. + This could be used to masquerade parent-child relationships references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml index 5e0fb0bd75c..c91cbb94188 100644 --- a/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml 
@@ -1,7 +1,11 @@ -title: Wusa.EXE Extracting Cab Files From Suspicious Paths +title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths id: c74c0390-3e20-41fd-a69a-128f0275a5ea +related: + - id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9 + type: derived status: test -description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument from suspicious paths +description: | + Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths. references: - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html - https://www.echotrail.io/insights/search/wusa.exe/ diff --git a/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml b/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml index 73fc7c9d67a..59b15ab0579 100644 --- a/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml @@ -3,10 +3,12 @@ id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99 status: experimental description: | Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. + Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges. references: - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document author: X__Junior (Nextron Systems) date: 2023-11-26 +modified: 2024-08-15 tags: - attack.execution logsource: 
@@ -17,6 +19,7 @@ detection: Image|endswith: '\wusa.exe' selection_paths_1: ParentImage|contains: + # Note: Add additional suspicious locations to increase coverage - ':\Perflogs\' - ':\Users\Public\' - ':\Windows\Temp\' @@ -35,7 +38,10 @@ detection: - ParentImage|contains|all: - ':\Users\' - '\Pictures\' - condition: selection_img and 1 of selection_paths_* + filter_main_msu: + # Note: We exclude MSU extension files. A better approach is to baseline installation of updates in your env to avoid false negatives. + CommandLine|contains: '.msu' + condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml index 808d8e8ae64..54e87b24011 100644 --- a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml +++ b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml @@ -9,7 +9,7 @@ references: - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ author: Christian Burkard (Nextron Systems) date: 2021-09-20 -modified: 2024-04-22 +modified: 2024-08-15 tags: - attack.defense-evasion - attack.t1574.002 @@ -24,6 +24,7 @@ detection: Image|startswith: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' condition: selection and not 1 of filter_main_* falsepositives: - Windows installed on non-C drive diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml b/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml index 6297fac2214..14f4630b24e 100644 --- a/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml 
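Review bot: `filter_main_msu` is decided entirely by the attacker-controlled command line: any invocation that places `.msu` anywhere in the arguments, including a non-existent path or a bogus trailing token, now suppresses a high-level rule whose own description says the target is `wusa.exe` abused from a suspicious parent for UAC bypass. Because legitimate runs pass flags after the package (`update.msu /quiet /norestart`), an `endswith` form would not fix this, so the honest options are to keep it but name it `filter_optional_msu` with `condition: selection_img and 1 of selection_paths_* and not 1 of filter_optional_*` so consumers who want full coverage can drop it, and to extend the comment with `# Note: This exclusion is trivially satisfied by an attacker who appends a bogus .msu argument.`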
@@ -10,7 +10,7 @@ references: - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) date: 2020-10-07 -modified: 2024-04-22 +modified: 2024-08-15 tags: - attack.defense-evasion - attack.t1218 @@ -18,13 +18,10 @@ logsource: category: process_creation product: windows detection: - selection_img: - - Image|endswith: '\xwizard.exe' - - OriginalFileName: 'xwizard.exe' - selection_cli: + selection: CommandLine: 'RunWizard' CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}' - condition: all of selection_* or (selection_cli and not selection_img) + condition: selection falsepositives: - Unknown level: medium From 2851ef5d16a988934baeb59ad2f047ee37dc811d Mon Sep 17 00:00:00 2001 
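Review bot: After the simplification `selection` is the only clause, and its first key is rendered here as `CommandLine: 'RunWizard'` with no `contains` modifier; in Sigma an unmodified value is a full-string match, which can never hold at the same time as the `CommandLine|re` GUID requirement, so as shown the rule would never fire. Removing `selection_img` is sound because the old condition `all of selection_* or (selection_cli and not selection_img)` already reduced to `selection_cli`, but this is the moment to confirm the modifier and make it `CommandLine|contains: 'RunWizard'`. If the collapsed rendering of this diff dropped the modifier and the file already has it, disregard.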
From: Kostas Date: Thu, 29 Aug 2024 10:21:47 -0700 Subject: [PATCH 039/144] Merge PR #4961 from @tsale - Add multiples rules and updates fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion fix: Sdiagnhost Calling Suspicious Child Process - Add new filters new: Antivirus Filter Driver Disallowed On Dev Drive - Registry new: ChromeLoader Malware Execution new: Emotet Loader Execution Via .LNK File new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC new: FakeUpdates/SocGholish Activity new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell new: HackTool - SharpWSUS/WSUSpendu Execution new: HackTool - SOAPHound Execution new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine new: Injected Browser Process Spawning Rundll32 - GuLoader Activity new: Kerberoasting Activity - Initial Query new: Manual Execution of Script Inside of a Compressed File new: Obfuscated PowerShell OneLiner Execution new: OneNote.EXE Execution of Malicious Embedded Scripts new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE new: Python Function Execution Security Warning Disabled In Excel new: Python Function Execution Security Warning Disabled In Excel - Registry new: Raspberry Robin Initial Execution From External Drive new: Raspberry Robin Subsequent Execution of Commands new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions new: Remote Access Tool - Ammy Admin Agent 
Execution new: Remote Access Tool - Cmd.EXE Execution via AnyViewer new: Serpent Backdoor Payload Execution Via Scheduled Task new: Uncommon Connection to Active Directory Web Services new: Ursnif Redirection Of Discovery Commands update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...ion_win_exploit_cve_2020_1472_zero_poc.yml | 38 + ...it_cve_2021_44228_vmware_horizon_log4j.yml | 30 + ...ve_2022_22954_vmware_workspace_one_rce.yml | 33 + ...eation_win_exploit_cve_2022_29072_7zip.yml | 34 +- ...on_win_malware_chrome_loader_execution.yml | 31 + ...on_win_malware_emotet_loader_execution.yml | 38 + ..._win_malware_raspberry_robin_execution.yml | 40 + ...re_raspberry_robin_external_drive_exec.yml | 40 + ...are_serpent_backdoor_payload_execution.yml | 36 + ...alware_socgholish_fakeupdates_activity.yml | 40 + ...exploit_cve_2023_34362_moveit_transfer.yml | 4 +- ..._moveit_transfer_exploitation_activity.yml | 33 + ...reation_win_malware_guloader_execution.yml | 29 + ...ion_win_malware_ursnif_cmd_redirection.yml | 27 + ..._action1_code_exec_and_remote_sessions.yml | 49 + ...ote_access_tools_ammyy_admin_execution.yml | 23 + ...mote_access_tools_anyviewer_shell_exec.yml | 25 + ...usp_script_exec_from_compressed_parent.yml | 57 + ..._susp_privesc_kerberos_relay_over_ldap.yml | 6 +- .../win_security_kerberoasting_activity.yml | 32 + ...connection_win_adws_unusual_connection.yml | 34 + ...lorer_folder_shortcut_via_shell_binary.yml | 28 + ...win_hktl_sharpwsus_wsuspendu_execution.yml | 43 + ..._creation_win_hktl_soaphound_execution.yml | 33 + ...fice_onenote_embedded_script_execution.yml | 33 + ...win_powershell_amsi_init_failed_bypass.yml | 19 +- ..._powershell_download_cradle_obfuscated.yml | 29 + ...n_win_reg_lsa_disable_restricted_admin.yml | 1 + ...ffice_disable_python_security_warnings.yml | 30 + ...in_registry_special_accounts_hide_user.yml | 33 + 
...roc_creation_win_sdiagnhost_susp_child.yml | 15 +- ...creation_win_susp_emoji_usage_in_cli_1.yml | 997 ++++++++++++++++ ...creation_win_susp_emoji_usage_in_cli_2.yml | 1014 ++++++++++++++++ ...creation_win_susp_emoji_usage_in_cli_3.yml | 1020 +++++++++++++++++ ...creation_win_susp_emoji_usage_in_cli_4.yml | 765 +++++++++++++ ...y_set_devdrv_disallow_antivirus_filter.yml | 24 + ...egistry_set_lsa_disablerestrictedadmin.yml | 4 +- ...ffice_disable_python_security_warnings.yml | 28 + .../registry_set_special_accounts.yml | 2 + tests/sigma_cli_conf.yml | 3 + 40 files changed, 4769 insertions(+), 31 deletions(-) create mode 100644 rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml create mode 100644 rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml create mode 100644 rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml create mode 100644 rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml create mode 100644 rules-emerging-threats/2022/Malware/Emotet/proc_creation_win_malware_emotet_loader_execution.yml create mode 100644 rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml create mode 100644 rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml create mode 100644 rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml create mode 100644 rules-emerging-threats/2022/Malware/SocGholish/proc_creation_win_malware_socgholish_fakeupdates_activity.yml create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml create mode 100644 
rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml create mode 100644 rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_susp_script_exec_from_compressed_parent.yml create mode 100644 rules/windows/builtin/security/win_security_kerberoasting_activity.yml create mode 100644 rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml create mode 100644 rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml create mode 100644 rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml create mode 100644 rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml create mode 100644 rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml create mode 100644 rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml create mode 100644 rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml create 
mode 100644 rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml create mode 100644 rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml create mode 100644 rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml new file mode 100644 index 00000000000..ae9ff1a4edf --- /dev/null +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml @@ -0,0 +1,38 @@ +title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC +id: dcc6a01e-9471-44a0-a699-71ea96f8ed8b +status: experimental +description: Detects the execution of the commonly used ZeroLogon PoC executable. +references: + - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ + - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ +author: '@Kostastsale, @TheDFIRReport' +date: 2022-02-12 +tags: + - attack.execution + - attack.lateral-movement + - attack.t1210 + - cve.2020-1472 + - detection.emerging-threats +logsource: + product: windows + category: process_creation +detection: + selection_main: + ParentImage|endswith: '\cmd.exe' + Image|endswith: + - '\cool.exe' + - '\zero.exe' + CommandLine|contains|all: + - 'Administrator' + - '-c' + selection_payloads_1: + CommandLine|contains|all: + - 'taskkill' + - '/f' + - '/im' + selection_payloads_2: + CommandLine|contains: 'powershell' + condition: selection_main and 1 of selection_payloads_* +falsepositives: + - Unknown +level: high 
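Review bot: The detection hinges on the PoC being named `cool.exe` or `zero.exe` under a `cmd.exe` parent, which is a file-name indicator from two write-ups rather than a behaviour, so a renamed build evades it; that is acceptable for an emerging-threats rule, but the description should state it, e.g. `Detects execution of the ZeroLogon PoC by the file names (cool.exe, zero.exe) observed in the referenced DFIR reports; renamed copies will not match.` Separately, `'-c'` inside `CommandLine|contains|all` is a two-character token that also appears in `-command`, `-c:` and many unrelated switches; the image constraint keeps false positives low, but `' -c '` with surrounding spaces would be tighter if the PoC syntax allows it.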
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml new file mode 100644 index 00000000000..489254786ee --- /dev/null +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml @@ -0,0 +1,30 @@ +title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon +id: 3eb91f0a-0060-424a-a676-59f5fdd75610 +status: experimental +description: | + Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j. +references: + - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability + - https://twitter.com/TheDFIRReport/status/1482078434327244805 + - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ +author: '@kostastsale' +date: 2022-01-14 +tags: + - attack.initial-access + - attack.t1190 + - cve.2021-44228 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\ws_TomcatService.exe' + filter_main_shells: + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml new file mode 100644 index 00000000000..07d61ccd766 --- /dev/null +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml 
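Review bot: `filter_main_shells` removes `cmd.exe` and `powershell.exe` children of `ws_TomcatService.exe`, yet a Java web service spawning a shell is typically the very shape an initial exploitation attempt takes, so with `condition: selection and not 1 of filter_main_*` the rule alerts on every other child of the Tomcat service and stays silent on the shells. If that is deliberate because shells are covered by another rule, the description should say this rule is for the uncommon remainder and `falsepositives: Unlikely` deserves a second look, since a service host launching helper binaries is not rare; if the intent is to catch the shells, the clause should be a selection instead, e.g. `selection_child: Image|endswith: - '\cmd.exe' - '\powershell.exe' - '\pwsh.exe'` with `condition: all of selection_*`. Either way, `pwsh.exe` is currently absent.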
@@ -0,0 +1,33 @@ +title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution +id: 5660d8db-6e25-411f-b92f-094420168a5d +status: experimental +description: | + Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. + As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application. +references: + - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor + - https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +author: '@kostastsale' +date: 2022-04-25 +tags: + - attack.execution + - attack.initial-access + - attack.t1059.006 + - attack.t1190 + - cve.2022-22954 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: '\prunsrv.exe' + selection_payload_pwsh: + Image|endswith: '\powershell.exe' + selection_payload_cmd: + Image|endswith: '\cmd.exe' + CommandLine|contains: '/c powershell' + condition: selection_parent and 1 of selection_payload_* +falsepositives: + - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process. +level: medium diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml index dc5bd970f8f..678f9305c2d 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml 
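Review bot: `selection_payload_cmd` requires the literal `'/c powershell'`, so a command line such as `cmd.exe /c "powershell -enc ..."` (quoted, or using a full path to powershell.exe) does not match, and `selection_payload_pwsh` names only `powershell.exe`, so `pwsh.exe` is missed as well. Since the `prunsrv.exe` parent is what makes this rule specific, the payload side can afford to be broader: use `CommandLine|contains: 'powershell'` for the cmd case and add `'\pwsh.exe'` to `selection_payload_pwsh`. The falsepositives note about admin scripts under cmd.exe then still holds and the level stays medium.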
@@ -8,9 +8,9 @@ description: | references: - https://github.com/kagancapar/CVE-2022-29072 - https://twitter.com/kagancapar/status/1515219358234161153 -author: frack113 +author: frack113, @kostastsale date: 2022-04-17 -modified: 2023-02-07 +modified: 2024-08-15 tags: - attack.execution - cve.2022-29072 @@ -19,19 +19,29 @@ logsource: product: windows category: process_creation detection: - selection_img: - - Image|endswith: '\cmd.exe' - - OriginalFileName: 'Cmd.Exe' selection_parent: ParentImage|endswith: '\7zFM.exe' - filter_bat: - CommandLine|contains: - - ' /c ' - - ' /k ' - - ' /r ' - filter_null: + selection_img: + - Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + - OriginalFileName: + - 'Cmd.Exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + filter_main_extensions_and_flags: + - CommandLine|contains: + - ' /c ' + - ' /k ' + - ' /r ' + - CommandLine|endswith: + - '.bat' + - '.cmd' + - '.ps1' + filter_main_null: CommandLine: null - condition: all of selection_* and not 1 of filter_* + condition: all of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml b/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml new file mode 100644 index 00000000000..ea7fe91ca12 --- /dev/null +++ b/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml 
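Review bot: The new `filter_main_extensions_and_flags` excludes every `cmd.exe`/`powershell.exe` child of `7zFM.exe` whose command line carries ` /c `, ` /k `, ` /r ` or ends in a script extension, so after this change the rule only catches a bare interactive shell (the PoC shape) while an attacker chaining the same primitive into `cmd /c <payload>` is silently dropped. If the filter exists to suppress users launching archived `.bat`/`.ps1` files from the file manager, keep the extension filters and drop the flag filter, or require that a flagged command line also end in one of the script extensions. The extension filters additionally miss quoted paths (a command line ending in `.ps1"`), so those legitimate launches still alert; add the `"`-suffixed variants such as `- '.ps1"'` alongside the bare ones.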
@@ -0,0 +1,31 @@ +title: ChromeLoader Malware Execution +id: 0a74c5a9-1b71-4475-9af2-7829d320d5c2 +status: experimental +description: Detects execution of ChromeLoader malware via a registered scheduled task +references: + - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER + - https://twitter.com/th3_protoCOL/status/1480621526764322817 + - https://twitter.com/Kostastsale/status/1480716528421011458 + - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +author: '@kostastsale' +date: 2022-01-10 +tags: + - attack.execution + - attack.persistence + - attack.t1053.005 + - attack.t1059.001 + - attack.t1176 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\powershell.exe' + ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB' + CommandLine|contains: '--load-extension="*\Appdata\local\chrome"' + Image|endswith: '\chrome.exe' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2022/Malware/Emotet/proc_creation_win_malware_emotet_loader_execution.yml b/rules-emerging-threats/2022/Malware/Emotet/proc_creation_win_malware_emotet_loader_execution.yml new file mode 100644 index 00000000000..0546cd286e5 --- /dev/null +++ b/rules-emerging-threats/2022/Malware/Emotet/proc_creation_win_malware_emotet_loader_execution.yml 
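Review bot: `ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'` pins the exact flag order and the `-E` spelling of `-EncodedCommand`, so a reordering or an `-enc`/`-ec` variant in a later ChromeLoader build evades the rule. Split it into independent tokens under `ParentCommandLine|contains|all:` — `'-ExecutionPolicy Bypass'`, `'-WindowStyle Hidden'` and `' JAB'` — which still matches the referenced sample but tolerates argument order and abbreviation. The `--load-extension="*\Appdata\local\chrome"` value relies on a mid-string wildcard inside `contains`, which not every backend translates identically; `CommandLine|contains|all` over `'--load-extension='` and `'\AppData\Local\chrome'` is more portable. `ParentImage` lists only `\powershell.exe`; adding `\pwsh.exe` would be consistent with the other rules in this PR.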
@@ -0,0 +1,38 @@ +title: Emotet Loader Execution Via .LNK File +id: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7 +status: experimental +description: | + Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022. + The ".lnk" file was delivered via phishing campaign. +references: + - https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 + - https://twitter.com/Cryptolaemus1/status/1517634855940632576 + - https://tria.ge/220422-1pw1pscfdl/ + - https://tria.ge/220422-1nnmyagdf2/ +author: '@kostastsale' +date: 2022-04-22 +modified: 2024-08-15 +tags: + - attack.execution + - attack.t1059.006 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: + - '\cmd.exe' + - '\explorer.exe' + - '\powershell.exe' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + CommandLine|contains|all: + - 'findstr' + - '.vbs' + - '.lnk' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml new file mode 100644 index 00000000000..1e63b4f2904 --- /dev/null +++ b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml 
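Review bot: The tag `attack.t1059.006` is the Python sub-technique, but the rule matches `cmd.exe`/`powershell.exe` running `findstr` to carve a `.vbs` out of a `.lnk`, so `attack.t1059.003` (Windows Command Shell) and `attack.t1059.005` (Visual Basic) describe it, with `attack.t1204.002` for the user-opened shortcut. The `contains|all` tokens `findstr`, `.vbs`, `.lnk` are also fairly generic — an admin script searching shortcut files for VBS references would match — so `falsepositives: Unlikely` deserves a sentence describing the redirection shape seen in the referenced samples, and a comment above the token list noting that the `.lnk` carries the VBS payload that `findstr` extracts would explain why those three strings co-occur.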
@@ -0,0 +1,40 @@ +title: Raspberry Robin Subsequent Execution of Commands +id: d52d2e87-eb03-4fac-961d-eb616da79788 +related: + - id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a + type: similar +status: experimental +description: Detects raspberry robin subsequent execution of commands. +references: + - https://redcanary.com/blog/raspberry-robin/ +author: '@kostastsale' +date: 2022-05-06 +tags: + - attack.execution + - attack.t1059.001 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\fodhelper.exe' + Image|endswith: + - '\rundll32.exe' + - '\regsvr32.exe' + CommandLine|contains|all: + - 'odbcconf.exe' + - 'regsvr' + - 'shellexec_rundll' + CommandLine|contains: + - 'installdriver' + - 'setfiledsndir' + - 'vkipdse' + CommandLine|endswith|windash: + - '/a' + - '/f' + - '/s' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml new file mode 100644 index 00000000000..dd9af0d0450 --- /dev/null +++ b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml 
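Review bot: The only technique tag is `attack.t1059.001` (PowerShell), yet nothing in the selection involves PowerShell — it matches `rundll32.exe`/`regsvr32.exe` spawned by `fodhelper.exe` with `odbcconf.exe` on the command line, which is `attack.t1548.002` (fodhelper UAC bypass) together with `attack.t1218.011`, `attack.t1218.010` and `attack.t1218.008`. The `CommandLine|contains` list `installdriver`/`setfiledsndir`/`vkipdse` is a set of sample-specific strings; a comment such as `# odbcconf actions observed in the Red Canary report; new variants will need new entries` would stop a maintainer from treating the rule as variant-agnostic. `CommandLine|endswith|windash` with `/a`, `/f`, `/s` is a nice touch, but note in the description that these are the odbcconf switches rather than rundll32 ones so the reader knows which binary's syntax is being matched.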
@@ -0,0 +1,40 @@ +title: Raspberry Robin Initial Execution From External Drive +id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a +related: + - id: d52d2e87-eb03-4fac-961d-eb616da79788 + type: similar +status: experimental +description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE". +references: + - https://redcanary.com/blog/raspberry-robin/ +author: '@kostastsale' +date: 2022-05-06 +tags: + - attack.execution + - attack.t1059.001 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: '\cmd.exe' + ParentCommandLine|contains: '/r' + ParentCommandLine|endswith: + - '.bin' + - '.ico' + - '.lnk' + - '.lo' + - '.sv' + - '.usb' + selection_child_img: + Image|endswith: '\msiexec.exe' + CommandLine|contains|windash: '/q' + selection_child_http: + CommandLine|contains: + - 'http:' + - 'https:' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml b/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml new file mode 100644 index 00000000000..d7c1e22fc30 --- /dev/null +++ b/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml 
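Review bot: Same tagging problem as the sibling rule: `attack.t1059.001` is PowerShell, but this rule matches `cmd.exe` (`attack.t1059.003`) launching `msiexec.exe` (`attack.t1218.007`) from removable media, so `attack.t1091` is the missing initial-access tag. `ParentCommandLine|contains: '/r'` is an unanchored two-character substring that also appears in URLs and `/run`-style arguments; matching it as `' /r '` or with `|windash` like the child selection keeps the `cmd /R` shape without the noise. Because `ParentCommandLine|endswith` lists bare extensions, a quoted target (`..."file.lnk"`) never matches; adding the `"`-suffixed forms closes that gap.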
@@ -0,0 +1,36 @@ +title: Serpent Backdoor Payload Execution Via Scheduled Task +id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639 +status: experimental +description: | + Detects post exploitation execution technique of the Serpent backdoor. + According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. + It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload. +references: + - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain +author: '@kostastsale' +date: 2022-03-21 +tags: + - attack.execution + - attack.persistence + - attack.t1053.005 + - attack.t1059.006 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + CommandLine|contains|all: + - '[System/EventID=' + - '/create' + - '/delete' + - '/ec' + - '/so' + - '/tn run' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2022/Malware/SocGholish/proc_creation_win_malware_socgholish_fakeupdates_activity.yml b/rules-emerging-threats/2022/Malware/SocGholish/proc_creation_win_malware_socgholish_fakeupdates_activity.yml new file mode 100644 index 00000000000..9422aaba947 --- /dev/null +++ b/rules-emerging-threats/2022/Malware/SocGholish/proc_creation_win_malware_socgholish_fakeupdates_activity.yml 
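Review bot: `'/tn run'` hard-codes the task name from the single Proofpoint sample into the `contains|all` clause, so an operator who renames the task defeats the rule even though the distinctive part — a `schtasks /create` with an event trigger (`/ec`, `/so`, `[System/EventID=`) followed by `/delete` on the same command line — is still present. Drop `'/tn run'` from the all-list, or move it into a separate selection that only raises the level, so the detection rests on the technique rather than the IOC. The `Image` list names `cmd.exe`/`powershell.exe` but not `schtasks.exe`; if the backdoor ever calls `schtasks` directly the trigger tokens live on the `schtasks.exe` command line and this rule would not see them, so adding `'\schtasks.exe'` is worth considering.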
@@ -0,0 +1,40 @@ +title: FakeUpdates/SocGholish Activity +id: 97805087-93ab-4203-b5cb-287cda6aecaa +status: experimental +description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell. +references: + - https://twitter.com/th3_protoCOL/status/1536788652889497600 + - https://twitter.com/1ZRR4H/status/1537501582727778304 +author: '@kostastsale' +date: 2022-06-16 +modified: 2024-08-23 +tags: + - attack.execution + - attack.t1059.001 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\wscript.exe' + ParentCommandLine|contains|all: + - '\AppData\Local\Temp' + - '.zip' + - 'update' + - '.js' + ParentCommandLine|contains: + - 'Chrome' + - 'Edge' + - 'Firefox' + - 'Opera' + - 'Brave' # Not seen in campaigns + - 'Vivaldi' # Not seen in campaigns + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml index 6836e626d87..9b08b8b6da8 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml @@ -1,4 +1,4 @@ -title: Potential MOVEit Transfer CVE-2023-34362 Exploitation +title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity id: c3b2a774-3152-4989-83c1-7afc48fd1599 status: test description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362. 
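Review bot: The technique tag `attack.t1059.001` (PowerShell) does not cover the rule's anchor, which is `wscript.exe` running a `.js` from `\AppData\Local\Temp` — `attack.t1059.007` (JavaScript) and `attack.t1204.002` belong here, with `attack.t1059.001`/`.003` describing the spawned children. The browser list mixes observed IOCs with speculative ones (`'Brave' # Not seen in campaigns`, `'Vivaldi' # Not seen in campaigns`) without saying why they are included; a comment such as `# Browser names come from the fake-update lure filename; extend as new lures appear` above the list makes the intent explicit. The `contains|all` token `'update'` is case-insensitive in Sigma and will match lures like `Chrome.Update.zip` as intended, but also any admin updater script stored under Temp, so the falsepositives line could say so.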
@@ -9,7 +9,7 @@ references: - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2023-06-01 -modified: 2023-06-03 +modified: 2024-08-13 tags: - attack.initial-access - attack.t1190 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml new file mode 100644 index 00000000000..35b92509931 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml 
@@ -0,0 +1,33 @@ +title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE +id: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79 +status: experimental +description: | + Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. + + MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. + + Hunting Opportunity + + Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated. +references: + - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response + - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ +author: '@kostastsale' +date: 2023-06-01 +tags: + - attack.execution + - attack.t1059 + - cve.2023-34362 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\w3wp.exe' + ParentCommandLine|contains: 'moveitdmz pool' + Image|endswith: '\csc.exe' + condition: selection +falsepositives: + - Initial software installation and software updates. +level: medium diff --git a/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml new file mode 100644 index 00000000000..56a80458131 --- /dev/null +++ b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml 
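Review bot: `ParentCommandLine|contains: 'moveitdmz pool'` ties the rule to the default IIS application-pool name; a deployment that renamed the pool would never match, and nothing in the rule says the name is an assumption. Add a comment `# Default MOVEit Transfer app pool name; adjust if renamed in your environment` beside the selector, or loosen it to the product-specific fragment the description already relies on, e.g. `ParentCommandLine|contains: 'moveit'`. The description embeds a regex-style path with doubled backslashes copied from the Huntress post even though the rule does not use it; a plain sentence naming the `Temporary ASP.NET Files\root\...\App_Web_*.dll` location reads better inside a YAML block scalar.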
@@ -0,0 +1,29 @@ +title: Injected Browser Process Spawning Rundll32 - GuLoader Activity +id: 89e1490f-1a3e-452a-bbb8-b68a5f58072f +status: experimental +description: | + Detects the execution of installed GuLoader malware on the host. + GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process. +references: + - Internal Research +author: '@kostastsale' +date: 2023-08-07 +tags: + - attack.defense-evasion + - attack.t1055 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: + - '\chrome.exe' + - '\firefox.exe' + - '\msedge.exe' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: '\rundll32.exe' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml b/rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml new file mode 100644 index 00000000000..e17e3c710a6 --- /dev/null +++ b/rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml @@ -0,0 +1,27 @@ +title: Ursnif Redirection Of Discovery Commands +id: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf +status: experimental +description: | + Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware. +references: + - Internal Research +author: '@kostastsale' +date: 2023-07-16 +tags: + - attack.execution + - attack.t1059 + - detection.emerging-threats +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\explorer.exe' + Image|endswith: '\cmd.exe' + CommandLine|contains|all: + - '/C ' + - ' >> *\AppData\local\temp\*.bin' + condition: selection +falsepositives: + - Unlikely +level: high 
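Review bot: `CommandLine|endswith: '\rundll32.exe'` only matches an unquoted image path; when the process is created with a quoted path the command line ends in `rundll32.exe"`, and the argument-less invocation this rule targets is missed. Add `'\rundll32.exe"'` as a second `endswith` value so both forms are covered. With `references: Internal Research` and no sample hashes, a short comment above the selection explaining that the signal is rundll32 launched with no arguments from an injected browser process (as the description says) would help a maintainer evaluate future tuning.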
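Review bot: The `' >> *\AppData\local\temp\*.bin'` token embeds two mid-string wildcards inside a `contains` value; not every Sigma backend converts inner `*` in `contains`, so on some targets this compiles to a literal asterisk and never matches. Splitting it into `CommandLine|contains|all:` with `' >> '`, `'\AppData\Local\Temp\'` and `'.bin'` is backend-safe and equivalent for the described sample. `attack.t1059` could be the specific `attack.t1059.003`, and adding a discovery tag (`attack.t1082`) would reflect that these are discovery commands being redirected to a file.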
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml new file mode 100644 index 00000000000..f199dadcfa0 --- /dev/null +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml 
@@ -0,0 +1,49 @@ +title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions +id: aa3168fb-d594-4f93-a92d-7a9ba675b766 +status: experimental +description: | + Detects the execution of Action1 in order to execute arbitrary code or establish a remote session. + + Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries. + Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. + + Hunting Opportunity 1- Weed Out The Noise + + When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1": + + ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0" + + After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences. + + Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours + + If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity. 
+references: + - https://twitter.com/Kostastsale/status/1646256901506605063?s=20 + - https://www.action1.com/documentation/ +author: '@kostastsale' +date: 2023-04-13 +tags: + - attack.command-and-control + - attack.t1219 + - detection.threat-hunting +logsource: + category: process_creation + product: windows +detection: + selection_app_deployment_exec: + ParentImage|endswith: '\action1_agent.exe' + Image|contains: '\Windows\Action1\package_downloads\' + selection_command_exec: + ParentImage|endswith: + - '\cmd.exe' + - '\powershell.exe' + ParentCommandLine|contains: + - '\Action1\scripts\Run_Command_' + - '\Action1\scripts\Run_PowerShell_' + selection_remote_session_init: + Image|endswith: '\agent1_remote.exe' + condition: 1 of selection_* +falsepositives: + - If Action1 is among the approved software in your environment, you might find that this is a noisy query. See description for ideas on how to alter this query and start looking for suspicious activities. +level: medium diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml new file mode 100644 index 00000000000..e1373fbde38 --- /dev/null +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml 
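Review bot: `selection_remote_session_init` matches only the bare file name `\agent1_remote.exe` with no path or parent anchor, while the other two selections are pinned to `\Windows\Action1\`; verify that name against the installed agent (the description and the Action1 docs only name `action1_agent.exe`) and anchor it to the install directory, e.g. `Image|contains: '\Windows\Action1\'` alongside the `endswith`, so a different product sharing the name is not matched and a typo is not silently dead. The description's own example shows `schedule:Deploy_App__test_app_1_...` on the agent's command line, so `selection_app_deployment_exec` could carry `ParentCommandLine|contains: 'schedule:'` as an additional anchor. The falsepositives text already says the query is noisy; a comment on `selection_command_exec` noting that it matches grandchildren of the agent (scripts run through `cmd`/`powershell`) would make the three selections easier to tune independently.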
@@ -0,0 +1,23 @@ +title: Remote Access Tool - Ammy Admin Agent Execution +id: 7da7809e-f3d5-47a3-9d5d-fc9d019caf14 +status: experimental +description: Detects the execution of the Ammy Admin RMM agent for remote management. +references: + - https://www.ammyy.com/en/admin_features.html +author: '@kostastsale' +date: 2024-08-05 +tags: + - attack.execution + - attack.persistence + - detection.threat-hunting +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\rundll32.exe' + CommandLine|contains: 'AMMYY\aa_nts.dll",run' + condition: selection +falsepositives: + - Legitimate use of Ammy Admin RMM agent for remote management by admins. +level: medium diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml new file mode 100644 index 00000000000..6cb7249e650 --- /dev/null +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml @@ -0,0 +1,25 @@ +title: Remote Access Tool - Cmd.EXE Execution via AnyViewer +id: bc533330-fc29-44c0-b245-7dc6e5939c87 +status: experimental +description: | + Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions. +references: + - https://www.anyviewer.com/help/remote-technical-support.html +author: '@kostastsale' +date: 2024-08-03 +tags: + - attack.execution + - attack.persistence + - detection.threat-hunting +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\AVCore.exe' + ParentCommandLine|contains: 'AVCore.exe" -d' + Image|endswith: '\cmd.exe' + condition: selection +falsepositives: + - Legitimate use for admin activity. +level: medium 
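Review bot: `CommandLine|contains: 'AMMYY\aa_nts.dll",run'` requires a closing double quote immediately before `,run`, so an unquoted invocation (`rundll32 C:\ProgramData\AMMYY\aa_nts.dll,run`) is missed. Match the invariant parts separately with `CommandLine|contains|all:` over `'\aa_nts.dll'` and `',run'`, or list both `aa_nts.dll",run` and `aa_nts.dll,run`. The rule also carries no technique id; `attack.t1219` is what its siblings in this PR use, and `attack.t1218.011` fits the rundll32 proxy execution.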
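Review bot: `ParentCommandLine|contains: 'AVCore.exe" -d'` has the same quoting dependency as the Ammyy rule — the agent is only matched when its path was quoted and `-d` is the first switch — while `ParentImage|endswith: '\AVCore.exe'` already identifies the binary, so the command-line clause adds fragility rather than precision. Either drop it or relax it to `ParentCommandLine|contains: ' -d'` and add a comment explaining what `-d` denotes for AVCore, since the description only says it is a remote-management session. `tags` lists `attack.execution`/`attack.persistence` without a technique; `attack.t1219` belongs here.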
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_script_exec_from_compressed_parent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_script_exec_from_compressed_parent.yml new file mode 100644 index 00000000000..cf8837de1e1 --- /dev/null +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_script_exec_from_compressed_parent.yml 
@@ -0,0 +1,57 @@ +title: Manual Execution of Script Inside of a Compressed File +id: 95724fc1-a258-4674-97db-a30351981c5a +status: experimental +description: | + This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries. + + From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios. + 1. Compressed file opened using 7zip. + 2. Compressed file opened using WinRar. + 3. Compressed file opened using native windows File Explorer capabilities. + + When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter." 
+references: + - https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a + - https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +author: '@kostastsale' +date: 2023-02-15 +modified: 2024-08-13 +tags: + - attack.execution + - attack.t1059 + - detection.threat-hunting +logsource: + category: process_creation + product: windows +detection: + selection_parent_7zip: + ParentImage|endswith: '\7z*.exe' + CommandLine|contains: '\AppData\local\temp\7z*\' + selection_parent_winrar: + ParentImage|endswith: '\winrar.exe' + CommandLine|contains: '\AppData\local\temp\rar*\' + selection_parent_explorer: + ParentImage|endswith: '\explorer.exe' + CommandLine|contains: + - '\AppData\local\temp\*.rar\' + - '\AppData\local\temp\*.zip\' + selection_child: + Image|endswith: + - '\cscript.exe' + - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wscript.exe' + CommandLine|endswith: + - '.hta' + - '.js' + - '.jse' + - '.ps1' + - '.vbe' + - '.vbs' + - '.wsf' + - '.wsh' + condition: 1 of selection_parent_* and selection_child +falsepositives: + - Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results. +level: medium diff --git a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml index b40b4902dac..b1694d3d211 100644 --- a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml +++ b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml 
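Review bot: `selection_child` uses `CommandLine|endswith` with bare extensions (`.js`, `.vbs`, …), but interpreters launched by 7-Zip, WinRAR or Explorer receive the script path quoted, so the command line typically ends in `.js"` and the rule misses the double-click scenario it describes; add the `"`-suffixed forms (e.g. `- '.js"'`) or switch to `CommandLine|contains` on extension plus `"`. The falsepositives text discusses batch files, yet neither `cmd.exe` nor `.bat`/`.cmd` appears in `selection_child`, so either the FP note is stale or the rule should include them; the description's `zip/rar` wording likewise omits `.7z`, which `selection_parent_7zip` handles. `ParentImage|endswith: '\7z*.exe'` depends on a wildcard inside `endswith`, which some backends do not honor; listing `\7zFM.exe`, `\7zG.exe` and `\7z.exe` explicitly is safer.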
@@ -9,7 +9,7 @@ references: - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38 author: Elastic, @SBousseaden date: 2022-04-27 -modified: 2024-07-02 +modified: 2024-08-13 tags: - attack.privilege-escalation - attack.credential-access @@ -25,7 +25,9 @@ detection: IpAddress: '127.0.0.1' TargetUserSid|startswith: 'S-1-5-21-' TargetUserSid|endswith: '-500' - condition: selection + filter_main_ip_null: + IpPort: '0' + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/builtin/security/win_security_kerberoasting_activity.yml b/rules/windows/builtin/security/win_security_kerberoasting_activity.yml new file mode 100644 index 00000000000..188672a89da --- /dev/null +++ b/rules/windows/builtin/security/win_security_kerberoasting_activity.yml 
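Review bot: The new `filter_main_ip_null` drops every matching 4624 whose `IpPort` is `'0'`, but the hunk gives no reason why a relayed Kerberos logon is guaranteed to carry a nonzero source port; if that comes from the Elastic rule in the references, say so in a comment, e.g. `# Local/service logons report IpPort 0; relayed KrbRelayUp logons carry a real ephemeral port`, so the assumption can be re-validated against a fresh run. `IpPort` is a string in the Security log, so the quoted `'0'` is correct, and the same comment should note it so nobody "fixes" it to an integer and breaks the match. The `selection` block this filter applies to begins above the hunk (only the `IpAddress`/`TargetUserSid` lines are visible).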
@@ -0,0 +1,32 @@ +title: Kerberoasting Activity - Initial Query +id: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59 +status: experimental +description: | + This rule will collect the data needed to start looking into possible kerberoasting activity. + Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. + You can then set a threshold for the number of requests and time between the requests to turn this into an alert. +references: + - https://www.trustedsec.com/blog/art_of_kerberoast/ + - https://adsecurity.org/?p=3513 +author: '@kostastsale' +date: 2022-01-21 +tags: + - attack.credential-access + - attack.t1558.003 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4769 + Status: '0x0' # Translated as status from failure code field. Query only for successes + TicketEncryptionType: '0x17' # RC4 ticket encryption type + filter_main_: + ServiceName|endswith: + - 'krbtgt' # Ignore requests for the krbtgt service + - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic + TargetUserName|contains: '$@' # Ignore requests from machines + condition: selection and not 1 of filter_main_* +falsepositives: + - Legacy applications. +level: medium diff --git a/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml b/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml new file mode 100644 index 00000000000..424a66b2cc7 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml 
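Review bot: `filter_main_` is a single map, so its two keys are ANDed — an event is excluded only when `ServiceName` ends in `krbtgt`/`$` AND `TargetUserName` contains `$@` — which contradicts the inline comments that describe each as an independent exclusion; krbtgt TGS requests from user accounts and machine-account requests for non-`$` SPNs both still fire. Split them into two filters, e.g. `filter_main_svc:` holding the `ServiceName|endswith` list and `filter_main_machine:` holding `TargetUserName|contains: '$@'`, so `1 of filter_main_*` drops either case. The description calls this a collection query that needs thresholds added downstream, so it should carry `detection.threat-hunting` (and sit under `rules-threat-hunting/`) rather than ship as an alerting rule; `TicketEncryptionType: '0x17'` could also include `'0x18'` (RC4-HMAC-EXP) if all RC4 is intended.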
@@ -0,0 +1,34 @@ +title: Uncommon Connection to Active Directory Web Services +id: b3ad3c0f-c949-47a1-a30e-b0491ccae876 +status: experimental +description: | + Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management. +references: + - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c + - https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md +author: '@kostastsale' +date: 2024-01-26 +tags: + - attack.discovery + - attack.t1087 +logsource: + category: network_connection + product: windows +detection: + selection: + Initiated: true + DestinationPort: 9389 + filter_main_dsac: + Image: 'C:\Windows\system32\dsac.exe' + filter_main_ms_monitoring_agent: + Image: 'C:\Program Files\Microsoft Monitoring Agent\' + filter_main_powershell: + Image|startswith: + - 'C:\Program Files\PowerShell\7\pwsh.exe' + - 'C:\Program Files\PowerShell\7-preview\pwsh.ex' + - 'C:\Windows\System32\WindowsPowerShell\' + - 'C:\Windows\SysWOW64\WindowsPowerShell\' + condition: selection and not 1 of filter_main_* +falsepositives: + - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives. +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml b/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml new file mode 100644 index 00000000000..d90af0a845e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml 
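Review bot: `filter_main_ms_monitoring_agent` uses an exact `Image:` match against the directory `C:\Program Files\Microsoft Monitoring Agent\`, which can never equal an executable path, so the filter is dead and that agent's ADWS connections will alert; it needs `Image|startswith: 'C:\Program Files\Microsoft Monitoring Agent\'`. In `filter_main_powershell`, `'C:\Program Files\PowerShell\7-preview\pwsh.ex'` looks truncated relative to the `7\pwsh.exe` entry above it — under `startswith` it still matches but reads as a typo, so complete it. Exempting all PowerShell by path also means `Get-ADUser`-style collection from an attacker-controlled pwsh session is excluded, which the falsepositives line should acknowledge.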
@@ -0,0 +1,28 @@ +title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell +id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4 +status: experimental +description: | + Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder. +author: '@Kostastsale' +references: + - https://ss64.com/nt/shell.html +date: 2022-12-22 +modified: 2024-08-23 +tags: + - attack.discovery + - attack.t1135 +logsource: + product: windows + category: process_creation +detection: + selection: + ParentImage|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + Image|endswith: '\explorer.exe' + CommandLine|contains: 'shell:mycomputerfolder' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml new file mode 100644 index 00000000000..0758f13627d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml 
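Review bot: `CommandLine|contains: 'shell:mycomputerfolder'` covers only the named shell folder; `explorer.exe` opens the same view via its CLSID (`::{20D04FE0-3AEA-1069-A2D8-08002B30309D}`), so adding that as a second `contains` value keeps the rule from being trivially sidestepped. With `falsepositives: Unknown`, `level: high` is strong for an action a help-desk script or a curious user can trigger from a console; `medium`, plus a sentence on the campaign context that motivated the rule, would be easier to defend. `attack.t1135` is network share discovery, which opening the This PC view only loosely fits; `attack.t1083` (file and directory discovery) may be closer.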
@@ -0,0 +1,43 @@ +title: HackTool - SharpWSUS/WSUSpendu Execution +id: b0ce780f-10bd-496d-9067-066d23dc3aa5 +status: experimental +description: | + Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. + Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. +references: + - https://labs.nettitude.com/blog/introducing-sharpwsus/ + - https://github.com/nettitude/SharpWSUS + - https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 +author: '@Kostastsale, Nasreddine Bencherchali (Nextron Systems)' +date: 2022-10-07 +modified: 2024-08-23 +tags: + - attack.execution + - attack.lateral-movement + - attack.t1210 +logsource: + product: windows + category: process_creation +detection: + selection_wsuspendu_inject: + CommandLine|contains: ' -Inject ' + selection_wsuspendu_payload: + CommandLine|contains: + - ' -PayloadArgs ' + - ' -PayloadFile ' + selection_sharpwsus_commands: + CommandLine|contains: + - ' approve ' + - ' create ' + - ' check ' + - ' delete ' + selection_sharpwsus_flags: + CommandLine|contains: + - ' /payload:' + - ' /payload=' + - ' /updateid:' + - ' /updateid=' + condition: all of selection_wsuspendu_* or all of selection_sharpwsus_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml new file mode 100644 index 00000000000..690f801871d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml 
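Review bot: The WSUSpendu branch keys on PowerShell parameters (`-Inject`, `-PayloadFile`), which only reach the process command line when the script is started as `powershell -File WSUSpendu.ps1 -Inject ...`; invoked from an existing session they show up in 4104 script-block logs instead, so the description should state that limitation or a companion `ps_script` rule should exist. In the SharpWSUS branch, `' approve '`/`' delete '` paired with `' /updateid:'` could also come from custom WSUS administration scripts, so `falsepositives: Unknown` would be more useful as `Administrative WSUS tooling using an approve/updateid syntax`. A comment above `selection_sharpwsus_flags` noting which separator (`:` or `=`) the referenced tool actually uses would keep someone from "cleaning up" one of the pairs later.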
@@ -0,0 +1,33 @@ +title: HackTool - SOAPHound Execution +id: e92a4287-e072-4a40-9739-370c106bb750 +status: experimental +description: | + Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information. +references: + - https://github.com/FalconForceTeam/SOAPHound + - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +author: '@kostastsale' +date: 2024-01-26 +tags: + - attack.discovery + - attack.t1087 +logsource: + product: windows + category: process_creation +detection: + selection_1: + CommandLine|contains: + - ' --buildcache ' + - ' --bhdump ' + - ' --certdump ' + - ' --dnsdump ' + selection_2: + CommandLine|contains: + - ' -c ' + - ' --cachefilename ' + - ' -o ' + - ' --outputdirectory' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml b/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml new file mode 100644 index 00000000000..69ac465849c --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml 
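Review bot: Every mode flag in `selection_1` is padded with a trailing space (`' --buildcache '`), so an invocation that places the mode last — `SOAPHound.exe -c cache.json --buildcache` — never matches, while `' --outputdirectory'` in `selection_2` has no trailing space, making the padding inconsistent. Drop the trailing space on the mode flags (`' --buildcache'`, `' --bhdump'`, `' --certdump'`, `' --dnsdump'`); the leading space already prevents hits inside longer tokens. `' -c '` and `' -o '` are very common switches on their own and are only safe here because the condition ANDs them with a SOAPHound-specific mode flag; a comment saying so would stop a future edit from loosening `selection_1`.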
@@ -0,0 +1,33 @@
+title: OneNote.EXE Execution of Malicious Embedded Scripts
+id: 84b1706c-932a-44c4-ae28-892b28a25b94
+status: experimental
+description: |
+ Detects the execution of malicious OneNote documents that contain embedded scripts.
+ When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
+references:
+ - https://bazaar.abuse.ch/browse/tag/one/
+author: '@kostastsale'
+date: 2023-02-02
+tags:
+ - attack.defense-evasion
+ - attack.t1218.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\onenote.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\wscript.exe'
+ CommandLine|contains:
+ - '\exported\'
+ - '\onenoteofflinecache_files\'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
index fc5e7dbfa06..4322be46eee 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
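Review bot: The tag `attack.t1218.001` denotes System Binary Proxy Execution: Compiled HTML File (hh.exe), which none of the selected child images or command-line paths involve; the behaviour the description gives (a user opens an attachment and its embedded script is exported and run) fits User Execution: Malicious File, i.e. `- attack.execution` with `- attack.t1204.002`, and `attack.t1566.001` if the phishing-attachment delivery is meant to be covered as well. Mis-tagged rules distort ATT&CK coverage reporting, so this is worth correcting before the rule leaves experimental.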
@@ -18,16 +18,15 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_1:
- CommandLine|contains:
- - 'System.Management.Automation.AmsiUtils'
- - 'amsiInitFailed'
- selection_2:
- CommandLine|contains|all:
- - '[Ref].Assembly.GetType'
- - 'SetValue($null,$true)'
- - 'NonPublic,Static'
- condition: 1 of selection_*
+ selection:
+ - CommandLine|contains|all:
+ - 'System.Management.Automation.AmsiUtils'
+ - 'amsiInitFailed'
+ - CommandLine|contains|all:
+ - '[Ref].Assembly.GetType'
+ - 'SetValue($null,$true)'
+ - 'NonPublic,Static'
+ condition: selection
 falsepositives:
 - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml
new file mode 100644
index 00000000000..5d266405671
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml
@@ -0,0 +1,29 @@
+title: Obfuscated PowerShell OneLiner Execution
+id: 44e24481-6202-4c62-9127-5a0ae8e3fe3d
+status: experimental
+description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
+author: '@Kostastsale, @TheDFIRReport'
+references:
+ - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
+ - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
+date: 2022-05-09
+tags:
+ - attack.defense-evasion
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'http://127.0.0.1'
+ - '%{(IRM $_)}'
+ - '.SubString.ToString()[67,72,64]-Join'
+ - 'Import-Module'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
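Review bot: The rewrite changes semantics, not just layout: the first group was `CommandLine|contains` (either `System.Management.Automation.AmsiUtils` or `amsiInitFailed` alone matched) and is now `contains|all`, so a command line that carries only one of the two strings no longer fires. If that narrowing is intended, the rule's `modified` field (above this hunk and untouched by the diff) should be bumped and the reason recorded, e.g. `# Both strings are required to avoid matching generic AmsiUtils references`; if it is not, the first list entry should stay `- CommandLine|contains:`.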
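Review bot: The four `contains|all` strings (`http://127.0.0.1`, `%{(IRM $_)}`, `.SubString.ToString()[67,72,64]-Join`, `Import-Module`) pin one published one-liner rather than obfuscated cradles in general, so the title `Obfuscated PowerShell OneLiner Execution` promises more than the rule covers; naming the campaign in the title or stating in the description that it matches the specific Gootloader sample from the reference would set expectations correctly. `Image|endswith: '\powershell.exe'` also omits `'\pwsh.exe'`, which the OneNote rule added in the same commit lists alongside it.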
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index d07c8619071..a91d3bea202 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -11,6 +11,7 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
+ - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 author: frack113
 date: 2023-01-13
 modified: 2023-12-15
diff --git a/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml b/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml
new file mode 100644
index 00000000000..6c70c6abe44
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml
@@ -0,0 +1,30 @@
+title: Python Function Execution Security Warning Disabled In Excel
+id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
+related:
+ - id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
+ type: similar
+status: experimental
+description: |
+ Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
+ Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
+references:
+ - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
+author: '@Kostastsale'
+date: 2023-08-22
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '\Microsoft\Office\'
+ - '\Excel\Security'
+ - 'PythonFunctionWarnings'
+ CommandLine|contains: ' 0'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml b/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml
new file mode 100644
index 00000000000..ecad43dab5d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml
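Review bot: `CommandLine|contains: ' 0'` is a very loose second clause: any space followed by a zero anywhere in the command line satisfies it (a `0` inside a path or date, or a data value such as ` 0x1`), so in practice the rule fires on every command line that names `PythonFunctionWarnings`, including ones that set it to a non-zero value. The hide-user rule added in this commit anchors the same idea with `'/d 0'`; using that token here, plus the PowerShell equivalent `'-Value 0'` since the value can be written without `reg.exe`, would tie the alert to the actual disable operation. The `related` entry suggests a registry-event counterpart exists; a short description note on which rule covers which event source would help analysts deciding where to tune.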
@@ -0,0 +1,33 @@
+title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
+id: 9ec9fb1b-e059-4489-9642-f270c207923d
+related:
+ - id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
+ type: similar
+status: experimental
+description: |
+ Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
+references:
+ - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
+ - https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
+ - https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+author: '@Kostastsale, @TheDFIRReport'
+date: 2022-05-14
+modified: 2024-08-23
+tags:
+ - attack.t1564.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\reg.exe'
+ CommandLine|contains|all:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
+ - 'add'
+ - '/v'
+ - '/d 0'
+ condition: selection
+falsepositives:
+ - System administrator activities
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
index d885bf0fbae..b15151218db 100644
--- a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
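Review bot: The `tags` list carries only the technique `attack.t1564.002` and no tactic, whereas every other new rule in this commit pairs the technique with its tactic; add `- attack.defense-evasion` above it so the rule lands in the right place in coverage views. Separately, `'/d 0'` is a substring match and so also matches `/d 0x1` or `/d 01`, which do not hide the account; that is likely acceptable at `level: medium`, but a comment such as `# '/d 0' also matches values like 0x1 - confirm the data value during triage` would save analysts a step.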
@@ -4,12 +4,13 @@ status: test
 description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
+ - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
 - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
-author: Nextron Systems
+author: Nextron Systems, @Kostastsale
 date: 2022-06-01
-modified: 2022-10-31
+modified: 2024-08-23
 tags:
 - attack.defense-evasion
 - attack.t1036
@@ -33,7 +34,15 @@ detection:
 - '\rundll32.exe'
 # - '\csc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
 - '\calc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
- condition: selection
+ filter_main_cmd_bits:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains: 'bits'
+ filter_main_powershell_noprofile:
+ Image|endswith: '\powershell.exe'
+ CommandLine|endswith:
+ - '-noprofile -'
+ - '-noprofile'
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml
new file mode 100644
index 00000000000..40d26c24a2f
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml
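Review bot: Both new filters in the second hunk are broad enough to become an evasion of this high-level rule: `filter_main_cmd_bits` drops any `cmd.exe` child of sdiagnhost whose command line contains the substring `bits` anywhere, and `filter_main_powershell_noprofile` drops any `powershell.exe` child whose command line ends in `-noprofile`, which, since PowerShell accepts its switches in any position, suppresses the alert for an otherwise arbitrary command line. Each filter should instead be anchored to the complete legitimate invocation it was written for (for instance `CommandLine|contains|all:` with the troubleshooter script path seen in the false positive, shown here as the placeholder `'<LEGITIMATE_TROUBLESHOOTER_PATH>'`) rather than a bare keyword or a trailing switch. A comment on each filter naming the troubleshooting pack that triggered it would also let future maintainers judge whether the exclusion is still warranted.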
@@ -0,0 +1,997 @@ +title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 +id: 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259 +status: experimental +description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. +author: '@Kostastsale, @TheDFIRReport' +references: + - Internal Research +tags: + - attack.defense-evasion +date: 2022-12-05 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: + - '😀' + - '😃' + - '😄' + - '😁' + - '😆' + - '😅' + - '😂' + - '🤣' + - '🥲' + - '🥹' + - '☺️' + - '😊' + - '😇' + - '🙂' + - '🙃' + - '😉' + - '😌' + - '😍' + - '🥰' + - '😘' + - '😗' + - '😙' + - '😚' + - '😋' + - '😛' + - '😝' + - '😜' + - '🤪' + - '🤨' + - '🧐' + - '🤓' + - '😎' + - '🥸' + - '🤩' + - '🥳' + - '😏' + - '😒' + - '😞' + - '😔' + - '😟' + - '😕' + - '🙁' + - '☹️' + - '😣' + - '😖' + - '😫' + - '😩' + - '🥺' + - '😢' + - '😭' + - '😮‍💨' + - '😤' + - '😠' + - '😡' + - '🤬' + - '🤯' + - '😳' + - '🥵' + - '🥶' + - '😱' + - '😨' + - '😰' + - '😥' + - '😓' + - '🫣' + - '🤗' + - '🫡' + - '🤔' + - '🫢' + - '🤭' + - '🤫' + - '🤥' + - '😶' + - '😶‍🌫️' + - '😐' + - '😑' + - '😬' + - '🫠' + - '🙄' + - '😯' + - '😦' + - '😧' + - '😮' + - '😲' + - '🥱' + - '😴' + - '🤤' + - '😪' + - '😵' + - '😵‍💫' + - '🫥' + - '🤐' + - '🥴' + - '🤢' + - '🤮' + - '🤧' + - '😷' + - '🤒' + - '🤕' + - '🤑' + - '🤠' + - '😈' + - '👿' + - '👹' + - '👺' + - '🤡' + - '💩' + - '👻' + - '💀' + - '☠️' + - '👽' + - '👾' + - '🤖' + - '🎃' + - '😺' + - '😸' + - '😹' + - '😻' + - '😼' + - '😽' + - '🙀' + - '😿' + - '😾' + - '👋' + - '🤚' + - '🖐' + - '✋' + - '🖖' + - '👌' + - '🤌' + - '🤏' + - '✌️' + - '🤞' + - '🫰' + - '🤟' + - '🤘' + - '🤙' + - '🫵' + - '🫱' + - '🫲' + - '🫳' + - '🫴' + - '👈' + - '👉' + - '👆' + - '🖕' + - '👇' + - '☝️' + - '👍' + - '👎' + - '✊' + - '👊' + - '🤛' + - '🤜' + - '👏' + - '🫶' + - '🙌' + - '👐' + - '🤲' + - '🤝' + - '🙏' + - '✍️' + - '💪' + - '🦾' + - '🦵' + - '🦿' + - '🦶' + - '👣' + - '👂' + - '🦻' + - '👃' + - '🫀' + - '🫁' + - '🧠' + - '🦷' + - '🦴' + - '👀' + - '👁' + - '👅' + - '👄' + - '🫦' + - '💋' + - '🩸' + - 
'👶' + - '👧' + - '🧒' + - '👦' + - '👩' + - '🧑' + - '👨' + - '👩‍🦱' + - '🧑‍🦱' + - '👨‍🦱' + - '👩‍🦰' + - '🧑‍🦰' + - '👨‍🦰' + - '👱‍♀️' + - '👱' + - '👱‍♂️' + - '👩‍🦳' + - '🧑‍🦳' + - '👨‍🦳' + - '👩‍🦲' + - '🧑‍🦲' + - '👨‍🦲' + - '🧔‍♀️' + - '🧔' + - '🧔‍♂️' + - '👵' + - '🧓' + - '👴' + - '👲' + - '👳‍♀️' + - '👳' + - '👳‍♂️' + - '🧕' + - '👮‍♀️' + - '👮' + - '👮‍♂️' + - '👷‍♀️' + - '👷' + - '👷‍♂️' + - '💂‍♀️' + - '💂' + - '💂‍♂️' + - '🕵️‍♀️' + - '🕵️' + - '🕵️‍♂️' + - '👩‍⚕️' + - '🧑‍⚕️' + - '👨‍⚕️' + - '👩‍🌾' + - '🧑‍🌾' + - '👨‍🌾' + - '👩‍🍳' + - '🧑‍🍳' + - '👨‍🍳' + - '👩‍🎓' + - '🧑‍🎓' + - '👨‍🎓' + - '👩‍🎤' + - '🧑‍🎤' + - '👨‍🎤' + - '👩‍🏫' + - '🧑‍🏫' + - '👨‍🏫' + - '👩‍🏭' + - '🧑‍🏭' + - '👨‍🏭' + - '👩‍💻' + - '🧑‍💻' + - '👨‍💻' + - '👩‍💼' + - '🧑‍💼' + - '👨‍💼' + - '👩‍🔧' + - '🧑‍🔧' + - '👨‍🔧' + - '👩‍🔬' + - '🧑‍🔬' + - '👨‍🔬' + - '👩‍🎨' + - '🧑‍🎨' + - '👨‍🎨' + - '👩‍🚒' + - '🧑‍🚒' + - '👨‍🚒' + - '👩‍✈️' + - '🧑‍✈️' + - '👨‍✈️' + - '👩‍🚀' + - '🧑‍🚀' + - '👨‍🚀' + - '👩‍⚖️' + - '🧑‍⚖️' + - '👨‍⚖️' + - '👰‍♀️' + - '👰' + - '👰‍♂️' + - '🤵‍♀️' + - '🤵' + - '🤵‍♂️' + - '👸' + - '🫅' + - '🤴' + - '🥷' + - '🦸‍♀️' + - '🦸' + - '🦸‍♂️' + - '🦹‍♀️' + - '🦹' + - '🦹‍♂️' + - '🤶' + - '🧑‍🎄' + - '🎅' + - '🧙‍♀️' + - '🧙' + - '🧙‍♂️' + - '🧝‍♀️' + - '🧝' + - '🧝‍♂️' + - '🧛‍♀️' + - '🧛' + - '🧛‍♂️' + - '🧟‍♀️' + - '🧟' + - '🧟‍♂️' + - '🧞‍♀️' + - '🧞' + - '🧞‍♂️' + - '🧜‍♀️' + - '🧜' + - '🧜‍♂️' + - '🧚‍♀️' + - '🧚' + - '🧚‍♂️' + - '🧌' + - '👼' + - '🤰' + - '🫄' + - '🫃' + - '🤱' + - '👩‍🍼' + - '🧑‍🍼' + - '👨‍🍼' + - '🙇‍♀️' + - '🙇' + - '🙇‍♂️' + - '💁‍♀️' + - '💁' + - '💁‍♂️' + - '🙅‍♀️' + - '🙅' + - '🙅‍♂️' + - '🙆‍♀️' + - '🙆' + - '🙆‍♂️' + - '🙋‍♀️' + - '🙋' + - '🙋‍♂️' + - '🧏‍♀️' + - '🧏' + - '🧏‍♂️' + - '🤦‍♀️' + - '🤦' + - '🤦‍♂️' + - '🤷‍♀️' + - '🤷' + - '🤷‍♂️' + - '🙎‍♀️' + - '🙎' + - '🙎‍♂️' + - '🙍‍♀️' + - '🙍' + - '🙍‍♂️' + - '💇‍♀️' + - '💇' + - '💇‍♂️' + - '💆‍♀️' + - '💆' + - '💆‍♂️' + - '🧖‍♀️' + - '🧖' + - '🧖‍♂️' + - '💅' + - '💃' + - '🕺' + - '👯‍♀️' + - '👯' + - '👯‍♂️' + - '🕴' + - '👩‍🦽' + - '🧑‍🦽' + - '👨‍🦽' + - '👩‍🦼' + - '🧑‍🦼' + - '👨‍🦼' + - '🚶‍♀️' + - '🚶' + - '🚶‍♂️' + - '👩‍🦯' + - '🧑‍🦯' + - '👨‍🦯' + - '🧎‍♀️' + - '🧎' + - '🧎‍♂️' + - '🏃‍♀️' + - 
'🏃' + - '🏃‍♂️' + - '🧍‍♀️' + - '🧍' + - '🧍‍♂️' + - '👭' + - '🧑‍🤝‍🧑' + - '👬' + - '👫' + - '👩‍❤️‍👩' + - '💑' + - '👨‍❤️‍👨' + - '👩‍❤️‍👨' + - '👩‍❤️‍💋‍👩' + - '💏' + - '👨‍❤️‍💋‍👨' + - '👩‍❤️‍💋‍👨' + - '👪' + - '👨‍👩‍👦' + - '👨‍👩‍👧' + - '👨‍👩‍👧‍👦' + - '👨‍👩‍👦‍👦' + - '👨‍👩‍👧‍👧' + - '👨‍👨‍👦' + - '👨‍👨‍👧' + - '👨‍👨‍👧‍👦' + - '👨‍👨‍👦‍👦' + - '👨‍👨‍👧‍👧' + - '👩‍👩‍👦' + - '👩‍👩‍👧' + - '👩‍👩‍👧‍👦' + - '👩‍👩‍👦‍👦' + - '👩‍👩‍👧‍👧' + - '👨‍👦' + - '👨‍👦‍👦' + - '👨‍👧' + - '👨‍👧‍👦' + - '👨‍👧‍👧' + - '👩‍👦' + - '👩‍👦‍👦' + - '👩‍👧' + - '👩‍👧‍👦' + - '👩‍👧‍👧' + - '🗣' + - '👤' + - '👥' + - '🫂' + - '🧳' + - '🌂' + - '☂️' + - '🧵' + - '🪡' + - '🪢' + - '🧶' + - '👓' + - '🕶' + - '🥽' + - '🥼' + - '🦺' + - '👔' + - '👕' + - '👖' + - '🧣' + - '🧤' + - '🧥' + - '🧦' + - '👗' + - '👘' + - '🥻' + - '🩴' + - '🩱' + - '🩲' + - '🩳' + - '👙' + - '👚' + - '👛' + - '👜' + - '👝' + - '🎒' + - '👞' + - '👟' + - '🥾' + - '🥿' + - '👠' + - '👡' + - '🩰' + - '👢' + - '👑' + - '👒' + - '🎩' + - '🎓' + - '🧢' + - '⛑' + - '🪖' + - '💄' + - '💍' + - '💼' + - '👋🏻' + - '🤚🏻' + - '🖐🏻' + - '✋🏻' + - '🖖🏻' + - '👌🏻' + - '🤌🏻' + - '🤏🏻' + - '✌🏻' + - '🤞🏻' + - '🫰🏻' + - '🤟🏻' + - '🤘🏻' + - '🤙🏻' + - '🫵🏻' + - '🫱🏻' + - '🫲🏻' + - '🫳🏻' + - '🫴🏻' + - '👈🏻' + - '👉🏻' + - '👆🏻' + - '🖕🏻' + - '👇🏻' + - '☝🏻' + - '👍🏻' + - '👎🏻' + - '✊🏻' + - '👊🏻' + - '🤛🏻' + - '🤜🏻' + - '👏🏻' + - '🫶🏻' + - '🙌🏻' + - '👐🏻' + - '🤲🏻' + - '🙏🏻' + - '✍🏻' + - '💪🏻' + - '🦵🏻' + - '🦶🏻' + - '👂🏻' + - '🦻🏻' + - '👃🏻' + - '👶🏻' + - '👧🏻' + - '🧒🏻' + - '👦🏻' + - '👩🏻' + - '🧑🏻' + - '👨🏻' + - '👩🏻‍🦱' + - '🧑🏻‍🦱' + - '👨🏻‍🦱' + - '👩🏻‍🦰' + - '🧑🏻‍🦰' + - '👨🏻‍🦰' + - '👱🏻‍♀️' + - '👱🏻' + - '👱🏻‍♂️' + - '👩🏻‍🦳' + - '🧑🏻‍🦳' + - '👨🏻‍🦳' + - '👩🏻‍🦲' + - '🧑🏻‍🦲' + - '👨🏻‍🦲' + - '🧔🏻‍♀️' + - '🧔🏻' + - '🧔🏻‍♂️' + - '👵🏻' + - '🧓🏻' + - '👴🏻' + - '👲🏻' + - '👳🏻‍♀️' + - '👳🏻' + - '👳🏻‍♂️' + - '🧕🏻' + - '👮🏻‍♀️' + - '👮🏻' + - '👮🏻‍♂️' + - '👷🏻‍♀️' + - '👷🏻' + - '👷🏻‍♂️' + - '💂🏻‍♀️' + - '💂🏻' + - '💂🏻‍♂️' + - '🕵🏻‍♀️' + - '🕵🏻' + - '🕵🏻‍♂️' + - '👩🏻‍⚕️' + - '🧑🏻‍⚕️' + - '👨🏻‍⚕️' + - '👩🏻‍🌾' + - '🧑🏻‍🌾' + - '👨🏻‍🌾' + - '👩🏻‍🍳' + - '🧑🏻‍🍳' + - '👨🏻‍🍳' + - '👩🏻‍🎓' + - '🧑🏻‍🎓' + - '👨🏻‍🎓' + - '👩🏻‍🎤' + - '🧑🏻‍🎤' + - '👨🏻‍🎤' + - '👩🏻‍🏫' + - '🧑🏻‍🏫' + - '👨🏻‍🏫' 
+ - '👩🏻‍🏭' + - '🧑🏻‍🏭' + - '👨🏻‍🏭' + - '👩🏻‍💻' + - '🧑🏻‍💻' + - '👨🏻‍💻' + - '👩🏻‍💼' + - '🧑🏻‍💼' + - '👨🏻‍💼' + - '👩🏻‍🔧' + - '🧑🏻‍🔧' + - '👨🏻‍🔧' + - '👩🏻‍🔬' + - '🧑🏻‍🔬' + - '👨🏻‍🔬' + - '👩🏻‍🎨' + - '🧑🏻‍🎨' + - '👨🏻‍🎨' + - '👩🏻‍🚒' + - '🧑🏻‍🚒' + - '👨🏻‍🚒' + - '👩🏻‍✈️' + - '🧑🏻‍✈️' + - '👨🏻‍✈️' + - '👩🏻‍🚀' + - '🧑🏻‍🚀' + - '👨🏻‍🚀' + - '👩🏻‍⚖️' + - '🧑🏻‍⚖️' + - '👨🏻‍⚖️' + - '👰🏻‍♀️' + - '👰🏻' + - '👰🏻‍♂️' + - '🤵🏻‍♀️' + - '🤵🏻' + - '🤵🏻‍♂️' + - '👸🏻' + - '🫅🏻' + - '🤴🏻' + - '🥷🏻' + - '🦸🏻‍♀️' + - '🦸🏻' + - '🦸🏻‍♂️' + - '🦹🏻‍♀️' + - '🦹🏻' + - '🦹🏻‍♂️' + - '🤶🏻' + - '🧑🏻‍🎄' + - '🎅🏻' + - '🧙🏻‍♀️' + - '🧙🏻' + - '🧙🏻‍♂️' + - '🧝🏻‍♀️' + - '🧝🏻' + - '🧝🏻‍♂️' + - '🧛🏻‍♀️' + - '🧛🏻' + - '🧛🏻‍♂️' + - '🧜🏻‍♀️' + - '🧜🏻' + - '🧜🏻‍♂️' + - '🧚🏻‍♀️' + - '🧚🏻' + - '🧚🏻‍♂️' + - '👼🏻' + - '🤰🏻' + - '🫄🏻' + - '🫃🏻' + - '🤱🏻' + - '👩🏻‍🍼' + - '🧑🏻‍🍼' + - '👨🏻‍🍼' + - '🙇🏻‍♀️' + - '🙇🏻' + - '🙇🏻‍♂️' + - '💁🏻‍♀️' + - '💁🏻' + - '💁🏻‍♂️' + - '🙅🏻‍♀️' + - '🙅🏻' + - '🙅🏻‍♂️' + - '🙆🏻‍♀️' + - '🙆🏻' + - '🙆🏻‍♂️' + - '🙋🏻‍♀️' + - '🙋🏻' + - '🙋🏻‍♂️' + - '🧏🏻‍♀️' + - '🧏🏻' + - '🧏🏻‍♂️' + - '🤦🏻‍♀️' + - '🤦🏻' + - '🤦🏻‍♂️' + - '🤷🏻‍♀️' + - '🤷🏻' + - '🤷🏻‍♂️' + - '🙎🏻‍♀️' + - '🙎🏻' + - '🙎🏻‍♂️' + - '🙍🏻‍♀️' + - '🙍🏻' + - '🙍🏻‍♂️' + - '💇🏻‍♀️' + - '💇🏻' + - '💇🏻‍♂️' + - '💆🏻‍♀️' + - '💆🏻' + - '💆🏻‍♂️' + - '🧖🏻‍♀️' + - '🧖🏻' + - '🧖🏻‍♂️' + - '💃🏻' + - '🕺🏻' + - '🕴🏻' + - '👩🏻‍🦽' + - '🧑🏻‍🦽' + - '👨🏻‍🦽' + - '👩🏻‍🦼' + - '🧑🏻‍🦼' + - '👨🏻‍🦼' + - '🚶🏻‍♀️' + - '🚶🏻' + - '🚶🏻‍♂️' + - '👩🏻‍🦯' + - '🧑🏻‍🦯' + - '👨🏻‍🦯' + - '🧎🏻‍♀️' + - '🧎🏻' + - '🧎🏻‍♂️' + - '🏃🏻‍♀️' + - '🏃🏻' + - '🏃🏻‍♂️' + - '🧍🏻‍♀️' + - '🧍🏻' + - '🧍🏻‍♂️' + - '👭🏻' + - '🧑🏻‍🤝‍🧑🏻' + - '👬🏻' + - '👫🏻' + - '🧗🏻‍♀️' + - '🧗🏻' + - '🧗🏻‍♂️' + - '🏇🏻' + - '🏂🏻' + - '🏌🏻‍♀️' + - '🏌🏻' + - '🏌🏻‍♂️' + - '🏄🏻‍♀️' + - '🏄🏻' + - '🏄🏻‍♂️' + - '🚣🏻‍♀️' + - '🚣🏻' + - '🚣🏻‍♂️' + - '🏊🏻‍♀️' + - '🏊🏻' + - '🏊🏻‍♂️' + - '⛹🏻‍♀️' + - '⛹🏻' + - '⛹🏻‍♂️' + - '🏋🏻‍♀️' + - '🏋🏻' + - '🏋🏻‍♂️' + - '🚴🏻‍♀️' + - '🚴🏻' + - '🚴🏻‍♂️' + - '🚵🏻‍♀️' + - '🚵🏻' + - '🚵🏻‍♂️' + - '🤸🏻‍♀️' + - '🤸🏻' + - '🤸🏻‍♂️' + - '🤽🏻‍♀️' + - '🤽🏻' + - '🤽🏻‍♂️' + - '🤾🏻‍♀️' + - '🤾🏻' + - '🤾🏻‍♂️' + - '🤹🏻‍♀️' + - '🤹🏻' + - '🤹🏻‍♂️' + - '🧘🏻‍♀️' + - '🧘🏻' + - '🧘🏻‍♂️' + - '🛀🏻' + - 
'🛌🏻' + - '👋🏼' + - '🤚🏼' + - '🖐🏼' + - '✋🏼' + - '🖖🏼' + - '👌🏼' + - '🤌🏼' + - '🤏🏼' + - '✌🏼' + - '🤞🏼' + - '🫰🏼' + - '🤟🏼' + - '🤘🏼' + - '🤙🏼' + - '🫵🏼' + - '🫱🏼' + - '🫲🏼' + - '🫳🏼' + - '🫴🏼' + - '👈🏼' + - '👉🏼' + - '👆🏼' + - '🖕🏼' + - '👇🏼' + - '☝🏼' + - '👍🏼' + - '👎🏼' + - '✊🏼' + - '👊🏼' + - '🤛🏼' + - '🤜🏼' + - '👏🏼' + - '🫶🏼' + - '🙌🏼' + - '👐🏼' + - '🤲🏼' + - '🙏🏼' + - '✍🏼' + - '💪🏼' + - '🦵🏼' + - '🦶🏼' + - '👂🏼' + - '🦻🏼' + - '👃🏼' + - '👶🏼' + - '👧🏼' + - '🧒🏼' + - '👦🏼' + - '👩🏼' + - '🧑🏼' + - '👨🏼' + - '👩🏼‍🦱' + - '🧑🏼‍🦱' + - '👨🏼‍🦱' + - '👩🏼‍🦰' + - '🧑🏼‍🦰' + - '👨🏼‍🦰' + - '👱🏼‍♀️' + - '👱🏼' + - '👱🏼‍♂️' + - '👩🏼‍🦳' + - '🧑🏼‍🦳' + - '👨🏼‍🦳' + - '👩🏼‍🦲' + - '🧑🏼‍🦲' + - '👨🏼‍🦲' + - '🧔🏼‍♀️' + - '🧔🏼' + - '🧔🏼‍♂️' + - '👵🏼' + - '🧓🏼' + - '👴🏼' + - '👲🏼' + - '👳🏼‍♀️' + - '👳🏼' + - '👳🏼‍♂️' + - '🧕🏼' + - '👮🏼‍♀️' + - '👮🏼' + - '👮🏼‍♂️' + - '👷🏼‍♀️' + - '👷🏼' + - '👷🏼‍♂️' + - '💂🏼‍♀️' + - '💂🏼' + - '💂🏼‍♂️' + - '🕵🏼‍♀️' + - '🕵🏼' + - '🕵🏼‍♂️' + - '👩🏼‍⚕️' + - '🧑🏼‍⚕️' + - '👨🏼‍⚕️' + - '👩🏼‍🌾' + - '🧑🏼‍🌾' + - '👨🏼‍🌾' + - '👩🏼‍🍳' + - '🧑🏼‍🍳' + - '👨🏼‍🍳' + - '👩🏼‍🎓' + - '🧑🏼‍🎓' + - '👨🏼‍🎓' + - '👩🏼‍🎤' + - '🧑🏼‍🎤' + - '👨🏼‍🎤' + - '👩🏼‍🏫' + - '🧑🏼‍🏫' + - '👨🏼‍🏫' + - '👩🏼‍🏭' + - '🧑🏼‍🏭' + - '👨🏼‍🏭' + - '👩🏼‍💻' + - '🧑🏼‍💻' + - '👨🏼‍💻' + - '👩🏼‍💼' + - '🧑🏼‍💼' + - '👨🏼‍💼' + - '👩🏼‍🔧' + - '🧑🏼‍🔧' + - '👨🏼‍🔧' + - '👩🏼‍🔬' + - '🧑🏼‍🔬' + - '👨🏼‍🔬' + - '👩🏼‍🎨' + - '🧑🏼‍🎨' + - '👨🏼‍🎨' + - '👩🏼‍🚒' + - '🧑🏼‍🚒' + - '👨🏼‍🚒' + - '👩🏼‍✈️' + - '🧑🏼‍✈️' + - '👨🏼‍✈️' + - '👩🏼‍🚀' + - '🧑🏼‍🚀' + - '👨🏼‍🚀' + - '👩🏼‍⚖️' + - '🧑🏼‍⚖️' + - '👨🏼‍⚖️' + - '👰🏼‍♀️' + - '👰🏼' + - '👰🏼‍♂️' + - '🤵🏼‍♀️' + - '🤵🏼' + - '🤵🏼‍♂️' + - '👸🏼' + - '🫅🏼' + - '🤴🏼' + - '🥷🏼' + - '🦸🏼‍♀️' + - '🦸🏼' + - '🦸🏼‍♂️' + - '🦹🏼‍♀️' + - '🦹🏼' + - '🦹🏼‍♂️' + - '🤶🏼' + - '🧑🏼‍🎄' + - '🎅🏼' + - '🧙🏼‍♀️' + - '🧙🏼' + - '🧙🏼‍♂️' + - '🧝🏼‍♀️' + - '🧝🏼' + - '🧝🏼‍♂️' + - '🧛🏼‍♀️' + - '🧛🏼' + - '🧛🏼‍♂️' + - '🧜🏼‍♀️' + - '🧜🏼' + - '🧜🏼‍♂️' + - '🧚🏼‍♀️' + - '🧚🏼' + - '🧚🏼‍♂️' + - '👼🏼' + - '🤰🏼' + - '🫄🏼' + - '🫃🏼' + - '🤱🏼' + - '👩🏼‍🍼' + - '🧑🏼‍🍼' + - '👨🏼‍🍼' + - '🙇🏼‍♀️' + - '🙇🏼' + - '🙇🏼‍♂️' + - '💁🏼‍♀️' + - '💁🏼' + - '💁🏼‍♂️' + - '🙅🏼‍♀️' + - '🙅🏼' + - '🙅🏼‍♂️' + - '🙆🏼‍♀️' + - '🙆🏼' + - '🙆🏼‍♂️' + - '🙋🏼‍♀️' + - 
'🙋🏼' + - '🙋🏼‍♂️' + - '🧏🏼‍♀️' + - '🧏🏼' + - '🧏🏼‍♂️' + - '🤦🏼‍♀️' + - '🤦🏼' + - '🤦🏼‍♂️' + - '🤷🏼‍♀️' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml new file mode 100644 index 00000000000..834f7c81cd9 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml 
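Review bot: Many entries in this `CommandLine|contains` list are redundant with a base emoji already in the list: `contains` on `'👋'` already matches every skin-tone variant such as `'👋🏻'`, and ZWJ sequences such as `'😮‍💨'` contain `'😮'`, so the hundreds of variant entries add no detection while inflating the generated query to a size that some backends may reject or evaluate slowly; the same applies to the `_2` rule in the next file section and the `_3` rule after it. Keeping only base code points, and checking that each remaining entry is a single emoji since backends compare the literal byte sequence including variation selectors, would likely collapse the three rules into one. Separately, `level: high` with `falsepositives: Unknown` is optimistic for any emoji in a command line (commit messages, chat or notification CLIs and test scripts commonly carry them), so `medium` with those sources listed under `falsepositives` would better match the description's own "could be a sign" wording.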
@@ -0,0 +1,1014 @@ +title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 +id: c98f2a0d-e1b8-4f76-90d3-359caf88d6b9 +status: experimental +description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. +author: '@Kostastsale, @TheDFIRReport' +references: + - Internal Research +tags: + - attack.defense-evasion +date: 2022-12-05 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: + - '🤷🏼' + - '🤷🏼‍♂️' + - '🙎🏼‍♀️' + - '🙎🏼' + - '🙎🏼‍♂️' + - '🙍🏼‍♀️' + - '🙍🏼' + - '🙍🏼‍♂️' + - '💇🏼‍♀️' + - '💇🏼' + - '💇🏼‍♂️' + - '💆🏼‍♀️' + - '💆🏼' + - '💆🏼‍♂️' + - '🧖🏼‍♀️' + - '🧖🏼' + - '🧖🏼‍♂️' + - '💃🏼' + - '🕺🏼' + - '🕴🏼' + - '👩🏼‍🦽' + - '🧑🏼‍🦽' + - '👨🏼‍🦽' + - '👩🏼‍🦼' + - '🧑🏼‍🦼' + - '👨🏼‍🦼' + - '🚶🏼‍♀️' + - '🚶🏼' + - '🚶🏼‍♂️' + - '👩🏼‍🦯' + - '🧑🏼‍🦯' + - '👨🏼‍🦯' + - '🧎🏼‍♀️' + - '🧎🏼' + - '🧎🏼‍♂️' + - '🏃🏼‍♀️' + - '🏃🏼' + - '🏃🏼‍♂️' + - '🧍🏼‍♀️' + - '🧍🏼' + - '🧍🏼‍♂️' + - '👭🏼' + - '🧑🏼‍🤝‍🧑🏼' + - '👬🏼' + - '👫🏼' + - '🧗🏼‍♀️' + - '🧗🏼' + - '🧗🏼‍♂️' + - '🏇🏼' + - '🏂🏼' + - '🏌🏼‍♀️' + - '🏌🏼' + - '🏌🏼‍♂️' + - '🏄🏼‍♀️' + - '🏄🏼' + - '🏄🏼‍♂️' + - '🚣🏼‍♀️' + - '🚣🏼' + - '🚣🏼‍♂️' + - '🏊🏼‍♀️' + - '🏊🏼' + - '🏊🏼‍♂️' + - '⛹🏼‍♀️' + - '⛹🏼' + - '⛹🏼‍♂️' + - '🏋🏼‍♀️' + - '🏋🏼' + - '🏋🏼‍♂️' + - '🚴🏼‍♀️' + - '🚴🏼' + - '🚴🏼‍♂️' + - '🚵🏼‍♀️' + - '🚵🏼' + - '🚵🏼‍♂️' + - '🤸🏼‍♀️' + - '🤸🏼' + - '🤸🏼‍♂️' + - '🤽🏼‍♀️' + - '🤽🏼' + - '🤽🏼‍♂️' + - '🤾🏼‍♀️' + - '🤾🏼' + - '🤾🏼‍♂️' + - '🤹🏼‍♀️' + - '🤹🏼' + - '🤹🏼‍♂️' + - '🧘🏼‍♀️' + - '🧘🏼' + - '🧘🏼‍♂️' + - '🛀🏼' + - '🛌🏼' + - '👋🏽' + - '🤚🏽' + - '🖐🏽' + - '✋🏽' + - '🖖🏽' + - '👌🏽' + - '🤌🏽' + - '🤏🏽' + - '✌🏽' + - '🤞🏽' + - '🫰🏽' + - '🤟🏽' + - '🤘🏽' + - '🤙🏽' + - '🫵🏽' + - '🫱🏽' + - '🫲🏽' + - '🫳🏽' + - '🫴🏽' + - '👈🏽' + - '👉🏽' + - '👆🏽' + - '🖕🏽' + - '👇🏽' + - '☝🏽' + - '👍🏽' + - '👎🏽' + - '✊🏽' + - '👊🏽' + - '🤛🏽' + - '🤜🏽' + - '👏🏽' + - '🫶🏽' + - '🙌🏽' + - '👐🏽' + - '🤲🏽' + - '🙏🏽' + - '✍🏽' + - '💪🏽' + - '🦵🏽' + - '🦶🏽' + - '👂🏽' + - '🦻🏽' + - '👃🏽' + - '👶🏽' + - '👧🏽' + - '🧒🏽' + - '👦🏽' + - '👩🏽' + - '🧑🏽' + - '👨🏽' + - '👩🏽‍🦱' + - '🧑🏽‍🦱' + - '👨🏽‍🦱' + - 
'👩🏽‍🦰' + - '🧑🏽‍🦰' + - '👨🏽‍🦰' + - '👱🏽‍♀️' + - '👱🏽' + - '👱🏽‍♂️' + - '👩🏽‍🦳' + - '🧑🏽‍🦳' + - '👨🏽‍🦳' + - '👩🏽‍🦲' + - '🧑🏽‍🦲' + - '👨🏽‍🦲' + - '🧔🏽‍♀️' + - '🧔🏽' + - '🧔🏽‍♂️' + - '👵🏽' + - '🧓🏽' + - '👴🏽' + - '👲🏽' + - '👳🏽‍♀️' + - '👳🏽' + - '👳🏽‍♂️' + - '🧕🏽' + - '👮🏽‍♀️' + - '👮🏽' + - '👮🏽‍♂️' + - '👷🏽‍♀️' + - '👷🏽' + - '👷🏽‍♂️' + - '💂🏽‍♀️' + - '💂🏽' + - '💂🏽‍♂️' + - '🕵🏽‍♀️' + - '🕵🏽' + - '🕵🏽‍♂️' + - '👩🏽‍⚕️' + - '🧑🏽‍⚕️' + - '👨🏽‍⚕️' + - '👩🏽‍🌾' + - '🧑🏽‍🌾' + - '👨🏽‍🌾' + - '👩🏽‍🍳' + - '🧑🏽‍🍳' + - '👨🏽‍🍳' + - '👩🏽‍🎓' + - '🧑🏽‍🎓' + - '👨🏽‍🎓' + - '👩🏽‍🎤' + - '🧑🏽‍🎤' + - '👨🏽‍🎤' + - '👩🏽‍🏫' + - '🧑🏽‍🏫' + - '👨🏽‍🏫' + - '👩🏽‍🏭' + - '🧑🏽‍🏭' + - '👨🏽‍🏭' + - '👩🏽‍💻' + - '🧑🏽‍💻' + - '👨🏽‍💻' + - '👩🏽‍💼' + - '🧑🏽‍💼' + - '👨🏽‍💼' + - '👩🏽‍🔧' + - '🧑🏽‍🔧' + - '👨🏽‍🔧' + - '👩🏽‍🔬' + - '🧑🏽‍🔬' + - '👨🏽‍🔬' + - '👩🏽‍🎨' + - '🧑🏽‍🎨' + - '👨🏽‍🎨' + - '👩🏽‍🚒' + - '🧑🏽‍🚒' + - '👨🏽‍🚒' + - '👩🏽‍✈️' + - '🧑🏽‍✈️' + - '👨🏽‍✈️' + - '👩🏽‍🚀' + - '🧑🏽‍🚀' + - '👨🏽‍🚀' + - '👩🏽‍⚖️' + - '🧑🏽‍⚖️' + - '👨🏽‍⚖️' + - '👰🏽‍♀️' + - '👰🏽' + - '👰🏽‍♂️' + - '🤵🏽‍♀️' + - '🤵🏽' + - '🤵🏽‍♂️' + - '👸🏽' + - '🫅🏽' + - '🤴🏽' + - '🥷🏽' + - '🦸🏽‍♀️' + - '🦸🏽' + - '🦸🏽‍♂️' + - '🦹🏽‍♀️' + - '🦹🏽' + - '🦹🏽‍♂️' + - '🤶🏽' + - '🧑🏽‍🎄' + - '🎅🏽' + - '🧙🏽‍♀️' + - '🧙🏽' + - '🧙🏽‍♂️' + - '🧝🏽‍♀️' + - '🧝🏽' + - '🧝🏽‍♂️' + - '🧛🏽‍♀️' + - '🧛🏽' + - '🧛🏽‍♂️' + - '🧜🏽‍♀️' + - '🧜🏽' + - '🧜🏽‍♂️' + - '🧚🏽‍♀️' + - '🧚🏽' + - '🧚🏽‍♂️' + - '👼🏽' + - '🤰🏽' + - '🫄🏽' + - '🫃🏽' + - '🤱🏽' + - '👩🏽‍🍼' + - '🧑🏽‍🍼' + - '👨🏽‍🍼' + - '🙇🏽‍♀️' + - '🙇🏽' + - '🙇🏽‍♂️' + - '💁🏽‍♀️' + - '💁🏽' + - '💁🏽‍♂️' + - '🙅🏽‍♀️' + - '🙅🏽' + - '🙅🏽‍♂️' + - '🙆🏽‍♀️' + - '🙆🏽' + - '🙆🏽‍♂️' + - '🙋🏽‍♀️' + - '🙋🏽' + - '🙋🏽‍♂️' + - '🧏🏽‍♀️' + - '🧏🏽' + - '🧏🏽‍♂️' + - '🤦🏽‍♀️' + - '🤦🏽' + - '🤦🏽‍♂️' + - '🤷🏽‍♀️' + - '🤷🏽' + - '🤷🏽‍♂️' + - '🙎🏽‍♀️' + - '🙎🏽' + - '🙎🏽‍♂️' + - '🙍🏽‍♀️' + - '🙍🏽' + - '🙍🏽‍♂️' + - '💇🏽‍♀️' + - '💇🏽' + - '💇🏽‍♂️' + - '💆🏽‍♀️' + - '💆🏽' + - '💆🏽‍♂️' + - '🧖🏽‍♀️' + - '🧖🏽' + - '🧖🏽‍♂️' + - '💃🏽' + - '🕺🏽' + - '🕴🏽' + - '👩🏽‍🦽' + - '🧑🏽‍🦽' + - '👨🏽‍🦽' + - '👩🏽‍🦼' + - '🧑🏽‍🦼' + - '👨🏽‍🦼' + - '🚶🏽‍♀️' + - '🚶🏽' + - '🚶🏽‍♂️' + - '👩🏽‍🦯' + - '🧑🏽‍🦯' + - '👨🏽‍🦯' + - '🧎🏽‍♀️' + - '🧎🏽' + - '🧎🏽‍♂️' + - '🏃🏽‍♀️' + - '🏃🏽' + - 
'🏃🏽‍♂️' + - '🧍🏽‍♀️' + - '🧍🏽' + - '🧍🏽‍♂️' + - '👭🏽' + - '🧑🏽‍🤝‍🧑🏽' + - '👬🏽' + - '👫🏽' + - '🧗🏽‍♀️' + - '🧗🏽' + - '🧗🏽‍♂️' + - '🏇🏽' + - '🏂🏽' + - '🏌🏽‍♀️' + - '🏌🏽' + - '🏌🏽‍♂️' + - '🏄🏽‍♀️' + - '🏄🏽' + - '🏄🏽‍♂️' + - '🚣🏽‍♀️' + - '🚣🏽' + - '🚣🏽‍♂️' + - '🏊🏽‍♀️' + - '🏊🏽' + - '🏊🏽‍♂️' + - '⛹🏽‍♀️' + - '⛹🏽' + - '⛹🏽‍♂️' + - '🏋🏽‍♀️' + - '🏋🏽' + - '🏋🏽‍♂️' + - '🚴🏽‍♀️' + - '🚴🏽' + - '🚴🏽‍♂️' + - '🚵🏽‍♀️' + - '🚵🏽' + - '🚵🏽‍♂️' + - '🤸🏽‍♀️' + - '🤸🏽' + - '🤸🏽‍♂️' + - '🤽🏽‍♀️' + - '🤽🏽' + - '🤽🏽‍♂️' + - '🤾🏽‍♀️' + - '🤾🏽' + - '🤾🏽‍♂️' + - '🤹🏽‍♀️' + - '🤹🏽' + - '🤹🏽‍♂️' + - '🧘🏽‍♀️' + - '🧘🏽' + - '🧘🏽‍♂️' + - '🛀🏽' + - '🛌🏽' + - '👋🏾' + - '🤚🏾' + - '🖐🏾' + - '✋🏾' + - '🖖🏾' + - '👌🏾' + - '🤌🏾' + - '🤏🏾' + - '✌🏾' + - '🤞🏾' + - '🫰🏾' + - '🤟🏾' + - '🤘🏾' + - '🤙🏾' + - '🫵🏾' + - '🫱🏾' + - '🫲🏾' + - '🫳🏾' + - '🫴🏾' + - '👈🏾' + - '👉🏾' + - '👆🏾' + - '🖕🏾' + - '👇🏾' + - '☝🏾' + - '👍🏾' + - '👎🏾' + - '✊🏾' + - '👊🏾' + - '🤛🏾' + - '🤜🏾' + - '👏🏾' + - '🫶🏾' + - '🙌🏾' + - '👐🏾' + - '🤲🏾' + - '🙏🏾' + - '✍🏾' + - '💪🏾' + - '🦵🏾' + - '🦶🏾' + - '👂🏾' + - '🦻🏾' + - '👃🏾' + - '👶🏾' + - '👧🏾' + - '🧒🏾' + - '👦🏾' + - '👩🏾' + - '🧑🏾' + - '👨🏾' + - '👩🏾‍🦱' + - '🧑🏾‍🦱' + - '👨🏾‍🦱' + - '👩🏾‍🦰' + - '🧑🏾‍🦰' + - '👨🏾‍🦰' + - '👱🏾‍♀️' + - '👱🏾' + - '👱🏾‍♂️' + - '👩🏾‍🦳' + - '🧑🏾‍🦳' + - '👨🏾‍🦳' + - '👩🏾‍🦲' + - '🧑🏾‍🦲' + - '👨🏾‍🦲' + - '🧔🏾‍♀️' + - '🧔🏾' + - '🧔🏾‍♂️' + - '👵🏾' + - '🧓🏾' + - '👴🏾' + - '👲🏾' + - '👳🏾‍♀️' + - '👳🏾' + - '👳🏾‍♂️' + - '🧕🏾' + - '👮🏾‍♀️' + - '👮🏾' + - '👮🏾‍♂️' + - '👷🏾‍♀️' + - '👷🏾' + - '👷🏾‍♂️' + - '💂🏾‍♀️' + - '💂🏾' + - '💂🏾‍♂️' + - '🕵🏾‍♀️' + - '🕵🏾' + - '🕵🏾‍♂️' + - '👩🏾‍⚕️' + - '🧑🏾‍⚕️' + - '👨🏾‍⚕️' + - '👩🏾‍🌾' + - '🧑🏾‍🌾' + - '👨🏾‍🌾' + - '👩🏾‍🍳' + - '🧑🏾‍🍳' + - '👨🏾‍🍳' + - '👩🏾‍🎓' + - '🧑🏾‍🎓' + - '👨🏾‍🎓' + - '👩🏾‍🎤' + - '🧑🏾‍🎤' + - '👨🏾‍🎤' + - '👩🏾‍🏫' + - '🧑🏾‍🏫' + - '👨🏾‍🏫' + - '👩🏾‍🏭' + - '🧑🏾‍🏭' + - '👨🏾‍🏭' + - '👩🏾‍💻' + - '🧑🏾‍💻' + - '👨🏾‍💻' + - '👩🏾‍💼' + - '🧑🏾‍💼' + - '👨🏾‍💼' + - '👩🏾‍🔧' + - '🧑🏾‍🔧' + - '👨🏾‍🔧' + - '👩🏾‍🔬' + - '🧑🏾‍🔬' + - '👨🏾‍🔬' + - '👩🏾‍🎨' + - '🧑🏾‍🎨' + - '👨🏾‍🎨' + - '👩🏾‍🚒' + - '🧑🏾‍🚒' + - '👨🏾‍🚒' + - '👩🏾‍✈️' + - '🧑🏾‍✈️' + - '👨🏾‍✈️' + - '👩🏾‍🚀' + - '🧑🏾‍🚀' + - '👨🏾‍🚀' + - '👩🏾‍⚖️' + - '🧑🏾‍⚖️' + - '👨🏾‍⚖️' + - '👰🏾‍♀️' + - 
'👰🏾' + - '👰🏾‍♂️' + - '🤵🏾‍♀️' + - '🤵🏾' + - '🤵🏾‍♂️' + - '👸🏾' + - '🫅🏾' + - '🤴🏾' + - '🥷🏾' + - '🦸🏾‍♀️' + - '🦸🏾' + - '🦸🏾‍♂️' + - '🦹🏾‍♀️' + - '🦹🏾' + - '🦹🏾‍♂️' + - '🤶🏾' + - '🧑🏾‍🎄' + - '🎅🏾' + - '🧙🏾‍♀️' + - '🧙🏾' + - '🧙🏾‍♂️' + - '🧝🏾‍♀️' + - '🧝🏾' + - '🧝🏾‍♂️' + - '🧛🏾‍♀️' + - '🧛🏾' + - '🧛🏾‍♂️' + - '🧜🏾‍♀️' + - '🧜🏾' + - '🧜🏾‍♂️' + - '🧚🏾‍♀️' + - '🧚🏾' + - '🧚🏾‍♂️' + - '👼🏾' + - '🤰🏾' + - '🫄🏾' + - '🫃🏾' + - '🤱🏾' + - '👩🏾‍🍼' + - '🧑🏾‍🍼' + - '👨🏾‍🍼' + - '🙇🏾‍♀️' + - '🙇🏾' + - '🙇🏾‍♂️' + - '💁🏾‍♀️' + - '💁🏾' + - '💁🏾‍♂️' + - '🙅🏾‍♀️' + - '🙅🏾' + - '🙅🏾‍♂️' + - '🙆🏾‍♀️' + - '🙆🏾' + - '🙆🏾‍♂️' + - '🙋🏾‍♀️' + - '🙋🏾' + - '🙋🏾‍♂️' + - '🧏🏾‍♀️' + - '🧏🏾' + - '🧏🏾‍♂️' + - '🤦🏾‍♀️' + - '🤦🏾' + - '🤦🏾‍♂️' + - '🤷🏾‍♀️' + - '🤷🏾' + - '🤷🏾‍♂️' + - '🙎🏾‍♀️' + - '🙎🏾' + - '🙎🏾‍♂️' + - '🙍🏾‍♀️' + - '🙍🏾' + - '🙍🏾‍♂️' + - '💇🏾‍♀️' + - '💇🏾' + - '💇🏾‍♂️' + - '💆🏾‍♀️' + - '💆🏾' + - '💆🏾‍♂️' + - '🧖🏾‍♀️' + - '🧖🏾' + - '🧖🏾‍♂️' + - '💃🏾' + - '🕺🏾' + - '👩🏾‍🦽' + - '🧑🏾‍🦽' + - '👨🏾‍🦽' + - '👩🏾‍🦼' + - '🧑🏾‍🦼' + - '👨🏾‍🦼' + - '🚶🏾‍♀️' + - '🚶🏾' + - '🚶🏾‍♂️' + - '👩🏾‍🦯' + - '🧑🏾‍🦯' + - '👨🏾‍🦯' + - '🧎🏾‍♀️' + - '🧎🏾' + - '🧎🏾‍♂️' + - '🏃🏾‍♀️' + - '🏃🏾' + - '🏃🏾‍♂️' + - '🧍🏾‍♀️' + - '🧍🏾' + - '🧍🏾‍♂️' + - '👭🏾' + - '🧑🏾‍🤝‍🧑🏾' + - '👬🏾' + - '👫🏾' + - '🧗🏾‍♀️' + - '🧗🏾' + - '🧗🏾‍♂️' + - '🏇🏾' + - '🏂🏾' + - '🏌🏾‍♀️' + - '🏌🏾' + - '🏌🏾‍♂️' + - '🏄🏾‍♀️' + - '🏄🏾' + - '🏄🏾‍♂️' + - '🚣🏾‍♀️' + - '🚣🏾' + - '🚣🏾‍♂️' + - '🏊🏾‍♀️' + - '🏊🏾' + - '🏊🏾‍♂️' + - '⛹🏾‍♀️' + - '⛹🏾' + - '⛹🏾‍♂️' + - '🏋🏾‍♀️' + - '🏋🏾' + - '🏋🏾‍♂️' + - '🚴🏾‍♀️' + - '🚴🏾' + - '🚴🏾‍♂️' + - '🚵🏾‍♀️' + - '🚵🏾' + - '🚵🏾‍♂️' + - '🤸🏾‍♀️' + - '🤸🏾' + - '🤸🏾‍♂️' + - '🤽🏾‍♀️' + - '🤽🏾' + - '🤽🏾‍♂️' + - '🤾🏾‍♀️' + - '🤾🏾' + - '🤾🏾‍♂️' + - '🤹🏾‍♀️' + - '🤹🏾' + - '🤹🏾‍♂️' + - '🧘🏾‍♀️' + - '🧘🏾' + - '🧘🏾‍♂️' + - '🛀🏾' + - '🛌🏾' + - '👋🏿' + - '🤚🏿' + - '🖐🏿' + - '✋🏿' + - '🖖🏿' + - '👌🏿' + - '🤌🏿' + - '🤏🏿' + - '✌🏿' + - '🤞🏿' + - '🫰🏿' + - '🤟🏿' + - '🤘🏿' + - '🤙🏿' + - '🫵🏿' + - '🫱🏿' + - '🫲🏿' + - '🫳🏿' + - '🫴🏿' + - '👈🏿' + - '👉🏿' + - '👆🏿' + - '🖕🏿' + - '👇🏿' + - '☝🏿' + - '👍🏿' + - '👎🏿' + - '✊🏿' + - '👊🏿' + - '🤛🏿' + - '🤜🏿' + - '👏🏿' + - '🫶🏿' + - '🙌🏿' + - '👐🏿' + - '🤲🏿' + - '🙏🏿' + - '✍🏿' + - '🤳🏿' + - 
'💪🏿' + - '🦵🏿' + - '🦶🏿' + - '👂🏿' + - '🦻🏿' + - '👃🏿' + - '👶🏿' + - '👧🏿' + - '🧒🏿' + - '👦🏿' + - '👩🏿' + - '🧑🏿' + - '👨🏿' + - '👩🏿‍🦱' + - '🧑🏿‍🦱' + - '👨🏿‍🦱' + - '👩🏿‍🦰' + - '🧑🏿‍🦰' + - '👨🏿‍🦰' + - '👱🏿‍♀️' + - '👱🏿' + - '👱🏿‍♂️' + - '👩🏿‍🦳' + - '🧑🏿‍🦳' + - '👨🏿‍🦳' + - '👩🏿‍🦲' + - '🧑🏿‍🦲' + - '👨🏿‍🦲' + - '🧔🏿‍♀️' + - '🧔🏿' + - '🧔🏿‍♂️' + - '👵🏿' + - '🧓🏿' + - '👴🏿' + - '👲🏿' + - '👳🏿‍♀️' + - '👳🏿' + - '👳🏿‍♂️' + - '🧕🏿' + - '👮🏿‍♀️' + - '👮🏿' + - '👮🏿‍♂️' + - '👷🏿‍♀️' + - '👷🏿' + - '👷🏿‍♂️' + - '💂🏿‍♀️' + - '💂🏿' + - '💂🏿‍♂️' + - '🕵🏿‍♀️' + - '🕵🏿' + - '🕵🏿‍♂️' + - '👩🏿‍⚕️' + - '🧑🏿‍⚕️' + - '👨🏿‍⚕️' + - '👩🏿‍🌾' + - '🧑🏿‍🌾' + - '👨🏿‍🌾' + - '👩🏿‍🍳' + - '🧑🏿‍🍳' + - '👨🏿‍🍳' + - '👩🏿‍🎓' + - '🧑🏿‍🎓' + - '👨🏿‍🎓' + - '👩🏿‍🎤' + - '🧑🏿‍🎤' + - '👨🏿‍🎤' + - '👩🏿‍🏫' + - '🧑🏿‍🏫' + - '👨🏿‍🏫' + - '👩🏿‍🏭' + - '🧑🏿‍🏭' + - '👨🏿‍🏭' + - '👩🏿‍💻' + - '🧑🏿‍💻' + - '👨🏿‍💻' + - '👩🏿‍💼' + - '🧑🏿‍💼' + - '👨🏿‍💼' + - '👩🏿‍🔧' + - '🧑🏿‍🔧' + - '👨🏿‍🔧' + - '👩🏿‍🔬' + - '🧑🏿‍🔬' + - '👨🏿‍🔬' + - '👩🏿‍🎨' + - '🧑🏿‍🎨' + - '👨🏿‍🎨' + - '👩🏿‍🚒' + - '🧑🏿‍🚒' + - '👨🏿‍🚒' + - '👩🏿‍✈️' + - '🧑🏿‍✈️' + - '👨🏿‍✈️' + - '👩🏿‍🚀' + - '🧑🏿‍🚀' + - '👨🏿‍🚀' + - '👩🏿‍⚖️' + - '🧑🏿‍⚖️' + - '👨🏿‍⚖️' + - '👰🏿‍♀️' + - '👰🏿' + - '👰🏿‍♂️' + - '🤵🏿‍♀️' + - '🤵🏿' + - '🤵🏿‍♂️' + - '👸🏿' + - '🫅🏿' + - '🤴🏿' + - '🥷🏿' + - '🦸🏿‍♀️' + - '🦸🏿' + - '🦸🏿‍♂️' + - '🦹🏿‍♀️' + - '🦹🏿' + - '🦹🏿‍♂️' + - '🤶🏿' + - '🧑🏿‍🎄' + - '🎅🏿' + - '🧙🏿‍♀️' + - '🧙🏿' + - '🧙🏿‍♂️' + - '🧝🏿‍♀️' + - '🧝🏿' + - '🧝🏿‍♂️' + - '🧛🏿‍♀️' + - '🧛🏿' + - '🧛🏿‍♂️' + - '🧜🏿‍♀️' + - '🧜🏿' + - '🧜🏿‍♂️' + - '🧚🏿‍♀️' + - '🧚🏿' + - '🧚🏿‍♂️' + - '👼🏿' + - '🤰🏿' + - '🫄🏿' + - '🫃🏿' + - '🤱🏿' + - '👩🏿‍🍼' + - '🧑🏿‍🍼' + - '👨🏿‍🍼' + - '🙇🏿‍♀️' + - '🙇🏿' + - '🙇🏿‍♂️' + - '💁🏿‍♀️' + - '💁🏿' + - '💁🏿‍♂️' + - '🙅🏿‍♀️' + - '🙅🏿' + - '🙅🏿‍♂️' + - '🙆🏿‍♀️' + - '🙆🏿' + - '🙆🏿‍♂️' + - '🙋🏿‍♀️' + - '🙋🏿' + - '🙋🏿‍♂️' + - '🧏🏿‍♀️' + - '🧏🏿' + - '🧏🏿‍♂️' + - '🤦🏿‍♀️' + - '🤦🏿' + - '🤦🏿‍♂️' + - '🤷🏿‍♀️' + - '🤷🏿' + - '🤷🏿‍♂️' + - '🙎🏿‍♀️' + - '🙎🏿' + - '🙎🏿‍♂️' + - '🙍🏿‍♀️' + - '🙍🏿' + - '🙍🏿‍♂️' + - '💇🏿‍♀️' + - '💇🏿' + - '💇🏿‍♂️' + - '💆🏿‍♀️' + - '💆🏿' + - '💆🏿‍♂️' + - '🧖🏿‍♀️' + - '🧖🏿' + - '🧖🏿‍♂️' + - '💃🏿' + - '🕺🏿' + - '🕴🏿' + - '👩🏿‍🦽' + - '🧑🏿‍🦽' + - '👨🏿‍🦽' + - '👩🏿‍🦼' + 
- '🧑🏿‍🦼' + - '👨🏿‍🦼' + - '🚶🏿‍♀️' + - '🚶🏿' + - '🚶🏿‍♂️' + - '👩🏿‍🦯' + - '🧑🏿‍🦯' + - '👨🏿‍🦯' + - '🧎🏿‍♀️' + - '🧎🏿' + - '🧎🏿‍♂️' + - '🏃🏿‍♀️' + - '🏃🏿' + - '🏃🏿‍♂️' + - '🧍🏿‍♀️' + - '🧍🏿' + - '🧍🏿‍♂️' + - '👭🏿' + - '🧑🏿‍🤝‍🧑🏿' + - '👬🏿' + - '👫🏿' + - '🧗🏿‍♀️' + - '🧗🏿' + - '🧗🏿‍♂️' + - '🏇🏿' + - '🏂🏿' + - '🏌🏿‍♀️' + - '🏌🏿' + - '🏌🏿‍♂️' + - '🏄🏿‍♀️' + - '🏄🏿' + - '🏄🏿‍♂️' + - '🚣🏿‍♀️' + - '🚣🏿' + - '🚣🏿‍♂️' + - '🏊🏿‍♀️' + - '🏊🏿' + - '🏊🏿‍♂️' + - '⛹🏿‍♀️' + - '⛹🏿' + - '⛹🏿‍♂️' + - '🏋🏿‍♀️' + - '🏋🏿' + - '🏋🏿‍♂️' + - '🚴🏿‍♀️' + - '🚴🏿' + - '🚴🏿‍♂️' + - '🚵🏿‍♀️' + - '🚵🏿' + - '🚵🏿‍♂️' + - '🤸🏿‍♀️' + - '🤸🏿' + - '🤸🏿‍♂️' + - '🤽🏿‍♀️' + - '🤽🏿' + - '🤽🏿‍♂️' + - '🤾🏿‍♀️' + - '🤾🏿' + - '🤾🏿‍♂️' + - '🤹🏿‍♀️' + - '🤹🏿' + - '🤹🏿‍♂️' + - '🧘🏿‍♀️' + - '🧘🏿' + - '🧘🏿‍♂️' + - '🛀🏿' + - '🛌🏿' + - '🐶' + - '🐱' + - '🐭' + - '🐹' + - '🐰' + - '🦊' + - '🐻' + - '🐼' + - '🐻‍❄️' + - '🐨' + - '🐯' + - '🦁' + - '🐮' + - '🐷' + - '🐽' + - '🐸' + - '🐵' + - '🙈' + - '🙉' + - '🙊' + - '🐒' + - '🐔' + - '🐧' + - '🐦' + - '🐤' + - '🐣' + - '🐥' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml new file mode 100644 index 00000000000..a8830e43078 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml 
@@ -0,0 +1,1020 @@ +title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 +id: f9578658-9e71-4711-b634-3f9b50cd3c06 +status: experimental +description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. +author: '@Kostastsale, @TheDFIRReport' +references: + - Internal Research +tags: + - attack.defense-evasion +date: 2022-12-05 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: + - '🦆' + - '🦅' + - '🦉' + - '🦇' + - '🐺' + - '🐗' + - '🐴' + - '🦄' + - '🐝' + - '🪱' + - '🐛' + - '🦋' + - '🐌' + - '🐞' + - '🐜' + - '🪰' + - '🪲' + - '🪳' + - '🦟' + - '🦗' + - '🕷' + - '🕸' + - '🦂' + - '🐢' + - '🐍' + - '🦎' + - '🦖' + - '🦕' + - '🐙' + - '🦑' + - '🦐' + - '🦞' + - '🦀' + - '🪸' + - '🐡' + - '🐠' + - '🐟' + - '🐬' + - '🐳' + - '🐋' + - '🦈' + - '🐊' + - '🐅' + - '🐆' + - '🦓' + - '🦍' + - '🦧' + - '🦣' + - '🐘' + - '🦛' + - '🦏' + - '🐪' + - '🐫' + - '🦒' + - '🦘' + - '🦬' + - '🐃' + - '🐂' + - '🐄' + - '🐎' + - '🐖' + - '🐏' + - '🐑' + - '🦙' + - '🐐' + - '🦌' + - '🐕' + - '🐩' + - '🦮' + - '🐕‍🦺' + - '🐈' + - '🐈‍⬛' + - '🪶' + - '🐓' + - '🦃' + - '🦤' + - '🦚' + - '🦜' + - '🦢' + - '🦩' + - '🕊' + - '🐇' + - '🦝' + - '🦨' + - '🦡' + - '🦫' + - '🦦' + - '🦥' + - '🐁' + - '🐀' + - '🐿' + - '🦔' + - '🐾' + - '🐉' + - '🐲' + - '🌵' + - '🎄' + - '🌲' + - '🌳' + - '🌴' + - '🪹' + - '🪺' + - '🪵' + - '🌱' + - '🌿' + - '☘️' + - '🍀' + - '🎍' + - '🪴' + - '🎋' + - '🍃' + - '🍂' + - '🍁' + - '🍄' + - '🐚' + - '🪨' + - '🌾' + - '💐' + - '🌷' + - '🪷' + - '🌹' + - '🥀' + - '🌺' + - '🌸' + - '🌼' + - '🌻' + - '🌞' + - '🌝' + - '🌛' + - '🌜' + - '🌚' + - '🌕' + - '🌖' + - '🌗' + - '🌘' + - '🌑' + - '🌒' + - '🌓' + - '🌔' + - '🌙' + - '🌎' + - '🌍' + - '🌏' + - '🪐' + - '💫' + - '⭐️' + - '🌟' + - '✨' + - '⚡️' + - '☄️' + - '💥' + - '🔥' + - '🌪' + - '🌈' + - '☀️' + - '🌤' + - '⛅️' + - '🌥' + - '☁️' + - '🌦' + - '🌧' + - '⛈' + - '🌩' + - '🌨' + - '❄️' + - '☃️' + - '⛄️' + - '🌬' + - '💨' + - '💧' + - '💦' + - '🫧' + - '☔️' + - '☂️' + - '🌊' + - '🌫🍏' + - '🍎' + - '🍐' + - '🍊' + - '🍋' + - '🍌' + - '🍉' + - 
'🍇' + - '🍓' + - '🫐' + - '🍈' + - '🍒' + - '🍑' + - '🥭' + - '🍍' + - '🥥' + - '🥝' + - '🍅' + - '🍆' + - '🥑' + - '🥦' + - '🥬' + - '🥒' + - '🌶' + - '🫑' + - '🌽' + - '🥕' + - '🫒' + - '🧄' + - '🧅' + - '🥔' + - '🍠' + - '🫘' + - '🥐' + - '🥯' + - '🍞' + - '🥖' + - '🥨' + - '🧀' + - '🥚' + - '🍳' + - '🧈' + - '🥞' + - '🧇' + - '🥓' + - '🥩' + - '🍗' + - '🍖' + - '🦴' + - '🌭' + - '🍔' + - '🍟' + - '🍕' + - '🫓' + - '🥪' + - '🥙' + - '🧆' + - '🌮' + - '🌯' + - '🫔' + - '🥗' + - '🥘' + - '🫕' + - '🥫' + - '🍝' + - '🍜' + - '🍲' + - '🍛' + - '🍣' + - '🍱' + - '🥟' + - '🦪' + - '🍤' + - '🍙' + - '🍚' + - '🍘' + - '🍥' + - '🥠' + - '🥮' + - '🍢' + - '🍡' + - '🍧' + - '🍨' + - '🍦' + - '🥧' + - '🧁' + - '🍰' + - '🎂' + - '🍮' + - '🍭' + - '🍬' + - '🍫' + - '🍿' + - '🍩' + - '🍪' + - '🌰' + - '🥜' + - '🍯' + - '🥛' + - '🍼' + - '🫖' + - '☕️' + - '🍵' + - '🧃' + - '🥤' + - '🧋' + - '🫙' + - '🍶' + - '🍺' + - '🍻' + - '🥂' + - '🍷' + - '🫗' + - '🥃' + - '🍸' + - '🍹' + - '🧉' + - '🍾' + - '🧊' + - '🥄' + - '🍴' + - '🍽' + - '🥣' + - '🥡' + - '🥢' + - '🧂' + - '⚽️' + - '🏀' + - '🏈' + - '⚾️' + - '🥎' + - '🎾' + - '🏐' + - '🏉' + - '🥏' + - '🎱' + - '🪀' + - '🏓' + - '🏸' + - '🏒' + - '🏑' + - '🥍' + - '🏏' + - '🪃' + - '🥅' + - '⛳️' + - '🪁' + - '🏹' + - '🎣' + - '🤿' + - '🥊' + - '🥋' + - '🎽' + - '🛹' + - '🛼' + - '🛷' + - '⛸' + - '🥌' + - '🎿' + - '⛷' + - '🏂' + - '🪂' + - '🏋️‍♀️' + - '🏋️' + - '🏋️‍♂️' + - '🤼‍♀️' + - '🤼' + - '🤼‍♂️' + - '🤸‍♀️' + - '🤸' + - '🤸‍♂️' + - '⛹️‍♀️' + - '⛹️' + - '⛹️‍♂️' + - '🤺' + - '🤾‍♀️' + - '🤾' + - '🤾‍♂️' + - '🏌️‍♀️' + - '🏌️' + - '🏌️‍♂️' + - '🏇' + - '🧘‍♀️' + - '🧘' + - '🧘‍♂️' + - '🏄‍♀️' + - '🏄' + - '🏄‍♂️' + - '🏊‍♀️' + - '🏊' + - '🏊‍♂️' + - '🤽‍♀️' + - '🤽' + - '🤽‍♂️' + - '🚣‍♀️' + - '🚣' + - '🚣‍♂️' + - '🧗‍♀️' + - '🧗' + - '🧗‍♂️' + - '🚵‍♀️' + - '🚵' + - '🚵‍♂️' + - '🚴‍♀️' + - '🚴' + - '🚴‍♂️' + - '🏆' + - '🥇' + - '🥈' + - '🥉' + - '🏅' + - '🎖' + - '🏵' + - '🎗' + - '🎫' + - '🎟' + - '🎪' + - '🤹' + - '🤹‍♂️' + - '🤹‍♀️' + - '🎭' + - '🩰' + - '🎨' + - '🎬' + - '🎤' + - '🎧' + - '🎼' + - '🎹' + - '🥁' + - '🪘' + - '🎷' + - '🎺' + - '🪗' + - '🎸' + - '🪕' + - '🎻' + - '🎲' + - '♟' + - '🎯' + - '🎳' + - '🎮' + - '🎰' + - '🧩' + - '🚗' + - 
'🚕' + - '🚙' + - '🚌' + - '🚎' + - '🏎' + - '🚓' + - '🚑' + - '🚒' + - '🚐' + - '🛻' + - '🚚' + - '🚛' + - '🚜' + - '🦯' + - '🦽' + - '🦼' + - '🛴' + - '🚲' + - '🛵' + - '🏍' + - '🛺' + - '🚨' + - '🚔' + - '🚍' + - '🚘' + - '🚖' + - '🛞' + - '🚡' + - '🚠' + - '🚟' + - '🚃' + - '🚋' + - '🚞' + - '🚝' + - '🚄' + - '🚅' + - '🚈' + - '🚂' + - '🚆' + - '🚇' + - '🚊' + - '🚉' + - '✈️' + - '🛫' + - '🛬' + - '🛩' + - '💺' + - '🛰' + - '🚀' + - '🛸' + - '🚁' + - '🛶' + - '⛵️' + - '🚤' + - '🛥' + - '🛳' + - '⛴' + - '🚢' + - '⚓️' + - '🛟' + - '🪝' + - '⛽️' + - '🚧' + - '🚦' + - '🚥' + - '🚏' + - '🗺' + - '🗿' + - '🗽' + - '🗼' + - '🏰' + - '🏯' + - '🏟' + - '🎡' + - '🎢' + - '🛝' + - '🎠' + - '⛲️' + - '⛱' + - '🏖' + - '🏝' + - '🏜' + - '🌋' + - '⛰' + - '🏔' + - '🗻' + - '🏕' + - '⛺️' + - '🛖' + - '🏠' + - '🏡' + - '🏘' + - '🏚' + - '🏗' + - '🏭' + - '🏢' + - '🏬' + - '🏣' + - '🏤' + - '🏥' + - '🏦' + - '🏨' + - '🏪' + - '🏫' + - '🏩' + - '💒' + - '🏛' + - '⛪️' + - '🕌' + - '🕍' + - '🛕' + - '🕋' + - '⛩' + - '🛤' + - '🛣' + - '🗾' + - '🎑' + - '🏞' + - '🌅' + - '🌄' + - '🌠' + - '🎇' + - '🎆' + - '🌇' + - '🌆' + - '🏙' + - '🌃' + - '🌌' + - '🌉' + - '🌁' + - '⌚️' + - '📱' + - '📲' + - '💻' + - '⌨️' + - '🖥' + - '🖨' + - '🖱' + - '🖲' + - '🕹' + - '🗜' + - '💽' + - '💾' + - '💿' + - '📀' + - '📼' + - '📷' + - '📸' + - '📹' + - '🎥' + - '📽' + - '🎞' + - '📞' + - '☎️' + - '📟' + - '📠' + - '📺' + - '📻' + - '🎙' + - '🎚' + - '🎛' + - '🧭' + - '⏱' + - '⏲' + - '⏰' + - '🕰' + - '⌛️' + - '⏳' + - '📡' + - '🔋' + - '🪫' + - '🔌' + - '💡' + - '🔦' + - '🕯' + - '🪔' + - '🧯' + - '🛢' + - '💸' + - '💵' + - '💴' + - '💶' + - '💷' + - '🪙' + - '💰' + - '💳' + - '💎' + - '⚖️' + - '🪜' + - '🧰' + - '🪛' + - '🔧' + - '🔨' + - '⚒' + - '🛠' + - '⛏' + - '🪚' + - '🔩' + - '⚙️' + - '🪤' + - '🧱' + - '⛓' + - '🧲' + - '🔫' + - '💣' + - '🧨' + - '🪓' + - '🔪' + - '🗡' + - '⚔️' + - '🛡' + - '🚬' + - '⚰️' + - '🪦' + - '⚱️' + - '🏺' + - '🔮' + - '📿' + - '🧿' + - '🪬' + - '💈' + - '⚗️' + - '🔭' + - '🔬' + - '🕳' + - '🩹' + - '🩺' + - '🩻' + - '🩼' + - '💊' + - '💉' + - '🩸' + - '🧬' + - '🦠' + - '🧫' + - '🧪' + - '🌡' + - '🧹' + - '🪠' + - '🧺' + - '🧻' + - '🚽' + - '🚰' + - '🚿' + - '🛁' + - '🛀' + - '🧼' + - '🪥' + 
- '🪒' + - '🧽' + - '🪣' + - '🧴' + - '🛎' + - '🔑' + - '🗝' + - '🚪' + - '🪑' + - '🛋' + - '🛏' + - '🛌' + - '🧸' + - '🪆' + - '🖼' + - '🪞' + - '🪟' + - '🛍' + - '🛒' + - '🎁' + - '🎈' + - '🎏' + - '🎀' + - '🪄' + - '🪅' + - '🎊' + - '🎉' + - '🪩' + - '🎎' + - '🏮' + - '🎐' + - '🧧' + - '✉️' + - '📩' + - '📨' + - '📧' + - '💌' + - '📥' + - '📤' + - '📦' + - '🏷' + - '🪧' + - '📪' + - '📫' + - '📬' + - '📭' + - '📮' + - '📯' + - '📜' + - '📃' + - '📄' + - '📑' + - '🧾' + - '📊' + - '📈' + - '📉' + - '🗒' + - '🗓' + - '📆' + - '📅' + - '🗑' + - '🪪' + - '📇' + - '🗃' + - '🗳' + - '🗄' + - '📋' + - '📁' + - '📂' + - '🗂' + - '🗞' + - '📰' + - '📓' + - '📔' + - '📒' + - '📕' + - '📗' + - '📘' + - '📙' + - '📚' + - '📖' + - '🔖' + - '🧷' + - '🔗' + - '📎' + - '🖇' + - '📐' + - '📏' + - '🧮' + - '📌' + - '📍' + - '✂️' + - '🖊' + - '🖋' + - '✒️' + - '🖌' + - '🖍' + - '📝' + - '✏️' + - '🔍' + - '🔎' + - '🔏' + - '🔐' + - '🔒' + - '🔓❤️' + - '🧡' + - '💛' + - '💚' + - '💙' + - '💜' + - '🖤' + - '🤍' + - '🤎' + - '❤️‍🔥' + - '❤️‍🩹' + - '💔' + - '❣️' + - '💕' + - '💞' + - '💓' + - '💗' + - '💖' + - '💘' + - '💝' + - '💟' + - '☮️' + - '✝️' + - '☪️' + - '🕉' + - '☸️' + - '✡️' + - '🔯' + - '🕎' + - '☯️' + - '☦️' + - '🛐' + - '⛎' + - '♈️' + - '♉️' + - '♊️' + - '♋️' + - '♌️' + - '♍️' + - '♎️' + - '♏️' + - '♐️' + - '♑️' + - '♒️' + - '♓️' + - '🆔' + - '⚛️' + - '🉑' + - '☢️' + - '☣️' + - '📴' + - '📳' + - '🈶' + - '🈚️' + - '🈸' + - '🈺' + - '🈷️' + - '✴️' + - '🆚' + - '💮' + - '🉐' + - '㊙️' + - '㊗️' + - '🈴' + - '🈵' + - '🈹' + - '🈲' + - '🅰️' + - '🅱️' + - '🆎' + - '🆑' + - '🅾️' + - '🆘' + - '❌' + - '⭕️' + - '🛑' + - '⛔️' + - '📛' + - '🚫' + - '💯' + - '💢' + - '♨️' + - '🚷' + - '🚯' + - '🚳' + - '🚱' + - '🔞' + - '📵' + - '🚭' + - '❗️' + - '❕' + - '❓' + - '❔' + - '‼️' + - '⁉️' + - '🔅' + - '🔆' + - '〽️' + - '⚠️' + - '🚸' + - '🔱' + - '⚜️' + - '🔰' + - '♻️' + - '✅' + - '🈯️' + - '💹' + - '❇️' + - '✳️' + - '❎' + - '🌐' + - '💠' + - 'Ⓜ️' + - '🌀' + - '💤' + - '🏧' + - '🚾' + - '♿️' + - '🅿️' + - '🛗' + - '🈳' + - '🈂️' + - '🛂' + - '🛃' + - '🛄' + - '🛅' + - '🚹' + - '🚺' + - '🚼' + - '⚧' + - '🚻' + - '🚮' + - '🎦' + - '📶' + - '🈁' + - '🔣' + - 'ℹ️' + - '🔤' + - 
'🔡' + - '🔠' + - '🆖' + - '🆗' + - '🆙' + - '🆒' + - '🆕' + - '🆓' + - '0️⃣' + - '1️⃣' + - '2️⃣' + - '3️⃣' + - '4️⃣' + - '5️⃣' + - '6️⃣' + - '7️⃣' + - '8️⃣' + - '9️⃣' + - '🔟' + - '🔢' + - '#️⃣' + - '*️⃣' + - '⏏️' + - '▶️' + - '⏸' + - '⏯' + - '⏹' + - '⏺' + - '⏭' + - '⏮' + - '⏩' + - '⏪' + - '⏫' + - '⏬' + - '◀️' + - '🔼' + - '🔽' + - '➡️' + - '⬅️' + - '⬆️' + - '⬇️' + - '↗️' + - '↘️' + - '↙️' + - '↖️' + - '↕️' + - '↔️' + - '↪️' + - '↩️' + - '⤴️' + - '⤵️' + - '🔀' + - '🔁' + - '🔂' + - '🔄' + - '🔃' + - '🎵' + - '🎶' + - '➕' + - '➖' + - '➗' + - '✖️' + - '🟰' + - '♾' + - '💲' + - '💱' + - '™️' + - '©️' + - '®️' + - '〰️' + - '➰' + - '➿' + - '🔚' + - '🔙' + - '🔛' + - '🔝' + - '🔜' + - '✔️' + - '☑️' + - '🔘' + - '🔴' + - '🟠' + - '🟡' + - '🟢' + - '🔵' + - '🟣' + - '⚫️' + - '⚪️' + - '🟤' + - '🔺' + - '🔻' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml new file mode 100644 index 00000000000..55baf53e3a7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml 
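Review bot: The entries `'🌫🍏'` and `'🔓❤️'` in the `CommandLine|contains` list look like two emoji fused into one item at a category boundary (weather→fruit, locks→hearts), so neither 🌫, 🍏, 🔓 nor ❤️ is matched on its own; they should be split into separate `- '…'` entries. Many entries also carry the trailing U+FE0F variation selector (`'⭐️'`, `'⚡️'`, `'☀️'`, `'☄️'`), so a command line that contains the bare base code point (`⭐`, `☀`) does not hit the substring match — dropping the selector is a trivial evasion, and the list should carry the base code point (or both forms). Finally, `level: high` with `falsepositives: Unknown` is optimistic for a rule that fires on any emoji anywhere in a command line; collaboration clients, git commit messages and developer tooling are obvious sources, and I would name them and consider `level: medium` until the rule has been baselined.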
@@ -0,0 +1,765 @@ +title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 +id: 225274c4-8dd1-40db-9e09-71dff4f6fb3c +status: experimental +description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. +author: '@Kostastsale, @TheDFIRReport' +references: + - Internal Research +tags: + - attack.defense-evasion +date: 2022-12-05 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: + - '🔸' + - '🔹' + - '🔶' + - '🔷' + - '🔳' + - '🔲' + - '▪️' + - '▫️' + - '◾️' + - '◽️' + - '◼️' + - '◻️' + - '🟥' + - '🟧' + - '🟨' + - '🟩' + - '🟦' + - '🟪' + - '⬛️' + - '⬜️' + - '🟫' + - '🔈' + - '🔇' + - '🔉' + - '🔊' + - '🔔' + - '🔕' + - '📣' + - '📢' + - '👁‍🗨' + - '💬' + - '💭' + - '🗯' + - '♠️' + - '♣️' + - '♥️' + - '♦️' + - '🃏' + - '🎴' + - '🀄️' + - '🕐' + - '🕑' + - '🕒' + - '🕓' + - '🕔' + - '🕕' + - '🕖' + - '🕗' + - '🕘' + - '🕙' + - '🕚' + - '🕛' + - '🕜' + - '🕝' + - '🕞' + - '🕟' + - '🕠' + - '🕡' + - '🕢' + - '🕣' + - '🕤' + - '🕥' + - '🕦' + - '🕧✢' + - '✣' + - '✤' + - '✥' + - '✦' + - '✧' + - '★' + - '☆' + - '✯' + - '✡︎' + - '✩' + - '✪' + - '✫' + - '✬' + - '✭' + - '✮' + - '✶' + - '✷' + - '✵' + - '✸' + - '✹' + - '→' + - '⇒' + - '⟹' + - '⇨' + - '⇾' + - '➾' + - '⇢' + - '☛' + - '☞' + - '➔' + - '➜' + - '➙' + - '➛' + - '➝' + - '➞' + - '♠︎' + - '♣︎' + - '♥︎' + - '♦︎' + - '♤' + - '♧' + - '♡' + - '♢' + - '♚' + - '♛' + - '♜' + - '♝' + - '♞' + - '♟' + - '♔' + - '♕' + - '♖' + - '♗' + - '♘' + - '♙' + - '⚀' + - '⚁' + - '⚂' + - '⚃' + - '⚄' + - '⚅' + - '🂠' + - '⚈' + - '⚉' + - '⚆' + - '⚇' + - '𓀀' + - '𓀁' + - '𓀂' + - '𓀃' + - '𓀄' + - '𓀅' + - '𓀆' + - '𓀇' + - '𓀈' + - '𓀉' + - '𓀊' + - '𓀋' + - '𓀌' + - '𓀍' + - '𓀎' + - '𓀏' + - '𓀐' + - '𓀑' + - '𓀒' + - '𓀓' + - '𓀔' + - '𓀕' + - '𓀖' + - '𓀗' + - '𓀘' + - '𓀙' + - '𓀚' + - '𓀛' + - '𓀜' + - '𓀝🏳️' + - '🏴' + - '🏁' + - '🚩' + - '🏳️‍🌈' + - '🏳️‍⚧️' + - '🏴‍☠️' + - '🇦🇫' + - '🇦🇽' + - '🇦🇱' + - '🇩🇿' + - '🇦🇸' + - '🇦🇩' + - '🇦🇴' + - '🇦🇮' + - '🇦🇶' + - '🇦🇬' + - '🇦🇷' + - '🇦🇲' + - '🇦🇼' + 
- '🇦🇺' + - '🇦🇹' + - '🇦🇿' + - '🇧🇸' + - '🇧🇭' + - '🇧🇩' + - '🇧🇧' + - '🇧🇾' + - '🇧🇪' + - '🇧🇿' + - '🇧🇯' + - '🇧🇲' + - '🇧🇹' + - '🇧🇴' + - '🇧🇦' + - '🇧🇼' + - '🇧🇷' + - '🇮🇴' + - '🇻🇬' + - '🇧🇳' + - '🇧🇬' + - '🇧🇫' + - '🇧🇮' + - '🇰🇭' + - '🇨🇲' + - '🇨🇦' + - '🇮🇨' + - '🇨🇻' + - '🇧🇶' + - '🇰🇾' + - '🇨🇫' + - '🇹🇩' + - '🇨🇱' + - '🇨🇳' + - '🇨🇽' + - '🇨🇨' + - '🇨🇴' + - '🇰🇲' + - '🇨🇬' + - '🇨🇩' + - '🇨🇰' + - '🇨🇷' + - '🇨🇮' + - '🇭🇷' + - '🇨🇺' + - '🇨🇼' + - '🇨🇾' + - '🇨🇿' + - '🇩🇰' + - '🇩🇯' + - '🇩🇲' + - '🇩🇴' + - '🇪🇨' + - '🇪🇬' + - '🇸🇻' + - '🇬🇶' + - '🇪🇷' + - '🇪🇪' + - '🇪🇹' + - '🇪🇺' + - '🇫🇰' + - '🇫🇴' + - '🇫🇯' + - '🇫🇮' + - '🇫🇷' + - '🇬🇫' + - '🇵🇫' + - '🇹🇫' + - '🇬🇦' + - '🇬🇲' + - '🇬🇪' + - '🇩🇪' + - '🇬🇭' + - '🇬🇮' + - '🇬🇷' + - '🇬🇱' + - '🇬🇩' + - '🇬🇵' + - '🇬🇺' + - '🇬🇹' + - '🇬🇬' + - '🇬🇳' + - '🇬🇼' + - '🇬🇾' + - '🇭🇹' + - '🇭🇳' + - '🇭🇰' + - '🇭🇺' + - '🇮🇸' + - '🇮🇳' + - '🇮🇩' + - '🇮🇷' + - '🇮🇶' + - '🇮🇪' + - '🇮🇲' + - '🇮🇱' + - '🇮🇹' + - '🇯🇲' + - '🇯🇵' + - '🎌' + - '🇯🇪' + - '🇯🇴' + - '🇰🇿' + - '🇰🇪' + - '🇰🇮' + - '🇽🇰' + - '🇰🇼' + - '🇰🇬' + - '🇱🇦' + - '🇱🇻' + - '🇱🇧' + - '🇱🇸' + - '🇱🇷' + - '🇱🇾' + - '🇱🇮' + - '🇱🇹' + - '🇱🇺' + - '🇲🇴' + - '🇲🇰' + - '🇲🇬' + - '🇲🇼' + - '🇲🇾' + - '🇲🇻' + - '🇲🇱' + - '🇲🇹' + - '🇲🇭' + - '🇲🇶' + - '🇲🇷' + - '🇲🇺' + - '🇾🇹' + - '🇲🇽' + - '🇫🇲' + - '🇲🇩' + - '🇲🇨' + - '🇲🇳' + - '🇲🇪' + - '🇲🇸' + - '🇲🇦' + - '🇲🇿' + - '🇲🇲' + - '🇳🇦' + - '🇳🇷' + - '🇳🇵' + - '🇳🇱' + - '🇳🇨' + - '🇳🇿' + - '🇳🇮' + - '🇳🇪' + - '🇳🇬' + - '🇳🇺' + - '🇳🇫' + - '🇰🇵' + - '🇲🇵' + - '🇳🇴' + - '🇴🇲' + - '🇵🇰' + - '🇵🇼' + - '🇵🇸' + - '🇵🇦' + - '🇵🇬' + - '🇵🇾' + - '🇵🇪' + - '🇵🇭' + - '🇵🇳' + - '🇵🇱' + - '🇵🇹' + - '🇵🇷' + - '🇶🇦' + - '🇷🇪' + - '🇷🇴' + - '🇷🇺' + - '🇷🇼' + - '🇼🇸' + - '🇸🇲' + - '🇸🇦' + - '🇸🇳' + - '🇷🇸' + - '🇸🇨' + - '🇸🇱' + - '🇸🇬' + - '🇸🇽' + - '🇸🇰' + - '🇸🇮' + - '🇬🇸' + - '🇸🇧' + - '🇸🇴' + - '🇿🇦' + - '🇰🇷' + - '🇸🇸' + - '🇪🇸' + - '🇱🇰' + - '🇧🇱' + - '🇸🇭' + - '🇰🇳' + - '🇱🇨' + - '🇵🇲' + - '🇻🇨' + - '🇸🇩' + - '🇸🇷' + - '🇸🇿' + - '🇸🇪' + - '🇨🇭' + - '🇸🇾' + - '🇹🇼' + - '🇹🇯' + - '🇹🇿' + - '🇹🇭' + - '🇹🇱' + - '🇹🇬' + - '🇹🇰' + - '🇹🇴' + - '🇹🇹' + - '🇹🇳' + - '🇹🇷' + - '🇹🇲' + - '🇹🇨' + - '🇹🇻' + - '🇻🇮' + - '🇺🇬' + - '🇺🇦' + - '🇦🇪' + - '🇬🇧' + - 
'🏴󠁧󠁢󠁥󠁮󠁧󠁿' + - '🏴󠁧󠁢󠁳󠁣󠁴󠁿' + - '🏴󠁧󠁢󠁷󠁬󠁳󠁿' + - '🇺🇳' + - '🇺🇸' + - '🇺🇾' + - '🇺🇿' + - '🇻🇺' + - '🇻🇦' + - '🇻🇪' + - '🇻🇳' + - '🇼🇫' + - '🇪🇭' + - '🇾🇪' + - '🇿🇲' + - '🇿🇼🫠' + - '🫢' + - '🫣' + - '🫡' + - '🫥' + - '🫤' + - '🥹' + - '🫱' + - '🫱🏻' + - '🫱🏼' + - '🫱🏽' + - '🫱🏾' + - '🫱🏿' + - '🫲' + - '🫲🏻' + - '🫲🏼' + - '🫲🏽' + - '🫲🏾' + - '🫲🏿' + - '🫳' + - '🫳🏻' + - '🫳🏼' + - '🫳🏽' + - '🫳🏾' + - '🫳🏿' + - '🫴' + - '🫴🏻' + - '🫴🏼' + - '🫴🏽' + - '🫴🏾' + - '🫴🏿' + - '🫰' + - '🫰🏻' + - '🫰🏼' + - '🫰🏽' + - '🫰🏾' + - '🫰🏿' + - '🫵' + - '🫵🏻' + - '🫵🏼' + - '🫵🏽' + - '🫵🏾' + - '🫵🏿' + - '🫶' + - '🫶🏻' + - '🫶🏼' + - '🫶🏽' + - '🫶🏾' + - '🫶🏿' + - '🤝🏻' + - '🤝🏼' + - '🤝🏽' + - '🤝🏾' + - '🤝🏿' + - '🫱🏻‍🫲🏼' + - '🫱🏻‍🫲🏽' + - '🫱🏻‍🫲🏾' + - '🫱🏻‍🫲🏿' + - '🫱🏼‍🫲🏻' + - '🫱🏼‍🫲🏽' + - '🫱🏼‍🫲🏾' + - '🫱🏼‍🫲🏿' + - '🫱🏽‍🫲🏻' + - '🫱🏽‍🫲🏼' + - '🫱🏽‍🫲🏾' + - '🫱🏽‍🫲🏿' + - '🫱🏾‍🫲🏻' + - '🫱🏾‍🫲🏼' + - '🫱🏾‍🫲🏽' + - '🫱🏾‍🫲🏿' + - '🫱🏿‍🫲🏻' + - '🫱🏿‍🫲🏼' + - '🫱🏿‍🫲🏽' + - '🫱🏿‍🫲🏾' + - '🫦' + - '🫅' + - '🫅🏻' + - '🫅🏼' + - '🫅🏽' + - '🫅🏾' + - '🫅🏿' + - '🫃' + - '🫃🏻' + - '🫃🏼' + - '🫃🏽' + - '🫃🏾' + - '🫃🏿' + - '🫄' + - '🫄🏻' + - '🫄🏼' + - '🫄🏽' + - '🫄🏾' + - '🫄🏿' + - '🧌' + - '🪸' + - '🪷' + - '🪹' + - '🪺' + - '🫘' + - '🫗' + - '🫙' + - '🛝' + - '🛞' + - '🛟' + - '🪬' + - '🪩' + - '🪫' + - '🩼' + - '🩻' + - '🫧' + - '🪪' + - '🟰' + - '😮‍💨' + - '😵‍💫' + - '😶‍🌫️' + - '❤️‍🔥' + - '❤️‍🩹' + - '🧔‍♀️' + - '🧔🏻‍♀️' + - '🧔🏼‍♀️' + - '🧔🏽‍♀️' + - '🧔🏾‍♀️' + - '🧔🏿‍♀️' + - '🧔‍♂️' + - '🧔🏻‍♂️' + - '🧔🏼‍♂️' + - '🧔🏽‍♂️' + - '🧔🏾‍♂️' + - '🧔🏿‍♂️' + - '💑🏻' + - '💑🏼' + - '💑🏽' + - '💑🏾' + - '💑🏿' + - '💏🏻' + - '💏🏼' + - '💏🏽' + - '💏🏾' + - '💏🏿' + - '👨🏻‍❤️‍👨🏻' + - '👨🏻‍❤️‍👨🏼' + - '👨🏻‍❤️‍👨🏽' + - '👨🏻‍❤️‍👨🏾' + - '👨🏻‍❤️‍👨🏿' + - '👨🏼‍❤️‍👨🏻' + - '👨🏼‍❤️‍👨🏼' + - '👨🏼‍❤️‍👨🏽' + - '👨🏼‍❤️‍👨🏾' + - '👨🏼‍❤️‍👨🏿' + - '👨🏽‍❤️‍👨🏻' + - '👨🏽‍❤️‍👨🏼' + - '👨🏽‍❤️‍👨🏽' + - '👨🏽‍❤️‍👨🏾' + - '👨🏽‍❤️‍👨🏿' + - '👨🏾‍❤️‍👨🏻' + - '👨🏾‍❤️‍👨🏼' + - '👨🏾‍❤️‍👨🏽' + - '👨🏾‍❤️‍👨🏾' + - '👨🏾‍❤️‍👨🏿' + - '👨🏿‍❤️‍👨🏻' + - '👨🏿‍❤️‍👨🏼' + - '👨🏿‍❤️‍👨🏽' + - '👨🏿‍❤️‍👨🏾' + - '👨🏿‍❤️‍👨🏿' + - '👩🏻‍❤️‍👨🏻' + - '👩🏻‍❤️‍👨🏼' + - '👩🏻‍❤️‍👨🏽' + - '👩🏻‍❤️‍👨🏾' + - '👩🏻‍❤️‍👨🏿' + - '👩🏻‍❤️‍👩🏻' + - '👩🏻‍❤️‍👩🏼' + - '👩🏻‍❤️‍👩🏽' + - '👩🏻‍❤️‍👩🏾' + - '👩🏻‍❤️‍👩🏿' + - 
'👩🏼‍❤️‍👨🏻' + - '👩🏼‍❤️‍👨🏼' + - '👩🏼‍❤️‍👨🏽' + - '👩🏼‍❤️‍👨🏾' + - '👩🏼‍❤️‍👨🏿' + - '👩🏼‍❤️‍👩🏻' + - '👩🏼‍❤️‍👩🏼' + - '👩🏼‍❤️‍👩🏽' + - '👩🏼‍❤️‍👩🏾' + - '👩🏼‍❤️‍👩🏿' + - '👩🏽‍❤️‍👨🏻' + - '👩🏽‍❤️‍👨🏼' + - '👩🏽‍❤️‍👨🏽' + - '👩🏽‍❤️‍👨🏾' + - '👩🏽‍❤️‍👨🏿' + - '👩🏽‍❤️‍👩🏻' + - '👩🏽‍❤️‍👩🏼' + - '👩🏽‍❤️‍👩🏽' + - '👩🏽‍❤️‍👩🏾' + - '👩🏽‍❤️‍👩🏿' + - '👩🏾‍❤️‍👨🏻' + - '👩🏾‍❤️‍👨🏼' + - '👩🏾‍❤️‍👨🏽' + - '👩🏾‍❤️‍👨🏾' + - '👩🏾‍❤️‍👨🏿' + - '👩🏾‍❤️‍👩🏻' + - '👩🏾‍❤️‍👩🏼' + - '👩🏾‍❤️‍👩🏽' + - '👩🏾‍❤️‍👩🏾' + - '👩🏾‍❤️‍👩🏿' + - '👩🏿‍❤️‍👨🏻' + - '👩🏿‍❤️‍👨🏼' + - '👩🏿‍❤️‍👨🏽' + - '👩🏿‍❤️‍👨🏾' + - '👩🏿‍❤️‍👨🏿' + - '👩🏿‍❤️‍👩🏻' + - '👩🏿‍❤️‍👩🏼' + - '👩🏿‍❤️‍👩🏽' + - '👩🏿‍❤️‍👩🏾' + - '👩🏿‍❤️‍👩🏿' + - '🧑🏻‍❤️‍🧑🏼' + - '🧑🏻‍❤️‍🧑🏽' + - '🧑🏻‍❤️‍🧑🏾' + - '🧑🏻‍❤️‍🧑🏿' + - '🧑🏼‍❤️‍🧑🏻' + - '🧑🏼‍❤️‍🧑🏽' + - '🧑🏼‍❤️‍🧑🏾' + - '🧑🏼‍❤️‍🧑🏿' + - '🧑🏽‍❤️‍🧑🏻' + - '🧑🏽‍❤️‍🧑🏼' + - '🧑🏽‍❤️‍🧑🏾' + - '🧑🏽‍❤️‍🧑🏿' + - '🧑🏾‍❤️‍🧑🏻' + - '🧑🏾‍❤️‍🧑🏼' + - '🧑🏾‍❤️‍🧑🏽' + - '🧑🏾‍❤️‍🧑🏿' + - '🧑🏿‍❤️‍🧑🏻' + - '🧑🏿‍❤️‍🧑🏼' + - '🧑🏿‍❤️‍🧑🏽' + - '🧑🏿‍❤️‍🧑🏾' + - '👨🏻‍❤️‍💋‍👨🏻' + - '👨🏻‍❤️‍💋‍👨🏼' + - '👨🏻‍❤️‍💋‍👨🏽' + - '👨🏻‍❤️‍💋‍👨🏾' + - '👨🏻‍❤️‍💋‍👨🏿' + - '👨🏼‍❤️‍💋‍👨🏻' + - '👨🏼‍❤️‍💋‍👨🏼' + - '👨🏼‍❤️‍💋‍👨🏽' + - '👨🏼‍❤️‍💋‍👨🏾' + - '👨🏼‍❤️‍💋‍👨🏿' + - '👨🏽‍❤️‍💋‍👨🏻' + - '👨🏽‍❤️‍💋‍👨🏼' + - '👨🏽‍❤️‍💋‍👨🏽' + - '👨🏽‍❤️‍💋‍👨🏾' + - '👨🏽‍❤️‍💋‍👨🏿' + - '👨🏾‍❤️‍💋‍👨🏻' + - '👨🏾‍❤️‍💋‍👨🏼' + - '👨🏾‍❤️‍💋‍👨🏽' + - '👨🏾‍❤️‍💋‍👨🏾' + - '👨🏾‍❤️‍💋‍👨🏿' + - '👨🏿‍❤️‍💋‍👨🏻' + - '👨🏿‍❤️‍💋‍👨🏼' + - '👨🏿‍❤️‍💋‍👨🏽' + - '👨🏿‍❤️‍💋‍👨🏾' + - '👨🏿‍❤️‍💋‍👨🏿' + - '👩🏻‍❤️‍💋‍👨🏻' + - '👩🏻‍❤️‍💋‍👨🏼' + - '👩🏻‍❤️‍💋‍👨🏽' + - '👩🏻‍❤️‍💋‍👨🏾' + - '👩🏻‍❤️‍💋‍👨🏿' + - '👩🏻‍❤️‍💋‍👩🏻' + - '👩🏻‍❤️‍💋‍👩🏼' + - '👩🏻‍❤️‍💋‍👩🏽' + - '👩🏻‍❤️‍💋‍👩🏾' + - '👩🏻‍❤️‍💋‍👩🏿' + - '👩🏼‍❤️‍💋‍👨🏻' + - '👩🏼‍❤️‍💋‍👨🏼' + - '👩🏼‍❤️‍💋‍👨🏽' + - '👩🏼‍❤️‍💋‍👨🏾' + - '👩🏼‍❤️‍💋‍👨🏿' + - '👩🏼‍❤️‍💋‍👩🏻' + - '👩🏼‍❤️‍💋‍👩🏼' + - '👩🏼‍❤️‍💋‍👩🏽' + - '👩🏼‍❤️‍💋‍👩🏾' + - '👩🏼‍❤️‍💋‍👩🏿' + - '👩🏽‍❤️‍💋‍👨🏻' + - '👩🏽‍❤️‍💋‍👨🏼' + - '👩🏽‍❤️‍💋‍👨🏽' + - '👩🏽‍❤️‍💋‍👨🏾' + - '👩🏽‍❤️‍💋‍👨🏿' + - '👩🏽‍❤️‍💋‍👩🏻' + - '👩🏽‍❤️‍💋‍👩🏼' + - '👩🏽‍❤️‍💋‍👩🏽' + - '👩🏽‍❤️‍💋‍👩🏾' + - '👩🏽‍❤️‍💋‍👩🏿' + - '👩🏾‍❤️‍💋‍👨🏻' + - '👩🏾‍❤️‍💋‍👨🏼' + - '👩🏾‍❤️‍💋‍👨🏽' + - '👩🏾‍❤️‍💋‍👨🏾' + - '👩🏾‍❤️‍💋‍👨🏿' + - '👩🏾‍❤️‍💋‍👩🏻' + - '👩🏾‍❤️‍💋‍👩🏼' + - '👩🏾‍❤️‍💋‍👩🏽' + - '👩🏾‍❤️‍💋‍👩🏾' + - 
'👩🏾‍❤️‍💋‍👩🏿' + - '👩🏿‍❤️‍💋‍👨🏻' + - '👩🏿‍❤️‍💋‍👨🏼' + - '👩🏿‍❤️‍💋‍👨🏽' + - '👩🏿‍❤️‍💋‍👨🏾' + - '👩🏿‍❤️‍💋‍👨🏿' + - '👩🏿‍❤️‍💋‍👩🏻' + - '👩🏿‍❤️‍💋‍👩🏼' + - '👩🏿‍❤️‍💋‍👩🏽' + - '👩🏿‍❤️‍💋‍👩🏾' + - '👩🏿‍❤️‍💋‍👩🏿' + - '🧑🏻‍❤️‍💋‍🧑🏼' + - '🧑🏻‍❤️‍💋‍🧑🏽' + - '🧑🏻‍❤️‍💋‍🧑🏾' + - '🧑🏻‍❤️‍💋‍🧑🏿' + - '🧑🏼‍❤️‍💋‍🧑🏻' + - '🧑🏼‍❤️‍💋‍🧑🏽' + - '🧑🏼‍❤️‍💋‍🧑🏾' + - '🧑🏼‍❤️‍💋‍🧑🏿' + - '🧑🏽‍❤️‍💋‍🧑🏻' + - '🧑🏽‍❤️‍💋‍🧑🏼' + - '🧑🏽‍❤️‍💋‍🧑🏾' + - '🧑🏽‍❤️‍💋‍🧑🏿' + - '🧑🏾‍❤️‍💋‍🧑🏻' + - '🧑🏾‍❤️‍💋‍🧑🏼' + - '🧑🏾‍❤️‍💋‍🧑🏽' + - '🧑🏾‍❤️‍💋‍🧑🏿' + - '🧑🏿‍❤️‍💋‍🧑🏻' + - '🧑🏿‍❤️‍💋‍🧑🏼' + - '🧑🏿‍❤️‍💋‍🧑🏽' + - '🧑🏿‍❤️‍💋‍🧑🏾' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml b/rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml new file mode 100644 index 00000000000..bfdca3021d4 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml @@ -0,0 +1,24 @@ +title: Antivirus Filter Driver Disallowed On Dev Drive - Registry +id: 31e124fb-5dc4-42a0-83b3-44a69c77b271 +status: experimental +description: | + Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive". +references: + - https://twitter.com/0gtweet/status/1720419490519752955 +author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)' +date: 2023-11-05 +modified: 2024-08-16 +tags: + - attack.defense-evasion + - attack.t1562.001 +logsource: + category: registry_set + product: windows +detection: + selection: + TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter' + Details: 'DWORD (0x00000000)' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml index db0023f6d26..59be85afc22 100644 
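Review bot: A sizeable part of this list duplicates rule 3 from the same PR — `'♟'`, `'🪸'`, `'🪷'`, `'🪹'`, `'🪺'`, `'🫘'`, `'🟰'`, `'❤️‍🔥'`, `'❤️‍🩹'` and most of the "new emoji" block near the end — so one command line raises two `high` alerts; the list should be de-duplicated against `f9578658-9e71-4711-b634-3f9b50cd3c06`. As in the sibling file, `'🕧✢'`, `'𓀝🏳️'` and `'🇿🇼🫠'` look like two entries fused at a category boundary and match neither symbol on its own. The arrows, stars, chess and card glyphs (`'→'`, `'★'`, `'♔'`, `'♥︎'`) are plain Unicode symbols rather than emoji and appear in ordinary tooling output and installer banners, which deserves an explicit entry under `falsepositives` rather than `Unknown`.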
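Review bot: The description gives an analyst nothing to pivot on — it does not say which key the value lives in or how it is normally written, and the rule only matches the exact `Details` rendering `DWORD (0x00000000)`. I would extend the description with the full path (the hunk shows only `\FilterManager\FltmgrDevDriveAllowAntivirusFilter`; presumably the `FilterManager` key under `HKLM\SYSTEM\CurrentControlSet\Control` — confirm against the reference) and, if a process_creation rule exists for the tool that sets it (`fsutil devdrv`), a `related` entry pointing at it. `falsepositives: Unlikely` is also optimistic for a developer-facing feature that can be rolled out by policy; `Administrators disabling AV filtering on developer volumes by policy` would be a more honest entry.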
--- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -3,7 +3,7 @@ id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
 related:
 - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
 type: similar
-status: experimental
+status: test
 description: |
 Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
 RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
@@ -13,7 +13,7 @@ references:
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
 author: frack113
 date: 2023-01-13
-modified: 2023-12-15
+modified: 2024-08-23
 tags:
 - attack.defense-evasion
 - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml b/rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml
new file mode 100644
index 00000000000..caa54f2997a
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml
@@ -0,0 +1,28 @@
+title: Python Function Execution Security Warning Disabled In Excel - Registry
+id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
+related:
+ - id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
+ type: similar
+status: test
+description: |
+ Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
+ Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
+references:
+ - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
+author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
+date: 2024-08-23
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: '\Microsoft\Office\'
+ TargetObject|endswith: '\Excel\Security\PythonFunctionWarnings'
+ Details: 'DWORD (0x00000001)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
index f9ed701d55c..568327cc99b 100644
--- a/rules/windows/registry/registry_set/registry_set_special_accounts.yml
+++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
@@ -3,6 +3,8 @@ id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
 related:
 - id: 8a58209c-7ae6-4027-afb0-307a78e4589a
 type: obsolete
+ - id: 9ec9fb1b-e059-4489-9642-f270c207923d
+ type: similar
 status: test
 description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
 references:
diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml
index 263f943449d..7939a2860fe 100644
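Review bot: `TargetObject|contains: '\Microsoft\Office\'` also matches the policy hive (`…\Policies\Microsoft\Office\16.0\Excel\Security\PythonFunctionWarnings`) that Group Policy or Intune writes when this setting is deployed centrally, so managed fleets will raise `high` alerts on routine policy refreshes; either record that under `falsepositives` instead of `Unknown` — `Centrally managed deployment of the setting via Group Policy or Intune` — or split the `\Policies\` path into a separate, lower-level selection. The description should also state that `1` is the value that disables the warning, since the rule matches only `DWORD (0x00000001)` and a reviewer currently has to take that mapping on trust from the reference.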
--- a/tests/sigma_cli_conf.yml
+++ b/tests/sigma_cli_conf.yml
@@ -49,9 +49,12 @@ exclusions:
 59e938ff-0d6d-4dc3-b13f-36cc28734d4e: escaped_wildcard
 2e7bbd54-2f26-476e-b4a1-ba5f1a012614: escaped_wildcard
 7c9340a9-e2ee-4e43-94c5-c54ebbea1006: escaped_wildcard
+ 7aaa5739-12fc-41aa-b98b-23ec27d42bdf: escaped_wildcard
+ 95724fc1-a258-4674-97db-a30351981c5a: escaped_wildcard
 # number_as_string
 5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string
 85b88e05-dadc-430b-8a9e-53ff1cd30aae: number_as_string
+ 749c9f5e-b353-4b90-a9c1-05243357ca4b: number_as_string
 # specific_instead_of_generic_logsource
 693a44e9-7f26-4cb6-b787-214867672d3a: specific_instead_of_generic_logsource
 23b71bc5-953e-4971-be4c-c896cda73fc2: specific_instead_of_generic_logsource
From 9c7b8bcd5504d937a19e479886d0752a82965a20 Mon Sep 17 00:00:00 2001 From: peterydzynski <25185548+peterydzynski@users.noreply.github.com> Date: Thu, 29 Aug 2024 14:30:47 -0400 Subject: [PATCH 040/144] Merge PR #4987 from @peterydzynski - Fix `System Network Discovery - macOS` fix: System Network Discovery - macOS - Add additional filter for `wifivelocityd` --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...on_macos_susp_system_network_discovery.yml} | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) rename rules/macos/process_creation/{proc_creation_macos_system_network_discovery.yml => proc_creation_macos_susp_system_network_discovery.yml} (81%)
diff --git a/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml b/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml
similarity index 81%
rename from rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
rename to rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml
index 690993b3b3b..85806dcdeab 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
 author: remotephone, oscd.community
 date: 2020-10-06
-modified: 2022-12-28
+modified: 2024-08-29
 tags:
 - attack.discovery
 - attack.t1016
@@ -14,19 +14,21 @@ logsource:
 product: macos
 category: process_creation
 detection:
- selection1:
+ selection_1:
 Image|endswith:
- - '/netstat'
+ - '/arp'
 - '/ifconfig'
- - '/socketfilterfw'
+ - '/netstat'
 - '/networksetup'
- - '/arp'
- selection2:
+ - '/socketfilterfw'
+ selection_2:
 Image: '/usr/bin/defaults'
 CommandLine|contains|all:
- - 'read'
 - '/Library/Preferences/com.apple.alf'
- condition: 1 of selection*
+ - 'read'
+ filter_main_wifivelocityd:
+ ParentImage|endswith: '/wifivelocityd'
+ condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
 - Legitimate administration activities
 level: informational
From 509120a735d8745564aa289196a64162d68ee92a Mon Sep 17 00:00:00 2001 From: Djordje Lukic <112394060+djlukic@users.noreply.github.com> Date: Thu, 29 Aug 2024 20:41:50 +0200 Subject: [PATCH 041/144] Merge PR #4986 from @djlukic - Multiple FP fixes fix: A Rule Has Been Deleted From The Windows Firewall Exception List - Exclude WinSxS fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Exclude "amsiprovider_x64" fix: Uncommon AppX Package Locations - Exclude additional MS cdn domain fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Enhance filters and exclude empty path --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...ment_server_uncommon_package_locations.yml | 8 ++-- .../win_codeintegrity_attempted_dll_load.yml | 4 +- .../firewall_as/win_firewall_as_add_rule.yml | 39 +++++++++++-------- .../win_firewall_as_delete_rule.yml | 5 ++- 4 files changed, 34 insertions(+), 22 deletions(-)
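Review bot: The new `filter_main_wifivelocityd` uses `ParentImage|endswith: '/wifivelocityd'`, which excludes any parent whose basename is `wifivelocityd` regardless of directory, so a dropper named that way silences every selection in this rule (including the `defaults read com.apple.alf` check); since `selection_2` already pins `Image: '/usr/bin/defaults'` to a full path, the filter should do the same — `ParentImage: '/usr/libexec/wifivelocityd'` if that is where the daemon lives (confirm on a reference host). A one-line comment on the filter naming the FP it suppresses (the daemon appears to run `networksetup`/`ifconfig`-style discovery on its own, inferred from the commit message) would also help the next person tuning it.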
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
index 7e54e98286c..4932cd36fa6 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -9,6 +9,7 @@ references:
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
+modified: 2024-08-29
 tags:
 - attack.defense-evasion
 logsource:
@@ -17,7 +18,7 @@ logsource:
 detection:
 selection:
 EventID: 854
- filter_generic:
+ filter_main_generic:
 Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
 - 'C:\Program Files\WindowsApps\'
@@ -27,11 +28,12 @@ detection:
 - 'C:\Windows\ImmersiveControlPanel\'
 - 'x-windowsupdate://'
 - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
- filter_specific:
+ filter_main_specific:
 Path|contains:
+ - 'https://statics.teams.cdn.live.net/'
 - 'https://statics.teams.cdn.office.net/'
 - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
- condition: selection and not 1 of filter_*
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index f09c8ed6ca5..9e948ae6ae8 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
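Review bot: The new CDN entry is added under `Path|contains`, so any package URI that merely embeds `https://statics.teams.cdn.live.net/` — for instance as a query parameter on an attacker-controlled host — is excluded, and the pre-existing `'microsoft.com'` entry in the same list has the same weakness (`microsoft.com.attacker.tld` and `attacker.tld/microsoft.com/` both pass). For the URL-style exclusions `Path|startswith: 'https://statics.teams.cdn.live.net/'` is the safer modifier, assuming `Path` carries the raw package URI as the `file://` comment suggests; the bare `microsoft.com` entry would need to become a list of the actual origins seen (`https://go.microsoft.com/` and so on). Note also that `filter_main_specific` is applied unconditionally, whereas an exclusion for a particular vendor CDN reads more like a `filter_optional_*` group.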
@@ -11,7 +11,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-01-20
-modified: 2023-11-15
+modified: 2024-08-29
 tags:
 - attack.execution
 logsource:
@@ -97,6 +97,8 @@ detection:
 - '\Program Files\McAfee\MfeAV\AMSIExt.dll'
 filter_optional_eset:
 FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
+ filter_optional_comodo:
+ FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
index b6c1d02021d..9bf0300ab9f 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
@@ -6,7 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022-02-19
-modified: 2024-05-10
+modified: 2024-08-29
 tags:
 - attack.defense-evasion
 - attack.t1562.004
@@ -22,25 +22,32 @@ detection:
 filter_main_block:
 Action: 2 # Block
 filter_main_generic:
- ApplicationPath|contains:
- - ':\Program Files (x86)\'
- - ':\Program Files\'
- - ':\Windows\System32\'
- - ':\Windows\SysWOW64\'
- - ':\Windows\WinSxS\'
+ ApplicationPath|startswith:
+ - 'C:\Program Files (x86)\'
+ - 'C:\Program Files\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
 filter_optional_msmpeng:
- ModifyingApplication|contains|all:
- - ':\ProgramData\Microsoft\Windows Defender\Platform\'
- - '\MsMpEng.exe'
+ ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ ModifyingApplication|endswith: '\MsMpEng.exe'
 filter_main_covered_paths: # This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
 ApplicationPath|contains:
- - ':\PerfLogs\'
- - ':\Temp\'
- - ':\Tmp\'
- - ':\Users\Public\'
- - ':\Windows\Tasks\'
- - ':\Windows\Temp\'
+ - 'C:\PerfLogs\'
+ - 'C:\Temp\'
+ - 'C:\Tmp\'
+ - 'C:\Users\Public\'
+ - 'C:\Windows\Tasks\'
+ - 'C:\Windows\Temp\'
 - '\AppData\Local\Temp\'
+ filter_optional_no_path:
+ # This filter filters a lot of FPs related to Windows Services
+ ModifyingApplication:
+ - 'C:\Windows\System32\svchost.exe'
+ - 'C:\Windows\System32\dllhost.exe'
+ ApplicationPath: ''
+ filter_main_null:
+ ApplicationPath: null
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 level: medium
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
index 82539c5b44d..f7992f8f12d 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
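Review bot: `filter_main_null` discards every event whose `ApplicationPath` is null with no constraint on the modifying process, which is exactly what a program-agnostic allow rule (protocol/port only, e.g. `netsh advfirewall firewall add rule ... localport=4444` without `program=`) looks like, so the rule goes blind to one of the classic persistence/C2 openings; `filter_optional_no_path` already scopes the empty-path case to svchost/dllhost, and the null case should be folded in there — `ApplicationPath:` / `- ''` / `- null` under `filter_optional_no_path` — with `filter_main_null` dropped, assuming the backend surfaces an absent field as null rather than `''` (worth confirming, since only one of the two will ever match). Separately, replacing `contains ':\Program Files\'` with `startswith 'C:\Program Files\'` closes the `C:\Users\Public\Program Files\x.exe` bypass but also hard-codes the system drive, so installs on `D:` now alert where they did not before; if that is intended, a one-line comment on `filter_main_generic` saying so would stop the next contributor from "fixing" it back.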
@@ -6,7 +6,7 @@ references: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022-02-19 -modified: 2023-06-12 +modified: 2024-08-29 tags: - attack.defense-evasion - attack.t1562.004 @@ -20,8 +20,9 @@ detection: - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11) filter_main_generic: ModifyingApplication|startswith: - - 'C:\Program Files\' - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\Windows\WinSxS\' filter_main_svchost: ModifyingApplication: 'C:\Windows\System32\svchost.exe' filter_optional_msmpeng: From 9eb4dea0a68da569d878861a07636192ff5515f9 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 10:01:12 +0200 Subject: [PATCH 042/144] Merge PR #4992 from @nasbench - Archive new rule references and update cache file chore: archive new rule references and update cache file Co-authored-by: nasbench --- .github/latest_archiver_output.md | 1018 +++++++++++++++-------------- tests/rule-references.txt | 17 + 2 files changed, 539 insertions(+), 496 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index d598550c261..e445e4a230d 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md 
@@ -1,548 +1,574 @@ # Reference Archiver Results -Last Execution: 2024-08-15 02:17:53 +Last Execution: 2024-09-01 02:07:53 ### Archiver Script Results #### Newly Archived References -- https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38 -- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf -- https://www.loobins.io/binaries/sysctl/# -- https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua -- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32 -- https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf +N/A #### Already Archived References -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus -- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice -- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete -- https://tria.ge/240301-rk34sagf5x/behavioral2 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services -- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties -- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent -- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ -- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil -- https://twitter.com/DTCERT/status/1712785426895839339 -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment -- https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip -- https://help.duo.com/s/article/6327?language=en_US -- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights -- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ -- https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html -- https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) -- 
https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass -- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware -- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec -- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity +- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini +- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn +- https://www.ammyy.com/en/admin_features.html +- https://blog.sekoia.io/darkgate-internals/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4 +- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983 +- https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities +- https://github.com/amjcyber/EDRNoiseMaker +- https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/ +- https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts +- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide +- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 +- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 #### Error While Archiving References -- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://www.sans.org/cyber-security-summit/archives -- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 -- 
https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://redcanary.com/blog/msix-installers/ +- https://x.com/yarden_shafir/status/1822667605175324787 +- https://github.com/rapid7/metasploit-framework/issues/11337 - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- 
https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps -- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://evasions.checkpoint.com/techniques/macos.html -- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html -- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 -- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- 
https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf -- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown -- https://www.loobins.io/binaries/hdiutil/ -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ -- https://tria.ge/240123-rapteaahhr/behavioral1 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://tria.ge/231023-lpw85she57/behavioral2 -- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change -- https://support.google.com/a/answer/9261439 -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt -- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- 
https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac - https://cloud.google.com/access-context-manager/docs/audit-logging -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 +- 
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 -- https://www.tarasco.org/security/pwdump_7/ -- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html -- 
https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://ss64.com/osx/sw_vers.html +- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ - https://paper.seebug.org/1495/ -- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt -- https://www.loobins.io/binaries/tmutil/ -- 
https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://www.anyviewer.com/help/remote-technical-support.html +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://labs.withsecure.com/publications/kapeka +- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer +- https://github.com/nettitude/SharpWSUS +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 +- 
https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://ss64.com/mac/chflags.html +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html +- https://megatools.megous.com/ +- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set +- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- https://github.com/amjcyber/EDRNoiseMaker -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html -- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 -- 
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ -- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 -- https://github.com/embedi/CVE-2017-11882 -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- https://www.loobins.io/binaries/tmutil/ +- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 +- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf -- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ -- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- 
https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://www.tenable.com/security/research/tra-2023-11 +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf +- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- https://twitter.com/TheDFIRReport/status/1482078434327244805 +- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy +- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ +- https://tria.ge/220422-1pw1pscfdl/ +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://securelist.com/network-tunneling-with-qemu/111803/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://www.tarasco.org/security/pwdump_7/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- 
https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://github.com/gentilkiwi/mimikatz +- https://objective-see.org/blog/blog_0x1E.html +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://www.loobins.io/binaries/hdiutil/ +- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly +- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- https://github.com/grayhatkiller/SharpExShell +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 +- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 +- https://adsecurity.org/?p=3513 +- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- https://ss64.com/mac/hdiutil.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor +- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml +- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ +- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://ss64.com/nt/shell.html +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://www.huntress.com/blog/attacking-mssql-servers +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- 
https://learn.microsoft.com/en-us/windows/client-management/manage-recall +- https://objective-see.org/blog/blog_0x6D.html +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://linux.die.net/man/1/arecord +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://tria.ge/220422-1nnmyagdf2/ +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://evasions.checkpoint.com/techniques/macos.html +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- +- 
https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://ipurple.team/2024/07/15/sharphound-detection/ +- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://adsecurity.org/?p=1785 +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii - https://tria.ge/240226-fhbe7sdc39/behavioral1 -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://www.elastic.co/security-labs/operation-bleeding-bear -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://bazaar.abuse.ch/browse/tag/one/ +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- 
https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content +- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ - https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://www.tenable.com/security/research/tra-2023-11 -- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://anydesk.com/en/changelog/windows -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://github.com/GhostPack/SharpDPAPI +- 
https://twitter.com/Cryptolaemus1/status/1517634855940632576 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://unit42.paloaltonetworks.com/chromeloader-malware/ - https://www.loobins.io/binaries/nscurl/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ -- https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml -- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://twitter.com/standa_t/status/1808868985678803222 +- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ - https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://redcanary.com/blog/msix-installers/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- 
https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain +- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- https://trustedsec.com/blog/oops-i-udld-it-again +- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 +- 
https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://twitter.com/1ZRR4H/status/1537501582727778304 +- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 +- https://twitter.com/0gtweet/status/1720419490519752955 +- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://news.ycombinator.com/item?id=29504755 +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://www.softperfect.com/products/networkscanner/ +- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://pentestlab.blog/tag/svchost/ +- https://www.cyberciti.biz/faq/linux-remove-user-command/ +- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ +- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf +- 
https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://asec.ahnlab.com/en/78944/ +- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html +- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- 
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +- https://docs.microsoft.com/en-us/sql/tools/bcp-utility +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- https://github.com/CICADA8-Research/RemoteKrbRelay -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://tria.ge/240731-jh4crsycnb/behavioral2 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://github.com/rapid7/metasploit-framework/issues/11337 -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://linux.die.net/man/1/arecord -- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://ngrok.com/blog-post/new-ngrok-domains 
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 -- https://boinc.berkeley.edu/ -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script - https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps +- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior -- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ +- 
https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://www.action1.com/documentation/ +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/ +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://www.loobins.io/binaries/pbpaste/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ +- https://www.elastic.co/security-labs/operation-bleeding-bear +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- 
https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 +- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://github.com/antonioCoco/RoguePotato +- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ - https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ -- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- https://objective-see.org/blog/blog_0x1E.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ -- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 -- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 -- https://github.com/GhostPack/SharpDPAPI -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd -- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly -- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://www.loobins.io/binaries/launchctl/ -- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ -- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ - https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- 
https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb -- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ -- https://adsecurity.org/?p=1785 -- https://labs.withsecure.com/publications/kapeka -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://github.com/gentilkiwi/mimikatz -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- 
https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4 -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://redcanary.com/blog/threat-detection/process-masquerading/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://boinc.berkeley.edu/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser +- https://www.loobins.io/binaries/launchctl/ +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://github.com/FalconForceTeam/SOAPHound +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown +- 
https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue -- https://pentestlab.blog/tag/svchost/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators -- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 -- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac -- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 +- https://tria.ge/231023-lpw85she57/behavioral2 +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa +- https://securelist.com/network-tunneling-with-qemu/111803/ +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 - 
https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ -- https://twitter.com/standa_t/status/1808868985678803222 +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) - https://cloud.google.com/logging/docs/audit/understanding-audit-logs -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 -- https://twitter.com/DTCERT/status/1712785421845790799 -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname +- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- 
https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://asec.ahnlab.com/en/61000/ +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://anydesk.com/en/changelog/windows +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps +- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- https://ss64.com/osx/sw_vers.html -- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks -- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 +- https://ss64.com/nt/set.html +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- https://support.google.com/a/answer/9261439 +- 
https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER +- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp +- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://www.trustedsec.com/blog/art_of_kerberoast/ +- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://github.com/grayhatkiller/SharpExShell -- https://megatools.megous.com/ -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- 
https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ +- https://twitter.com/Kostastsale/status/1480716528421011458 +- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- 
https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture -- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ -- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass -- https://www.cve.org/CVERecord?id=CVE-2024-1709 -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://twitter.com/MsftSecIntel/status/1737895710169628824 - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) -- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- 
https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ +- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html - https://localtonet.com/documents/supported-tunnels -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ -- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ -- https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 -- https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- 
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps -- https://www.softperfect.com/products/networkscanner/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections -- https://ss64.com/mac/hdiutil.html -- https://github.com/antonioCoco/RoguePotato -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://objective-see.org/blog/blog_0x6D.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- https://news.ycombinator.com/item?id=29504755 -- https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb +- 
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://twitter.com/DTCERT/status/1712785421845790799 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ - https://github.com/0xthirteen/SharpMove/ -- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://www.loobins.io/binaries/pbpaste/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- 
https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
+- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
+- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
+- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
+- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
 - https://www.loobins.io/binaries/xattr/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
-- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
-- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
-- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
-- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
-- https://twitter.com/MsftSecIntel/status/1737895710169628824
+- https://www.sans.org/cyber-security-summit/archives
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
+- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
+- https://github.com/embedi/CVE-2017-11882
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
+- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
+- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
+- https://tria.ge/240731-jh4crsycnb/behavioral2
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
+- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
+- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
 - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
-- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
-- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
-- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
-- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
-- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
-- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
-- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
-- https://blog.sekoia.io/darkgate-internals/
-- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
-- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
-- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
-- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
-- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
-- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
-- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
+- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
+- https://redcanary.com/blog/threat-detection/process-masquerading/
+- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
+- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
+- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
+- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
+- https://twitter.com/th3_protoCOL/status/1480621526764322817
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
+- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
+- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
+- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
+- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
+- https://ngrok.com/blog-post/new-ngrok-domains
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
+- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
+- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
+- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
index cd41296ed3e..fdacaf0dce0 100644
--- a/tests/rule-references.txt
+++ b/tests/rule-references.txt
@@ -3774,3 +3774,20 @@ https://www.loobins.io/binaries/sysctl/#
 https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
 https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
 https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
+https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
+https://www.ammyy.com/en/admin_features.html
+https://blog.sekoia.io/darkgate-internals/
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
+https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
+https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
+https://github.com/amjcyber/EDRNoiseMaker
+https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
+https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
+https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
+https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
+https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
+https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
From 839f5636f5c0e89422c195939642aa3bcfcd22f1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 10:01:36 +0200 Subject: [PATCH 043/144] Merge PR #4991 from @nasbench - Promote older rules status from `experimental` to `test` chore: promote older rules status from `experimental` to `test` Co-authored-by: nasbench --- .../proc_creation_win_exploit_cve_2020_1472_zero_poc.yml | 2 +- ...creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml | 2 +- ...tion_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml | 2 +- .../proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml | 2 +- .../proc_creation_win_malware_chrome_loader_execution.yml | 2 +- .../proc_creation_win_malware_raspberry_robin_execution.yml | 2 +- ...creation_win_malware_raspberry_robin_external_drive_exec.yml | 2 +- ..._creation_win_malware_serpent_backdoor_payload_execution.yml | 2 +- .../cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml | 2 +- .../CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml | 2 +- ...oit_cve_2023_34362_moveit_transfer_exploitation_activity.yml | 2 +- .../file_event_win_exploit_cve_2023_36874_wermgr_creation.yml | 2 +- ..._exploit_cve_2023_43261_milesight_information_disclosure.yml | 2 +- ..._exploit_cve_2023_43261_milesight_information_disclosure.yml | 2 +- .../file_event_win_malware_darkgate_autoit3_binary_creation.yml | 2 +- ...n_malware_darkgate_autoit3_from_susp_parent_and_location.yml | 2 +- .../proc_creation_win_malware_darkgate_net_user_creation.yml | 2 +- .../GuLoader/proc_creation_win_malware_guloader_execution.yml | 2 +- .../Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml | 2 +- .../dns_query_win_apt_diamond_steel_indicators.yml | 2 +- .../file_event_win_apt_diamond_sleet_indicators.yml | 2 +- .../TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml | 2 +- .../proc_creation_win_apt_diamond_sleet_indicators.yml | 2 +- .../registry_event_apt_diamond_sleet_scheduled_task.yml | 2 +- 
.../win_security_apt_diamond_sleet_scheduled_task.yml | 2 +- .../TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml | 2 +- .../okta_apt_suspicious_user_creation.yml | 2 +- .../TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml | 2 +- .../m365/audit/microsoft365_susp_email_forwarding_activity.yml | 2 +- .../cloud/okta/okta_password_health_report_query.yml | 2 +- .../file/file_event/file_event_win_susp_binary_dropper.yml | 2 +- .../file/file_event/file_event_win_vscode_tunnel_indicators.yml | 2 +- .../proc_creation_win_regsvr32_dllregisterserver_exec.yml | 2 +- ...emote_access_tools_action1_code_exec_and_remote_sessions.yml | 2 +- .../proc_creation_win_rundll32_dllregisterserver.yml | 2 +- .../process_creation/proc_creation_win_taskkill_execution.yml | 2 +- rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml | 2 +- rules/cloud/okta/okta_admin_activity_from_proxy_query.yml | 2 +- rules/cloud/okta/okta_password_in_alternateid_field.yml | 2 +- rules/cloud/okta/okta_user_created.yml | 2 +- .../process_creation/proc_creation_lnx_susp_hktl_execution.yml | 2 +- .../win_app_remote_access_tools_screenconnect_command_exec.yml | 2 +- .../win_app_remote_access_tools_screenconnect_file_transfer.yml | 2 +- .../builtin/security/win_security_kerberoasting_activity.yml | 2 +- .../win_system_kdcsvc_cert_use_no_strong_mapping.yml | 2 +- .../file_event_win_powershell_module_uncommon_creation.yml | 2 +- ..._event_win_remote_access_tools_screenconnect_remote_file.yml | 2 +- .../file_event_win_susp_hidden_dir_index_allocation.yml | 2 +- .../file_event/file_event_win_susp_lnk_double_extension.yml | 2 +- .../file/file_event/file_event_win_taskmgr_lsass_dump.yml | 2 +- .../file_event_win_vscode_tunnel_remote_creation_artefacts.yml | 2 +- .../file_event_win_vscode_tunnel_renamed_execution.yml | 2 +- rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml | 2 +- .../posh_ps_get_process_security_software_discovery.yml | 2 +- 
.../proc_creation_win_certoc_download_direct_ip.yml | 2 +- .../proc_creation_win_curl_download_direct_ip_exec.yml | 2 +- .../proc_creation_win_office_exec_from_trusted_locations.yml | 2 +- ...oc_creation_win_office_onenote_embedded_script_execution.yml | 2 +- .../proc_creation_win_powershell_download_cradle_obfuscated.yml | 2 +- ...ion_win_registry_office_disable_python_security_warnings.yml | 2 +- .../windows/process_creation/proc_creation_win_renamed_curl.yml | 2 +- .../process_creation/proc_creation_win_schtasks_system.yml | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_1.yml | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_2.yml | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_3.yml | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_4.yml | 2 +- .../proc_creation_win_susp_hidden_dir_index_allocation.yml | 2 +- .../proc_creation_win_susp_obfuscated_ip_via_cli.yml | 2 +- .../proc_creation_win_vscode_child_processes_anomalies.yml | 2 +- .../proc_creation_win_vscode_tunnel_execution.yml | 2 +- .../proc_creation_win_vscode_tunnel_remote_shell_.yml | 2 +- .../proc_creation_win_vscode_tunnel_service_install.yml | 2 +- .../registry_event/registry_set_enable_anonymous_connection.yml | 2 +- .../registry_set_powershell_enablescripts_enabled.yml | 2 +- 74 files changed, 74 insertions(+), 74 deletions(-) diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml index ae9ff1a4edf..0f095a35648 100644 --- a/rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml +++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml 
@@ -1,6 +1,6 @@
 title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
 id: dcc6a01e-9471-44a0-a699-71ea96f8ed8b
-status: experimental
+status: test
 description: Detects the execution of the commonly used ZeroLogon PoC executable.
 references:
 - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml
index 489254786ee..de05e72b807 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
 id: 3eb91f0a-0060-424a-a676-59f5fdd75610
-status: experimental
+status: test
 description: |
 Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
 references:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml
index 07d61ccd766..7ee1656b253 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml
@@ -1,6 +1,6 @@ title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution id: 5660d8db-6e25-411f-b92f-094420168a5d -status: experimental +status: test description: | Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application. diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml index f0cf1fe2ee6..ac147a22f92 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml @@ -1,6 +1,6 @@ title: Suspicious Sysmon as Execution Parent id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3 -status: experimental +status: test description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120) references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120 diff --git a/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml b/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml index ea7fe91ca12..64fac0615e6 100644 --- a/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml +++ b/rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml 
@@ -1,6 +1,6 @@
 title: ChromeLoader Malware Execution
 id: 0a74c5a9-1b71-4475-9af2-7829d320d5c2
-status: experimental
+status: test
 description: Detects execution of ChromeLoader malware via a registered scheduled task
 references:
 - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
diff --git a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml
index 1e63b4f2904..143f181f135 100644
--- a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml
+++ b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml
@@ -3,7 +3,7 @@ id: d52d2e87-eb03-4fac-961d-eb616da79788
 related:
 - id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
 type: similar
-status: experimental
+status: test
 description: Detects raspberry robin subsequent execution of commands.
 references:
 - https://redcanary.com/blog/raspberry-robin/
diff --git a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml
index dd9af0d0450..95711d5c537 100644
--- a/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml
+++ b/rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml
@@ -3,7 +3,7 @@ id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
 related:
 - id: d52d2e87-eb03-4fac-961d-eb616da79788
 type: similar
-status: experimental
+status: test
 description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
 references:
 - https://redcanary.com/blog/raspberry-robin/
diff --git a/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml b/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml index d7c1e22fc30..72962ce2f2c 100644 --- a/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml +++ b/rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml @@ -1,6 +1,6 @@ title: Serpent Backdoor Payload Execution Via Scheduled Task id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639 -status: experimental +status: test description: | Detects post exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml index 435b685782f..1c48babab40 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml @@ -1,6 +1,6 @@ title: Exploitation Indicators Of CVE-2023-20198 id: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b -status: experimental +status: test description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI. references: - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml index 72a6705ec73..73ef23c8cfa 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml @@ -1,6 +1,6 @@ title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84 -status: experimental +status: test description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation. references: - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml index 35b92509931..d6ac97d381c 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml @@ -1,6 +1,6 @@ title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE id: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79 -status: experimental +status: test description: | Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
index 4cf28f65147..58e9685c8ef 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
@@ -1,6 +1,6 @@
 title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
 id: ad0960eb-0015-4d16-be13-b3d9f18f1342
-status: experimental
+status: test
 description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
 references:
 - https://github.com/Wh04m1001/CVE-2023-36874
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml
index 6c52dc6757f..a9ef63b89ec 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml
@@ -3,7 +3,7 @@ id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
 related:
 - id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
 type: similar
-status: experimental
+status: test
 description: |
 Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.
 references:
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml index 159fc6365b5..ba79fd6a4e2 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml @@ -3,7 +3,7 @@ id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7 related: - id: f48f5368-355c-4a1b-8bf5-11c13d589eaa type: similar -status: experimental +status: test description: | Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs. references: diff --git a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml index 991c48dbd0d..746d7d30693 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml @@ -1,6 +1,6 @@ title: DarkGate - Autoit3.EXE File Creation By Uncommon Process id: 1a433e1d-03d2-47a6-8063-ece992cf4e73 -status: experimental +status: test description: | Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs 
diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml index 54553892cde..ace21abd121 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml @@ -1,6 +1,6 @@ title: DarkGate - Autoit3.EXE Execution Parameters id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d -status: experimental +status: test description: | Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate diff --git a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml index bf34f3a418f..f3d1b831100 100644 --- a/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml +++ b/rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml @@ -1,6 +1,6 @@ title: DarkGate - User Created Via Net.EXE id: bf906d7b-7070-4642-8383-e404cf26eba5 -status: experimental +status: test description: Detects creation of local users via the net.exe command with the name of "DarkGate" references: - Internal Research diff --git a/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml index 56a80458131..ad63c36c688 100644 
--- a/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml +++ b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml @@ -1,6 +1,6 @@ title: Injected Browser Process Spawning Rundll32 - GuLoader Activity id: 89e1490f-1a3e-452a-bbb8-b68a5f58072f -status: experimental +status: test description: | Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process. diff --git a/rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml b/rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml index e17e3c710a6..63457e26d60 100644 --- a/rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml +++ b/rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml @@ -1,6 +1,6 @@ title: Ursnif Redirection Of Discovery Commands id: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf -status: experimental +status: test description: | Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware. references: diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml index 60363ca0947..b8914fc38a0 100644 --- a/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml +++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml 
@@ -1,6 +1,6 @@
 title: Diamond Sleet APT DNS Communication Indicators
 id: fba38e0f-4607-4344-bb8f-a4b50cdeef7f
-status: experimental
+status: test
 description: Detects DNS queries related to Diamond Sleet APT activity
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
index 11959b9cbdc..1f08fe48865 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml
@@ -1,6 +1,6 @@
 title: Diamond Sleet APT File Creation Indicators
 id: e1212b32-55ff-4dfb-a595-62b572248056
-status: experimental
+status: test
 description: Detects file creation activity that is related to Diamond Sleet APT activity
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
index d4d0bac8baf..7b39993e8f4 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
@@ -1,6 +1,6 @@
 title: Diamond Sleet APT DLL Sideloading Indicators
 id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
-status: experimental
+status: test
 description: Detects DLL sideloading activity seen used by Diamond Sleet APT
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
index 5d98be1edc5..289b86ecc6a 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
@@ -1,6 +1,6 @@
 title: Diamond Sleet APT Process Activity Indicators
 id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2
-status: experimental
+status: test
 description: Detects process creation activity indicators related to Diamond Sleet APT
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
index 1cb6ea199db..4b03169c6e8 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
@@ -1,6 +1,6 @@
 title: Diamond Sleet APT Scheduled Task Creation - Registry
 id: 9f9f92ba-5300-43a4-b435-87d1ee571688
-status: experimental
+status: test
 description: |
     Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
 references:
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
index 7a3d5065765..5c2be9e3867 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
@@ -1,6 +1,6 @@
 title: Diamond Sleet APT Scheduled Task Creation
 id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d
-status: experimental
+status: test
 description: |
     Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
 references:
diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
index b9bbfecc6ef..32ea28202e0 100644
--- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
+++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
@@ -1,6 +1,6 @@
 title: Lazarus APT DLL Sideloading Activity
 id: 24007168-a26b-4049-90d0-ce138e13a5cf
-status: experimental
+status: test
 description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
 references:
     - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
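Review bot: The description in the `win_security_apt_diamond_sleet_scheduled_task.yml` hunk reads `Detects registry event related to the creation of a scheduled task…`, byte-identical to the sibling `registry_event_…` rule, while the file name and the `win_security_` prefix point at the Windows Security event log rather than a registry source (the logsource block lies outside the hunk, so this is inferred from the path). Promoting the rule to `test` status with that text leaves analysts with an alert whose description names the wrong data source. Suggest `description: Detects the creation of a scheduled task (Security event log) used by Diamond Sleet APT during exploitation of TeamCity CVE-2023-42793` after confirming it against the rule's actual logsource.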
diff --git a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml index 5db5d4e613a..705617120f3 100644 --- a/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml +++ b/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml @@ -1,6 +1,6 @@ title: Okta 2023 Breach Indicator Of Compromise id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5 -status: experimental +status: test description: | Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement. diff --git a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml index 953359270b3..cda5059dbb9 100644 --- a/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml +++ b/rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml @@ -1,6 +1,6 @@ title: Onyx Sleet APT File Creation Indicators id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b -status: experimental +status: test description: Detects file creation activity that is related to Onyx Sleet APT activity references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml index 0fb920cc85b..ab06ca5890c 100644 --- a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml 
+++ b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml @@ -1,6 +1,6 @@ title: Mail Forwarding/Redirecting Activity In O365 id: c726e007-2cd0-4a55-abfb-79730fbedee5 -status: experimental +status: test description: Detects email forwarding or redirecting acitivty in O365 Audit logs. references: - https://redcanary.com/blog/email-forwarding-rules/ diff --git a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml index 7adda976246..ae0f0019bf2 100644 --- a/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml +++ b/rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml @@ -1,6 +1,6 @@ title: Okta Password Health Report Query id: 0d58814b-1660-4d31-8c93-d1086ed24cba -status: experimental +status: test description: | Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI. Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml index 9ecf86a3d8b..464bd86f246 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml @@ -1,6 +1,6 @@ title: Creation of an Executable by an Executable id: 297afac9-5d02-4138-8c58-b977bac60556 -status: experimental +status: test description: Detects the creation of an executable by another executable. references: - Internal Research 
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml index 6eb4fcc37b4..32152a09cf3 100644 --- a/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml +++ b/rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml @@ -1,6 +1,6 @@ title: VsCode Code Tunnel Execution File Indicator id: 9661ec9d-4439-4a7a-abed-d9be4ca43b6d -status: experimental +status: test description: | Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel references: diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml index 599882c5b24..c8ee47894b0 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml @@ -3,7 +3,7 @@ id: ce2c44b5-a6ac-412a-afba-9e89326fa972 related: - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e type: similar -status: experimental +status: test description: | Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'. diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml index f199dadcfa0..2eb0f4820dc 100644 
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions id: aa3168fb-d594-4f93-a92d-7a9ba675b766 -status: experimental +status: test description: | Detects the execution of Action1 in order to execute arbitrary code or establish a remote session. diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml index 7fa3c27662c..065909254c3 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml @@ -3,7 +3,7 @@ id: d81a9fc6-55db-4461-b962-0e78fea5b0ad related: - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32 type: similar -status: experimental +status: test description: | Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path. references: diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml index cd49e96d9ea..3d743b7bed5 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml 
@@ -1,6 +1,6 @@ title: Process Terminated Via Taskkill id: 86085955-ea48-42a2-9dd3-85d4c36b167d -status: experimental +status: test description: | Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server. diff --git a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml index ec6e805d955..ede3b688d93 100644 --- a/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml +++ b/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml @@ -1,6 +1,6 @@ title: AWS S3 Bucket Versioning Disable id: a136ac98-b2bc-4189-a14d-f0d0388e57a7 -status: experimental +status: test description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects. references: - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 diff --git a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml index 7b9cadb89f7..7fe6b305231 100644 --- a/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml +++ b/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml @@ -1,6 +1,6 @@ title: Okta Admin Functions Access Through Proxy id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309 -status: experimental +status: test description: Detects access to Okta admin functions through proxy. references: - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach diff --git a/rules/cloud/okta/okta_password_in_alternateid_field.yml b/rules/cloud/okta/okta_password_in_alternateid_field.yml index 30daec17d92..dbbc14c17c7 100644 --- a/rules/cloud/okta/okta_password_in_alternateid_field.yml 
+++ b/rules/cloud/okta/okta_password_in_alternateid_field.yml @@ -1,6 +1,6 @@ title: Potential Okta Password in AlternateID Field id: 91b76b84-8589-47aa-9605-c837583b82a9 -status: experimental +status: test description: | Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files. diff --git a/rules/cloud/okta/okta_user_created.yml b/rules/cloud/okta/okta_user_created.yml index 43a0a2b18bf..b988412d354 100644 --- a/rules/cloud/okta/okta_user_created.yml +++ b/rules/cloud/okta/okta_user_created.yml @@ -1,6 +1,6 @@ title: New Okta User Created id: b6c718dd-8f53-4b9f-98d8-93fdca966969 -status: experimental +status: test description: Detects new user account creation author: Nasreddine Bencherchali (Nextron Systems) date: 2023-10-25 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml index 4b41010ac4e..73526a6df76 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml @@ -1,6 +1,6 @@ title: Linux HackTool Execution id: a015e032-146d-4717-8944-7a1884122111 -status: experimental +status: test description: Detects known hacktool execution based on image name. references: - https://github.com/Gui774ume/ebpfkit diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml index 3f457d197ae..5709cd6b86f 100644 --- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml +++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml 
@@ -3,7 +3,7 @@ id: 076ebe48-cc05-4d8f-9d41-89245cd93a14 related: - id: b1f73849-6329-4069-bc8f-78a604bb8b23 type: similar -status: experimental +status: test description: Detects command execution via ScreenConnect RMM references: - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling diff --git a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml index 2cbd3dc6bea..7e4d942d715 100644 --- a/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml +++ b/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml @@ -3,7 +3,7 @@ id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13 related: - id: b1f73849-6329-4069-bc8f-78a604bb8b23 type: similar -status: experimental +status: test description: Detects file being transferred via ScreenConnect RMM references: - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling diff --git a/rules/windows/builtin/security/win_security_kerberoasting_activity.yml b/rules/windows/builtin/security/win_security_kerberoasting_activity.yml index 188672a89da..6f6e09b98bc 100644 --- a/rules/windows/builtin/security/win_security_kerberoasting_activity.yml +++ b/rules/windows/builtin/security/win_security_kerberoasting_activity.yml @@ -1,6 +1,6 @@ title: Kerberoasting Activity - Initial Query id: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59 -status: experimental +status: test description: | This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. 
diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml index dcc6b71cd3b..3f5fa11d5c2 100644 --- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml +++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml @@ -1,6 +1,6 @@ title: Certificate Use With No Strong Mapping id: 993c2665-e6ef-40e3-a62a-e1a97686af79 -status: experimental +status: test description: | Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml index bef429acffb..6ffb31e5b1b 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml @@ -1,6 +1,6 @@ title: PowerShell Module File Created By Non-PowerShell Process id: e3845023-ca9a-4024-b2b2-5422156d5527 -status: experimental +status: test description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process references: - Internal Research 
diff --git a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml index cfda56f4d67..03026bda38f 100644 --- a/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml +++ b/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml @@ -3,7 +3,7 @@ id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5 related: - id: b1f73849-6329-4069-bc8f-78a604bb8b23 type: similar -status: experimental +status: test description: | Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution. diff --git a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml index e3380dffd59..a6d21c786e2 100644 --- a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml +++ b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml @@ -3,7 +3,7 @@ id: a8f866e1-bdd4-425e-a27a-37619238d9c7 related: - id: 0900463c-b33b-49a8-be1d-552a3b553dae type: similar -status: experimental +status: test description: | Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe" references: diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml index 496898d7ff8..7762eb87672 100644 --- a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml 
+++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
@@ -3,7 +3,7 @@ id: 3215aa19-f060-4332-86d5-5602511f3ca8
 related:
     - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
       type: derived
-status: experimental
+status: test
 description: |
     Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
 references:
diff --git a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
index dd73e1b6929..968797ea807 100644
--- a/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml
@@ -1,6 +1,6 @@
 title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
 id: 69ca12af-119d-44ed-b50f-a47af0ebc364
-status: experimental
+status: test
 description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
 author: Swachchhanda Shrawan Poudel
 date: 2023-10-19
diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml
index b514ffe6d52..d74cae70573 100644
--- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml
+++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml
@@ -1,6 +1,6 @@
 title: Visual Studio Code Tunnel Remote File Creation
 id: 56e05d41-ce99-4ecd-912d-93f019ee0b71
-status: experimental
+status: test
 description: |
     Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
 references:
diff --git a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
index ceba72ef558..2f4bc5e1f0e 100644
--- a/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
+++ b/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml
@@ -1,6 +1,6 @@
 title: Renamed VsCode Code Tunnel Execution - File Indicator
 id: d102b8f5-61dc-4e68-bd83-9a3187c67377
-status: experimental
+status: test
 description: |
     Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
 references:
diff --git a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
index 9773510d21e..986444a2c66 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
@@ -1,6 +1,6 @@
 title: HackTool - CoercedPotato Named Pipe Creation
 id: 4d0083b3-580b-40da-9bba-626c19fe4033
-status: experimental
+status: test
 description: Detects the pattern of a pipe name as used by the hack tool CoercedPotato
 references:
     - https://blog.hackvens.fr/articles/CoercedPotato.html
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml
index 118cfd53206..6e5dedd4304 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml
@@ -1,6 +1,6 @@ title: Security Software Discovery Via Powershell Script id: 904e8e61-8edf-4350-b59c-b905fc8e810c -status: experimental +status: test description: | Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml index c00e0f69406..bb4b23779ad 100644 --- a/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml @@ -3,7 +3,7 @@ id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a related: - id: 70ad0861-d1fe-491c-a45f-fa48148a300d type: similar -status: experimental +status: test description: Detects when a user downloads a file from an IP based URL using CertOC.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Certoc/ diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml index 7b0b7dce1fd..d4174b490e9 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml @@ -3,7 +3,7 @@ id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218 related: - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 type: similar -status: experimental +status: test description: Detects file downloads directly from IP address URL using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers 
diff --git a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml index dc850edb394..17e672543f4 100644 --- a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Office Document Executed From Trusted Location id: f99abdf0-6283-4e71-bd2b-b5c048a94743 -status: experimental +status: test description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code. references: - Internal Research diff --git a/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml b/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml index 69ac465849c..bd3518e03eb 100644 --- a/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml @@ -1,6 +1,6 @@ title: OneNote.EXE Execution of Malicious Embedded Scripts id: 84b1706c-932a-44c4-ae28-892b28a25b94 -status: experimental +status: test description: | Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories. diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml index 5d266405671..9eddc842c16 100644 
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml @@ -1,6 +1,6 @@ title: Obfuscated PowerShell OneLiner Execution id: 44e24481-6202-4c62-9127-5a0ae8e3fe3d -status: experimental +status: test description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory. author: '@Kostastsale, @TheDFIRReport' references: diff --git a/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml b/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml index 6c70c6abe44..81984c068e3 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml @@ -3,7 +3,7 @@ id: 023c654f-8f16-44d9-bb2b-00ff36a62af9 related: - id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44 type: similar -status: experimental +status: test description: | Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. diff --git a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml index 6d964cf0fa6..590e23495e3 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml 
@@ -1,6 +1,6 @@
 title: Renamed CURL.EXE Execution
 id: 7530cd3d-7671-43e3-b209-976966f6ea48
-status: experimental
+status: test
 description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
 references:
     - https://twitter.com/Kostastsale/status/1700965142828290260
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
index d6eac695b55..c3423c667f8 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
@@ -1,6 +1,6 @@
 title: Schtasks Creation Or Modification With SYSTEM Privileges
 id: 89ca78fd-b37c-4310-b3d3-81a023f83936
-status: experimental
+status: test
 description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
 references:
     - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml
index 40d26c24a2f..049e0bbc8de 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml
@@ -1,6 +1,6 @@
 title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
 id: 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259
-status: experimental
+status: test
 description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
 author: '@Kostastsale, @TheDFIRReport'
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml
index 834f7c81cd9..198cd3b4815 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml
@@ -1,6 +1,6 @@
 title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
 id: c98f2a0d-e1b8-4f76-90d3-359caf88d6b9
-status: experimental
+status: test
 description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
 author: '@Kostastsale, @TheDFIRReport'
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml
index a8830e43078..6f4c5cf5fc3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml
@@ -1,6 +1,6 @@
 title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
 id: f9578658-9e71-4711-b634-3f9b50cd3c06
-status: experimental
+status: test
 description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
 author: '@Kostastsale, @TheDFIRReport'
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml
index 55baf53e3a7..c5342fbf9de 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml
@@ -1,6 +1,6 @@
 title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
 id: 225274c4-8dd1-40db-9e09-71dff4f6fb3c
-status: experimental
+status: test
 description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
 author: '@Kostastsale, @TheDFIRReport'
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
index 8dbabf5e305..47fa7ee7bc6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
@@ -3,7 +3,7 @@ id: 0900463c-b33b-49a8-be1d-552a3b553dae
 related:
     - id: a8f866e1-bdd4-425e-a27a-37619238d9c7
       type: similar
-status: experimental
+status: test
 description: |
     Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
index 5fd7eb597e9..cc245f66044 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
@@ -1,6 +1,6 @@
 title: Obfuscated IP Via CLI
 id: 56d19cb4-6414-4769-9644-1ed35ffbb148
-status: experimental
+status: test
 description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
 references:
     - https://h.43z.one/ipconverter/
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
index 1538402e677..4f7df9b16cf 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
@@ -1,6 +1,6 @@ title: Potentially Suspicious Child Process Of VsCode id: 5a3164f2-b373-4152-93cf-090b13c12d27 -status: experimental +status: test description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. references: - https://twitter.com/nas_bench/status/1618021838407495681 diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml index 33ab564561d..291eb6b300b 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Execution id: 90d6bd71-dffb-4989-8d86-a827fedd6624 -status: experimental +status: test description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml index c73c51207c6..4177a6d8081 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Shell Execution id: f4a623c2-4ef5-4c33-b811-0642f702c9f1 -status: experimental +status: test description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ 
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml index bb20a7ae017..17487bd4338 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml @@ -1,6 +1,6 @@ title: Visual Studio Code Tunnel Service Installation id: 30bf1789-379d-4fdc-900f-55cd0a90a801 -status: experimental +status: test description: Detects the installation of VsCode tunnel (code-tunnel) as a service. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ diff --git a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml index 9ed2f7e71f4..ec642ca43c8 100644 --- a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml +++ b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml @@ -1,6 +1,6 @@ title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback id: 4d431012-2ab5-4db7-a84e-b29809da2172 -status: experimental +status: test description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship. references: - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista diff --git a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml index d17f5d335a5..77f0c5311c4 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml 
@@ -3,7 +3,7 @@ id: 8218c875-90b9-42e2-b60d-0b0069816d10 related: - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 type: derived -status: experimental +status: test description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. references: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts From 3e2f8d5abacf98b7fc399084848d683d1cefc598 Mon Sep 17 00:00:00 2001 
From: Murphy0801 Date: Mon, 2 Sep 2024 07:19:31 -0400 Subject: [PATCH 044/144] Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins new: Capsh Shell Invocation - Linux new: Inline Python Execution - Spawn Shell Via OS System Library new: Shell Execution GCC - Linux new: Shell Execution via Find - Linux new: Shell Execution via Flock - Linux new: Shell Execution via Git - Linux new: Shell Execution via Nice - Linux new: Shell Execution via Rsync - Linux new: Shell Invocation via Env Command - Linux new: Shell Invocation Via Ssh - Linux new: Suspicious Invocation of Shell via AWK - Linux --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...proc_creation_lnx_apt_shell_execution.yml} | 7 +++- .../proc_creation_lnx_awk_shell_spawn.yml | 38 +++++++++++++++++++ ...oc_creation_lnx_capsh_shell_invocation.yml | 24 ++++++++++++ ...proc_creation_lnx_env_shell_invocation.yml | 29 ++++++++++++++ ...proc_creation_lnx_find_shell_execution.yml | 33 ++++++++++++++++ ...roc_creation_lnx_flock_shell_execution.yml | 31 +++++++++++++++ .../proc_creation_lnx_gcc_shell_execution.yml | 36 ++++++++++++++++++ .../proc_creation_lnx_git_shell_execution.yml | 29 ++++++++++++++ ...proc_creation_lnx_nice_shell_execution.yml | 29 ++++++++++++++ ...oc_creation_lnx_python_shell_os_system.yml | 38 +++++++++++++++++++ ...roc_creation_lnx_rsync_shell_execution.yml | 29 ++++++++++++++ .../proc_creation_lnx_ssh_shell_execution.yml | 36 ++++++++++++++++++ ...proc_creation_lnx_vim_shell_execution.yml} | 15 +++++--- 13 files changed, 366 insertions(+), 8 deletions(-) rename rules/linux/process_creation/{proc_creation_lnx_gtfobin_apt.yml => proc_creation_lnx_apt_shell_execution.yml} (64%) create mode 100644 rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml create mode 100644 
rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml rename rules/linux/process_creation/{proc_creation_lnx_gtfobin_vim.yml => proc_creation_lnx_vim_shell_execution.yml} (77%) diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml b/rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml similarity index 64% rename from rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml rename to rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml index c5f75e71dc0..0628ece1bac 100644 --- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml +++ b/rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml 
@@ -1,12 +1,15 @@ -title: Apt GTFOBin Abuse - Linux +title: Shell Invocation via Apt - Linux id: bb382fd5-b454-47ea-a264-1828e4c766d6 status: test -description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution +description: | + Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. + Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: - https://gtfobins.github.io/gtfobins/apt/ - https://gtfobins.github.io/gtfobins/apt-get/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-12-28 +modified: 2024-09-02 tags: - attack.discovery - attack.t1083 diff --git a/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml new file mode 100644 index 00000000000..74b6e875f4c --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml 
@@ -0,0 +1,38 @@ +title: Suspicious Invocation of Shell via AWK - Linux +id: 8c1a5675-cb85-452f-a298-b01b22a51856 +status: experimental +description: | + Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function. + This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation. +references: + - https://gtfobins.github.io/gtfobins/awk/#shell + - https://gtfobins.github.io/gtfobins/gawk/#shell + - https://gtfobins.github.io/gtfobins/nawk/#shell + - https://gtfobins.github.io/gtfobins/mawk/#shell +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection_img: + Image|endswith: + - '/awk' + - '/gawk' + - '/mawk' + - '/nawk' + CommandLine|contains: 'BEGIN {system' + selection_cli: + CommandLine|contains: + - '/bin/bash' + - '/bin/dash' + - '/bin/fish' + - '/bin/sh' + - '/bin/zsh' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml b/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml new file mode 100644 index 00000000000..7dedb608ea3 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml 
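Review bot: The awk selection matches the literal `BEGIN {system`, so it depends on exactly one space between `BEGIN` and `{`; the same invocation written with different whitespace falls outside the rule. Splitting the token, e.g. `CommandLine|contains|all:` with `- 'BEGIN'` and `- 'system('`, keeps the intent and is whitespace-agnostic when combined with the shell-path list in `selection_cli`. The description should also read `or its sibling commands` rather than `it's`.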
@@ -0,0 +1,24 @@ +title: Capsh Shell Invocation - Linux +id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a +status: experimental +description: | + Detects the use of the "capsh" utility to invoke a shell. +references: + - https://gtfobins.github.io/gtfobins/capsh/#shell + - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/capsh' + CommandLine|endswith: ' --' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml b/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml new file mode 100644 index 00000000000..655c4682c30 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml @@ -0,0 +1,29 @@ +title: Shell Invocation via Env Command - Linux +id: bed978f8-7f3a-432b-82c5-9286a9b3031a +status: experimental +description: | + Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands. +references: + - https://gtfobins.github.io/gtfobins/env/#shell + - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/env' + CommandLine|endswith: + - '/bin/bash' + - '/bin/dash' + - '/bin/fish' + - '/bin/sh' + - '/bin/zsh' + condition: selection +falsepositives: + - Github operations such as ghe-backup +level: high 
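Review bot: `CommandLine|endswith: ' --'` only fires when the double dash is the final token of the command line, so an invocation that passes further arguments after `--` is outside the rule's coverage. Adding `- ' -- '` as a `CommandLine|contains` entry next to the `endswith` would widen it without matching long options such as `--print`, which a bare `contains: ' --'` would. With `falsepositives` set to `Unknown`, a sentence in the description on why a trailing `--` is the indicator would help analysts triage hits.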
diff --git a/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml new file mode 100644 index 00000000000..f6509084122 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml @@ -0,0 +1,33 @@ +title: Shell Execution via Find - Linux +id: 6adfbf8f-52be-4444-9bac-81b539624146 +status: experimental +description: | + Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt. +references: + - https://gtfobins.github.io/gtfobins/find/#shell + - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.discovery + - attack.t1083 +logsource: + category: process_creation + product: linux +detection: + selection_img: + Image|endswith: '/find' + CommandLine|contains|all: + - ' . ' + - '-exec' + selection_cli: + CommandLine|contains: + - '/bin/bash' + - '/bin/dash' + - '/bin/fish' + - '/bin/sh' + - '/bin/zsh' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml new file mode 100644 index 00000000000..a2a6138b419 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml 
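Review bot: The find rule tags a shell-execution behaviour as `attack.discovery` / `attack.t1083`, while the sibling rules added in the same commit (awk, capsh, env, git, python, rsync, ssh) use `attack.execution` / `attack.t1059` for the same behaviour; the flock, gcc and nice hunks carry the same discovery tags. Unless this is intentionally inherited from the apt/vim rules, `- attack.execution` and `- attack.t1059` would match the descriptions. The `' . '` entry in `selection_img` also pins detection to a search rooted at the current directory, so `-exec` with any other start path is not covered; whether to drop it and rely on `-exec` plus the shell-path list in `selection_cli` should be weighed against the extra false positives that brings.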
@@ -0,0 +1,31 @@ +title: Shell Execution via Flock - Linux +id: 4b09c71e-4269-4111-9cdd-107d8867f0cc +status: experimental +description: | + Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. +references: + - https://gtfobins.github.io/gtfobins/flock/#shell + - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.discovery + - attack.t1083 +logsource: + category: process_creation + product: linux +detection: + selection_img: + Image|endswith: '/flock' + CommandLine|contains: ' -u ' + selection_cli: + CommandLine|contains: + - '/bin/bash' + - '/bin/dash' + - '/bin/fish' + - '/bin/sh' + - '/bin/zsh' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml new file mode 100644 index 00000000000..cc542deaeb8 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml 
@@ -0,0 +1,36 @@ +title: Shell Execution GCC - Linux +id: 9b5de532-a757-4d70-946c-1f3e44f48b4d +status: experimental +description: | + Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. +references: + - https://gtfobins.github.io/gtfobins/gcc/#shell + - https://gtfobins.github.io/gtfobins/c89/#shell + - https://gtfobins.github.io/gtfobins/c99/#shell + - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.discovery + - attack.t1083 +logsource: + category: process_creation + product: linux +detection: + selection_img: + Image|endswith: + - '/c89' + - '/c99' + - '/gcc' + CommandLine|contains: '-wrapper' + selection_cli: + CommandLine|contains: + - '/bin/bash,-s' + - '/bin/dash,-s' + - '/bin/fish,-s' + - '/bin/sh,-s' + - '/bin/zsh,-s' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml new file mode 100644 index 00000000000..d2d94b54536 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml 
@@ -0,0 +1,29 @@ +title: Shell Execution via Git - Linux +id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a +status: experimental +description: | + Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. +references: + - https://gtfobins.github.io/gtfobins/git/#shell +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection: + ParentImage|endswith: '/git' + ParentCommandLine|contains|all: + - ' -p ' + - 'help' + CommandLine|contains: + - 'bash 0<&1' + - 'dash 0<&1' + - 'sh 0<&1' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml new file mode 100644 index 00000000000..9ea19c3325b --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml 
@@ -0,0 +1,29 @@ +title: Shell Execution via Nice - Linux +id: 093d68c7-762a-42f4-9f46-95e79142571a +status: experimental +description: | + Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. +references: + - https://gtfobins.github.io/gtfobins/nice/#shell + - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.discovery + - attack.t1083 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/nice' + CommandLine|endswith: + - '/bin/bash' + - '/bin/dash' + - '/bin/fish' + - '/bin/sh' + - '/bin/zsh' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml b/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml new file mode 100644 index 00000000000..23b10f60df9 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml 
@@ -0,0 +1,38 @@ +title: Inline Python Execution - Spawn Shell Via OS System Library +id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc +status: experimental +description: | + Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell. +references: + - https://gtfobins.github.io/gtfobins/python/#shell +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection_img: + - Image|endswith: + - '/python' + - '/python2' + - '/python3' + - Image|contains: + - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink + - '/python3.' + selection_cli: + CommandLine|contains|all: + - ' -c ' + - 'os.system(' + CommandLine|contains: + - '/bin/bash' + - '/bin/dash' + - '/bin/fish' + - '/bin/sh' + - '/bin/zsh' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml new file mode 100644 index 00000000000..0e68d8e950c --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml 
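Review bot: The inline comment on the `Image|contains` entries states that the python image is "always" of the form `python3.10`, yet the same selection keeps the unversioned `/python`, `/python2` and `/python3` endings, so the comment contradicts the rule it annotates. Rewording it as a hedge explains why both forms are listed, e.g. `# Image usually resolves to the versioned binary (e.g. python3.10); the unversioned names are kept for logs that report the symlink path`.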
@@ -0,0 +1,29 @@ +title: Shell Execution via Rsync - Linux +id: e2326866-609f-4015-aea9-7ec634e8aa04 +status: experimental +description: | + Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. +references: + - https://gtfobins.github.io/gtfobins/rsync/#shell +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-09-02 +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection_img: + Image|endswith: '/rsync' + CommandLine|contains: ' -e ' + selection_cli: + CommandLine|contains: + - 'sh 0<&2 1>&2' + - 'sh 1>&2 0<&2' + selection_null: + CommandLine|contains: '/dev/null' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml new file mode 100644 index 00000000000..65c95f0fba3 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml 
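Review bot: The description says `Detects the use of the "gcc" utility to execute a shell.`, a copy-paste leftover from the gcc rule; it should read `Detects the use of the "rsync" utility to execute a shell.`. `selection_null` additionally requires `/dev/null` on the command line, which ties the rule to the exact example in the reference; if the indicator is the `-e` option combined with an inline shell redirect, `selection_img` and `selection_cli` already express that and `selection_null` could be dropped or given a comment explaining why it is required.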
@@ -0,0 +1,36 @@ +title: Shell Invocation Via Ssh - Linux +id: 8737b7f6-8df3-4bb7-b1da-06019b99b687 +status: experimental +description: | + Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. +references: + - https://gtfobins.github.io/gtfobins/ssh/ + - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) +date: 2024-08-29 +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection_img: + Image|endswith: '/ssh' + CommandLine|contains: + - 'ProxyCommand=;' + - 'permitlocalcommand=yes' + - 'localhost' + selection_cli: + CommandLine|contains: + - '/bin/bash' + - '/bin/dash' + - '/bin/fish' + - '/bin/sh' + - '/bin/zsh' + - 'sh 0<&2 1>&2' + - 'sh 1>&2 0<&2' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml similarity index 77% rename from rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml rename to rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml index 0228c228358..8d1e79788d1 100644 --- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml +++ b/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml 
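Review bot: `'localhost'` in `selection_img` is a far broader token than the other two entries: together with the `/bin/bash` list in `selection_cli` it matches routine automation such as `ssh localhost /bin/bash -c '...'`, while `falsepositives` only says `Unknown`. If it is there for the `LocalCommand` variant, `permitlocalcommand=yes` already covers that case and `localhost` could be dropped; otherwise the expected benign matches should be listed under `falsepositives`. The hunk also carries `date: 2024-08-29` while every other new rule in this commit uses `2024-09-02`.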
@@ -1,13 +1,16 @@ title: Vim GTFOBin Abuse - Linux id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea status: test -description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution +description: | + Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands. + Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. references: - https://gtfobins.github.io/gtfobins/vim/ - https://gtfobins.github.io/gtfobins/rvim/ - https://gtfobins.github.io/gtfobins/vimdiff/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-12-28 +modified: 2024-09-02 tags: - attack.discovery - attack.t1083 @@ -17,22 +20,22 @@ logsource: detection: selection_img: Image|endswith: - - '/vim' - '/rvim' + - '/vim' - '/vimdiff' CommandLine|contains: - - ' -c ' - ' --cmd' + - ' -c ' selection_cli: CommandLine|contains: - ':!/' - - ':py ' - ':lua ' - - '/bin/sh' + - ':py ' - '/bin/bash' - '/bin/dash' - - '/bin/zsh' - '/bin/fish' + - '/bin/sh' + - '/bin/zsh' condition: all of selection_* falsepositives: - Unknown From bd284a997b1f32b546637671090be3ce73cba051 Mon Sep 17 00:00:00 2001 From: dan21san <98960305+dan21san@users.noreply.github.com> Date: Mon, 2 Sep 2024 14:23:22 +0200 Subject: [PATCH 045/144] Merge PR #4990 from @dan21san - Add `Remote Access Tool - AnyDesk Incoming Connection` new: Remote Access Tool - AnyDesk Incoming Connection --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...cess_tools_anydesk_incoming_connection.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml 
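Review bot: The file is renamed to `proc_creation_lnx_vim_shell_execution.yml` and the description rewritten to mirror the apt rule, but the title stays `Vim GTFOBin Abuse - Linux` while the apt counterpart in the same commit became `Shell Invocation via Apt - Linux`; `title: Shell Invocation via Vim - Linux` would keep the pair consistent. The new description also has `"vim" and it's siblings commands`, which should read `"vim" and its sibling commands`. The second hunk only reorders list entries.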
diff --git a/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml b/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml new file mode 100644 index 00000000000..4583e2b3f70 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml @@ -0,0 +1,25 @@ +title: Remote Access Tool - AnyDesk Incoming Connection +id: d58ba5c6-0ed7-4b9d-a433-6878379efda9 +status: experimental +description: | + Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows + - https://asec.ahnlab.com/en/40263/ +author: '@d4ns4n_ (Wuerth-Phoenix)' +date: 2024-09-02 +tags: + - attack.persistence + - attack.command-and-control + - attack.t1219 +logsource: + category: network_connection + product: windows +detection: + selection: + Image|endswith: '\AnyDesk.exe' + Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false. + condition: selection +falsepositives: + - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally). +level: medium From b86a494f55bb9c382b79e05d102699e01021853d Mon Sep 17 00:00:00 2001 
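Review bot: The `falsepositives` entry is written in the first person (`Most of the time I would expect outgoing connections`), which is out of register for a field that ends up in generated rule documentation; `- Legitimate incoming connections (e.g. sysadmin activity). Outgoing, locally initiated connections are the expected norm.` states the same thing neutrally. The inline comment on `Initiated: 'false'` explaining the field's meaning for incoming connections is useful and can stay as is.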
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 2 Sep 2024 19:03:46 +0200 Subject: [PATCH 046/144] Merge PR #4993 from @nasbench - Fix Issues new: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - A detection replacement for `e0552b19-5a83-4222-b141-b36184bb8d79` remove: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Moved to "unsupported" folder, due to the need for correlation. remove: Potential Persistence Via COM Search Order Hijacking - Moved to "deprecated" in favour of `790317c0-0a36-4a6a-a105-6e576bf99a14`. update: Potential CommandLine Obfuscation Using Unicode Characters - Moved to "threat-hunting" due to the nature of its FPs update: Potential Remote WMI ActiveScriptEventConsumers Activity - Moved to "threat-hunting" as it's meant as an enrichment rule. --- ..._scx_runasprovider_executeshellcommand.yml | 4 +- ...rsistence_com_hijacking_susp_locations.yml | 3 + .../registry_set_persistence_search_order.yml | 7 ++- ...scrcons_remote_wmi_scripteventconsumer.yml | 17 +++--- ...ation_win_susp_cli_obfuscation_unicode.yml | 27 ++++----- ...n_win_susp_cli_obfuscation_unicode_img.yml | 56 +++++++++++++++++++ ..._set_persistence_com_hijacking_builtin.yml | 5 ++ 7 files changed, 95 insertions(+), 24 deletions(-) rename {rules/linux/auditd => deprecated/linux}/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml (81%) rename {rules/windows/registry/registry_set => deprecated/windows}/registry_set_persistence_search_order.yml (96%) rename {rules => rules-threat-hunting}/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml (53%) rename {rules => rules-threat-hunting}/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml (69%) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml 
diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/deprecated/linux/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml similarity index 81% rename from rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml rename to deprecated/linux/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml index 9c1282641a2..a28cfc46049 100644 --- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml +++ b/deprecated/linux/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml @@ -1,6 +1,6 @@ title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd id: 045b5f9c-49f7-4419-a236-9854fb3c827a -status: test +status: unsupported # This rule requires correlations. See https://github.com/SigmaHQ/sigma/discussions/4440#discussioncomment-7070862 and https://user-images.githubusercontent.com/9653181/133756156-4fb9c2b1-aa65-4380-957b-72170de36fc4.png description: | Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. @@ -10,7 +10,7 @@ references: - https://github.com/Azure/Azure-Sentinel/pull/3059 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2021-09-17 -modified: 2022-11-26 +modified: 2024-09-02 tags: - attack.privilege-escalation - attack.initial-access diff --git a/deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml b/deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml index f18f5e95d7f..fae46d48418 100644 --- a/deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml 
@@ -1,5 +1,8 @@ title: Potential Persistence Via COM Hijacking From Suspicious Locations id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 +related: + - id: 790317c0-0a36-4a6a-a105-6e576bf99a14 + type: derived status: deprecated description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location. references: diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/deprecated/windows/registry_set_persistence_search_order.yml similarity index 96% rename from rules/windows/registry/registry_set/registry_set_persistence_search_order.yml rename to deprecated/windows/registry_set_persistence_search_order.yml index 9168883524f..765d12a1f91 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/deprecated/windows/registry_set_persistence_search_order.yml @@ -1,12 +1,15 @@ title: Potential Persistence Via COM Search Order Hijacking id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12 -status: test +related: + - id: 790317c0-0a36-4a6a-a105-6e576bf99a14 + type: derived +status: deprecated description: Detects potential COM object hijacking leveraging the COM Search Order references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020-04-14 -modified: 2023-09-28 +modified: 2024-09-02 tags: - attack.persistence - attack.t1546.015 
diff --git a/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml b/rules-threat-hunting/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml similarity index 53% rename from rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml rename to rules-threat-hunting/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml index 0cbb18bb51a..9cdec7afc6b 100644 --- a/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml +++ b/rules-threat-hunting/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml @@ -1,15 +1,18 @@ -title: Remote WMI ActiveScriptEventConsumers +title: Potential Remote WMI ActiveScriptEventConsumers Activity id: 9599c180-e3a8-4743-8f92-7fb96d3be648 status: test -description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network +description: | + Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. + This event is best correlated and used as an enrichment to determine the potential lateral movement activity. references: - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-09-02 -modified: 2021-11-27 +modified: 2024-09-02 tags: - attack.lateral-movement - attack.privilege-escalation + - detection.threat-hunting - attack.persistence - attack.t1546.003 logsource: 
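Review bot: `- detection.threat-hunting` is inserted between `attack.privilege-escalation` and `attack.persistence`, splitting the ATT&CK tag group, whereas the unicode-obfuscation hunk in the same commit appends it after the last `attack.*` tag; moving it below `- attack.t1546.003` keeps the two rules consistent. The `tags` list is complete within the hunk; `logsource` and the detection block continue outside it.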
@@ -20,9 +23,9 @@ detection: EventID: 4624 LogonType: 3 ProcessName|endswith: 'scrcons.exe' - filter: - TargetLogonId: '0x3e7' - condition: selection and not filter + filter_main_local_system: + TargetLogonId: '0x3e7' # Local System + condition: selection and not 1 of filter_main_* falsepositives: - SCCM -level: high +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml similarity index 69% rename from rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml index 5c4990d623b..47b1dde305b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml 
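Review bot: `ProcessName|endswith: 'scrcons.exe'`, a context line of this hunk, is not anchored on a path separator, so any image whose file name merely ends in `scrcons.exe` also satisfies the selection; the other rules in this series anchor image names with a leading backslash (`'\cmd.exe'`, `'\dism.exe'`, `'\taskschd.dll'`). Consider `ProcessName|endswith: '\scrcons.exe'`. The renamed `filter_main_local_system` with its `# Local System` comment and the level change look fine on their own.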
@@ -1,44 +1,45 @@ -title: Potential Commandline Obfuscation Using Unicode Characters +title: Potential CommandLine Obfuscation Using Unicode Characters id: e0552b19-5a83-4222-b141-b36184bb8d79 related: + - id: 584bca0f-3608-4402-80fd-4075ff6072e3 + type: similar - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 type: obsolete status: test description: | - Detects potential commandline obfuscation using unicode characters. + Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. references: - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http author: frack113, Florian Roth (Nextron Systems) date: 2022-01-15 -modified: 2024-07-22 +modified: 2024-09-02 tags: - attack.defense-evasion - attack.t1027 + - detection.threat-hunting logsource: category: process_creation product: windows detection: - selection_spacing_modifiers: - CommandLine|contains: # spacing modifier letters that get auto-replaced + selection: + CommandLine|contains: + # spacing modifier letters that get auto-replaced - 'ˣ' # 0x02E3 - '˪' # 0x02EA - 'ˢ' # 0x02E2 - selection_unicode_slashes: # forward slash alternatives - CommandLine|contains: + # Forward slash alternatives - '∕' # 0x22FF - '⁄' # 0x206F - selection_unicode_hyphens: # hyphen alternatives - CommandLine|contains: + # Hyphen alternatives - '―' # 0x2015 - '—' # 0x2014 - selection_other: - CommandLine|contains: + # Other - '¯' - '®' - '¶' - condition: 1 of selection_* + condition: selection falsepositives: - Unknown -level: high +level: medium 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml
new file mode 100644
index 00000000000..67a1d751ae5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml
@@ -0,0 +1,56 @@ +title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image +id: 584bca0f-3608-4402-80fd-4075ff6072e3 +related: + - id: e0552b19-5a83-4222-b141-b36184bb8d79 + type: similar + - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 + type: obsolete +status: test +description: | + Detects potential commandline obfuscation using unicode characters. + Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. +references: + - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http +author: frack113, Florian Roth (Nextron Systems), Josh Nickels +date: 2024-09-02 +tags: + - attack.defense-evasion + - attack.t1027 +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: + - '\cmd.exe' + - '\cscript.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\wscript.exe' + OriginalFileName: + - 'Cmd.EXE' + - 'cscript.exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'wscript.exe' + selection_special_chars: + CommandLine|contains: + # spacing modifier letters that get auto-replaced + - 'ˣ' # 0x02E3 + - '˪' # 0x02EA + - 'ˢ' # 0x02E2 + # Forward slash alternatives + - '∕' # 0x22FF + - '⁄' # 0x206F + # Hyphen alternatives + - '―' # 0x2015 + - '—' # 0x2014 + # Other + - '¯' + - '®' + - '¶' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml index 2830d87e085..1d115015d07 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml 
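Review bot: `selection_img` places `Image|endswith` and `OriginalFileName` in a single mapping, which Sigma evaluates as AND, so the rule only fires when both the on-disk name and the PE original name match; the sibling rules in this chunk (`selection_dll` in the taskschd rule, `selection_img` in the DISM rule) use the two-item list form so that either field suffices, which is presumably the intent here as well, since the `OriginalFileName` field adds coverage only when it can match on its own. If so, write the two fields as list items: `- Image|endswith:` followed by its values and `- OriginalFileName:` followed by its values. The `# Other` entries could also carry the code-point comments the rest of the list has, for consistency.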
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml @@ -1,5 +1,10 @@ title: COM Object Hijacking Via Modification Of Default System CLSID Default Value id: 790317c0-0a36-4a6a-a105-6e576bf99a14 +related: + - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 + type: obsolete + - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12 + type: obsolete status: experimental description: Detects potential COM object hijacking via modification of default system CLSID. references: From 7f0f7eefe0c457883c5e50547d1ade846add3add Mon Sep 17 00:00:00 2001 From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Mon, 2 Sep 2024 23:49:52 +0545 Subject: [PATCH 047/144] Merge PR #4983 from @swachchhanda000 - Add `Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location` new: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...ess_in_potentially_suspicious_location.yml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml b/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml new file mode 100644 index 00000000000..0fe58afa21b --- /dev/null +++ b/rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml 
@@ -0,0 +1,35 @@ +title: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location +id: 3b92a1d0-8d4b-4d28-a1b4-1e29d49a6a3e +status: experimental +description: | + Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory. + The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object. + Investigation of the loading application and its behavior is required to determining if its malicious. +references: + - https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/ + - https://x.com/Max_Mal_/status/1826179497084739829 +author: Swachchhanda Shrawan Poudel +date: 2024-09-02 +tags: + - attack.persistence + - attack.execution + - attack.t1053.005 +logsource: + category: image_load + product: windows +detection: + selection_dll: + - ImageLoaded|endswith: '\taskschd.dll' + - OriginalFileName: 'taskschd.dll' + selection_paths: + Image|contains: + - ':\Temp\' + - ':\Users\Public\' + - ':\Windows\Temp\' + - '\AppData\Local\Temp\' + - '\Desktop\' + - '\Downloads\' + condition: all of selection_* +falsepositives: + - Some installers might generate false positives, apply additional filters accordingly. +level: low From b724a7f59d2da573e29953c8331ed9ff38b3a671 Mon Sep 17 00:00:00 2001 
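Review bot: The description carries grammar slips that every downstream UI will display verbatim: `from a process that located`, `the application have the capability`, `to determining if its malicious`. Suggested wording: `Detects the loading of the "taskschd.dll" module by a process located in a potentially suspicious or uncommon directory. Loading this DLL may indicate that the application has the capability to create scheduled tasks via the "Schedule.Service" COM object. Investigate the loading application and its behavior to determine whether it is malicious.` The detection logic itself reads fine; `'\Desktop\'` and `'\Downloads\'` will be the noisiest entries, which the `low` level and the false-positive note already acknowledge.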
From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 3 Sep 2024 14:17:47 -0600 Subject: [PATCH 048/144] Merge PR #4997 from @MHaggis - Add rules related to PowerShell Web Access new: PowerShell Web Access Feature Enabled Via DISM new: PowerShell Web Access Installation - PsScript --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ..._ps_powershell_web_access_installation.yml | 31 +++++++++++++++++++ ...m_enable_powershell_web_access_feature.yml | 29 +++++++++++++++++ ....yml => proc_creation_win_dism_remove.yml} | 0 3 files changed, 60 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml create mode 100644 rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml rename rules/windows/process_creation/{proc_creation_win_dsim_remove.yml => proc_creation_win_dism_remove.yml} (100%) diff --git a/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml new file mode 100644 index 00000000000..238391191ef --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml 
@@ -0,0 +1,31 @@ +title: PowerShell Web Access Installation - PsScript +id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f +status: test +description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse +references: + - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a + - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 +author: Michael Haag +date: 2024-09-03 +tags: + - attack.persistence + - attack.t1059.001 +logsource: + product: windows + category: ps_script + definition: 'Requirements: Script Block Logging must be enabled' +detection: + selection_install: + ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess' + selection_config: + ScriptBlockText|contains: 'Install-PswaWebApplication' + selection_auth: + ScriptBlockText|contains|all: + - 'Add-PswaAuthorizationRule' + - '-UserName *' + - '-ComputerName *' + condition: 1 of selection_* +falsepositives: + - Legitimate PowerShell Web Access installations by administrators +level: high diff --git a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml new file mode 100644 index 00000000000..f10fe04711e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml 
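Review bot: In `selection_auth` the `*` inside `'-UserName *'` and `'-ComputerName *'` is a Sigma wildcard rather than a literal asterisk, and under `contains` it is redundant, so the selection matches any `Add-PswaAuthorizationRule` call that carries both parameters, however narrowly scoped. If the intent is to catch the wildcard rule that grants every user access to every computer (presumably what motivates the AA24-241A reference), the asterisks must be escaped: `- '-UserName \*'` and `- '-ComputerName \*'`; if every authorization rule is meant to match, drop the `*` so the values read as written. A one-line comment stating which of the two is intended would save the next maintainer the same question.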
@@ -0,0 +1,29 @@ +title: PowerShell Web Access Feature Enabled Via DISM +id: 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f +status: test +description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse +references: + - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a + - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 +author: Michael Haag +date: 2024-09-03 +tags: + - attack.persistence + - attack.t1548.002 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\dism.exe' + - OriginalFileName: 'DISM.EXE' + selection_cli: + CommandLine|contains|all: + - 'WindowsPowerShellWebAccess' + - '/online' + - '/enable-feature' + condition: all of selection_* +falsepositives: + - Legitimate PowerShell Web Access installations by administrators +level: high diff --git a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/rules/windows/process_creation/proc_creation_win_dism_remove.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_dsim_remove.yml rename to rules/windows/process_creation/proc_creation_win_dism_remove.yml From 9b39e2626099e11fa3679596d10b00a513974574 Mon Sep 17 00:00:00 2001 From: secDre4mer <61268450+secDre4mer@users.noreply.github.com> Date: Tue, 3 Sep 2024 22:20:20 +0200 Subject: [PATCH 049/144] Merge PR #4995 from @secDre4mer - Add `Process Deletion of Its Own Executable` new: Process Deletion of Its Own Executable --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../file_delete_win_delete_own_image.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/file/file_delete/file_delete_win_delete_own_image.yml 
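Review bot: The tag `attack.t1548.002` (Bypass User Account Control) does not appear to describe enabling a Windows feature through DISM; the companion PSWA script rule in the previous file tags `attack.persistence` with `attack.t1059.001`, and aligning the two would be more coherent unless the authors have a reason I cannot see. Separately, the first reference points at the `Enable-WindowsOptionalFeature` cmdlet, which is not something a `dism.exe` process-creation rule observes; either reference the `dism.exe /Enable-Feature` syntax or note in the description that the PowerShell cmdlet path is out of scope for this rule. In my experience DISM also accepts its options with a leading hyphen (`-Online -Enable-Feature`); if that holds on the targeted versions, the `'/online'` and `'/enable-feature'` strings leave that form uncovered and a comment should say so.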
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml b/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml
new file mode 100644
index 00000000000..96cc4739617
--- /dev/null
+++ b/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml
@@ -0,0 +1,21 @@
+title: Process Deletion of Its Own Executable
+id: f01d1f70-cd41-42ec-9c0b-26dd9c22bf29
+status: experimental
+description: |
+ Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
+references:
+ - https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
+author: Max Altgelt (Nextron Systems)
+date: 2024-09-03
+tags:
+ - attack.defense-evasion
+logsource:
+ product: windows
+ category: file_delete
+detection:
+ selection:
+ TargetFilename|fieldref: Image
+ condition: selection
+falsepositives:
+ - Some false positives are to be expected from uninstallers.
+level: medium
From 06e3ce353bb80e34dab81fbc8accab77435e44cb Mon Sep 17 00:00:00 2001
From: Josh Date: Fri, 6 Sep 2024 05:39:17 -0400 Subject: [PATCH 050/144] Merge PR #4998 from @joshnck - Add `DNS Request From Windows Script Host` new: DNS Request From Windows Script Host --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
...s_query_win_wscript_cscript_resolution.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml
diff --git a/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml b/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml
new file mode 100644
index 00000000000..3123561fc6c
--- /dev/null
+++ b/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml
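Review bot: `TargetFilename|fieldref: Image` depends on the `fieldref` modifier, which not every Sigma backend implements and which compares the two fields literally; on a backend with case-sensitive string comparison, a deletion recorded with different path casing than the deleting process's `Image` will not match, and a consumer whose converter rejects the modifier gets no rule at all. Stating that requirement in the logsource would make the failure mode visible, e.g. `definition: 'Requires a backend that supports the fieldref modifier; the field comparison should be case-insensitive.'`. The description could also mention self-updating software alongside uninstallers, since both delete and replace their own image as a matter of course, though that is an inference rather than something the hunk shows.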
@@ -0,0 +1,42 @@ +title: DNS Request From Windows Script Host +id: 12310575-e8b1-475c-a976-57ed540b349c +status: experimental +description: | + Detects unusual domain resolutions originating from CScript/WScript that can identify malicious javascript files executing in an environment, often as a result from a phishing or watering hole attack. +author: Josh Nickels, Marius Rothenbücher +references: + - Internal Research +date: 2024-09-06 +tags: + - attack.execution + - attack.t1059 +logsource: + product: windows + category: dns_query +detection: + selection: + Image|endswith: + - '\wscript.exe' + - '\cscript.exe' + QueryName|contains: '.' # Ensures that lookups are for external hosts + filter_main_internal_domains: # Populate this placeholder with known and expected internal domains + QueryName|expand: '%internal_domains%' + filter_optional_trusted_domains: # Mostly certificate distribution domains + - QueryName: + - 'crl.starfieldtech.com' + - 'ocsp.usertrust.com' + - 'officecdn.microsoft.com' + - 'oneocsp.microsoft.com' + - 'oscp.comodoca.com' + - 'oscp.sectigo.com' + - 'oscp.starfieldtech.com' + - 'www.python.org' + - QueryName|endswith: + - '.digicert.com' + - '.entrust.net' + - '.globalsign.net' + - '.verisign.com' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Script files making expected domain requests +level: low From 06b116608e5d5ccccf584591818fdf00cf0a550c Mon Sep 17 00:00:00 2001 From: Josh Date: Fri, 6 Sep 2024 05:40:04 -0400 Subject: [PATCH 051/144] Merge PR #4999 from @joshnck - Add `Group Policy Abuse for Privilege Addition` new: Group Policy Abuse for Privilege Addition --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ..._group_policy_abuse_privilege_addition.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml 
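Review bot: Three entries in `filter_optional_trusted_domains` are spelled `oscp.` (`oscp.comodoca.com`, `oscp.sectigo.com`, `oscp.starfieldtech.com`) while the neighbouring entries use `ocsp.`; these are certificate-status responders, so the three look like transpositions that silently leave those lookups unfiltered. Suggested: `- 'ocsp.comodoca.com'`, `- 'ocsp.sectigo.com'`, `- 'ocsp.starfieldtech.com'`. The comment on `QueryName|contains: '.'`, `# Ensures that lookups are for external hosts`, overstates what the check does, since it only drops single-label names and internal FQDNs are left to the placeholder filter; `# Drops unqualified single-label names; internal FQDNs are handled by filter_main_internal_domains` would be accurate.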
diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml b/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml
new file mode 100644
index 00000000000..0029448ac7c
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml
@@ -0,0 +1,27 @@
+title: Group Policy Abuse for Privilege Addition
+id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
+status: experimental
+description: |
+ Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
+author: Elastic, Josh Nickels, Marius Rothenbücher
+references:
+ - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
+date: 2024-09-04
+tags:
+ - attack.privilege-escalation
+ - attack.t1484.001
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events.'
+detection:
+ selection:
+ EventID: 5136
+ AttributeLDAPDisplayName: 'gPCMachineExtensionNames'
+ AttributeValue|contains:
+ - '827D319E-6EAC-11D2-A4EA-00C04F79F83A'
+ - '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'
+ condition: selection
+falsepositives:
+ - Users allowed to perform these modifications (user found in field SubjectUserName)
+level: medium
From ad84d82baf3543d67b9ce03ad67ffd75c1460161 Mon Sep 17 00:00:00 2001
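Review bot: The description promises `Detects the first occurrence of a modification ...`, but the detection is a plain `selection` on EID 5136 with no first-seen logic, so a consumer gets an alert on every matching change; the wording presumably survived from the referenced Elastic rule, whose engine supplies that behaviour. Either drop "first occurrence" or state where it has to happen, e.g. `Detects a modification to Group Policy Object attributes that can be used to add privileges to user accounts or add users as local admins. Restricting alerts to the first occurrence per GPO must be handled by the consuming platform.` The `definition` line already names the Directory Service Changes audit requirement, which is the right thing to carry over.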
From: Josh Date: Fri, 6 Sep 2024 05:40:46 -0400 Subject: [PATCH 052/144] Merge PR #5000 from @joshnck - Update `Persistence and Execution at Scale via GPO Scheduled Task` update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136 --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../win_security_gpo_scheduledtasks.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml index 799759ea8b4..a7f5b3467e3 100644 --- a/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml +++ b/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml @@ -5,9 +5,10 @@ description: Detect lateral movement using GPO scheduled task, usually used to d references: - https://twitter.com/menasec1/status/1106899890377052160 - https://www.secureworks.com/blog/ransomware-as-a-distraction + - https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html author: Samir Bousseaden date: 2019-04-03 -modified: 2024-08-01 +modified: 2024-09-04 tags: - attack.persistence - attack.lateral-movement 
@@ -17,14 +18,22 @@ logsource: service: security definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' detection: - selection: + selection_5136: + EventID: 5136 + AttributeLDAPDisplayName: + - 'gPCMachineExtensionNames' + - 'gPCUserExtensionNames' + AttributeValue|contains: + - 'CAB54552-DEEA-4691-817E-ED4A4D1AFC72' + - 'AADCED64-746C-4633-A97C-D61349046527' + selection_5145: EventID: 5145 - ShareName: '\\\\\*\\SYSVOL' # looking for the string \\*\SYSVOL + ShareName|endswith: '\SYSVOL' # looking for the string \\*\SYSVOL RelativeTargetName|endswith: 'ScheduledTasks.xml' AccessList|contains: - 'WriteData' - '%%4417' - condition: selection + condition: 1 of selection_* falsepositives: - - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks + - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks. level: high From 8288d4be9f646d5c6501a0ed6a0afc152f5aa32d Mon Sep 17 00:00:00 2001 From: Josh Date: Fri, 6 Sep 2024 05:41:18 -0400 Subject: [PATCH 053/144] Merge PR #5001 from @joshnck - Add `Startup/Logon Script Added to Group Policy Object` new: Startup/Logon Script Added to Group Policy Object --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...oup_policy_startup_script_added_to_gpo.yml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml new file mode 100644 index 00000000000..e9baa491f96 --- /dev/null 
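Review bot: The new `selection_5136` depends on Event ID 5136, but the `definition` line in this hunk's context still names only `"Object Access > Audit Detailed File Share"`, which covers 5145 alone; without Directory Service Changes auditing the 5136 branch never fires and nothing in the rule tells the operator why. Suggested: `definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure (EID 5145) and the "Audit Directory Service Changes" logging policy must be configured (EID 5136)'`. The same gap exists in the new startup/logon-script rule in the next patch, whose `definition` also mentions only Detailed File Share while its `selection_eventid` lists 5136. The change from the escaped `ShareName` literal to `ShareName|endswith: '\SYSVOL'` is a welcome simplification and the inline comment still documents the original intent.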
+++ b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml @@ -0,0 +1,41 @@ +title: Startup/Logon Script Added to Group Policy Object +id: 123e4e6d-b123-48f8-b261-7214938acaf0 +status: experimental +description: | + Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. +references: + - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html +author: Elastic, Josh Nickels, Marius Rothenbücher +date: 2024-09-06 +tags: + - attack.privilege-escalation + - attack.t1484.001 + - attack.t1547 +logsource: + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure' +detection: + selection_eventid: + EventID: + - 5136 + - 5145 + selection_attributes_main: + AttributeLDAPDisplayName: + - 'gPCMachineExtensionNames' + - 'gPCUserExtensionNames' + AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3' + selection_attributes_optional: + AttributeValue|contains: + - '40B6664F-4972-11D1-A7CA-0000F87571E3' + - '40B66650-4972-11D1-A7CA-0000F87571E3' + selection_share: + ShareName|endswith: '\SYSVOL' + RelativeTargetName|endswith: + - '\scripts.ini' + - '\psscripts.ini' + AccessList|contains: '%%4417' + condition: selection_eventid and (all of selection_attributes_* or selection_share) +falsepositives: + - Legitimate execution by system administrators. +level: medium From ab2fb3642611988012a1ee79b056e2f3068059aa Mon Sep 17 00:00:00 2001 
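Review bot: `selection_attributes_optional` is not optional: the condition uses `all of selection_attributes_*`, so an EID 5136 event must carry the GUID in `selection_attributes_main` and one of the two GUIDs in `selection_attributes_optional` to match, and the `_optional` suffix, which elsewhere in this series marks a filter that can be removed (`filter_optional_*` in the DNS rule), misleads on that. Either rename it, e.g. `selection_attributes_ext`, or, if the second set of GUIDs really is optional, use `condition: selection_eventid and (selection_attributes_main or selection_share)`. Binding each Event ID to its branch (5136 with the attribute selections, 5145 with `selection_share`) instead of a shared `selection_eventid` would also make the intent explicit rather than relying on the field sets being disjoint.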
From: secDre4mer <61268450+secDre4mer@users.noreply.github.com> Date: Fri, 6 Sep 2024 11:42:04 +0200 Subject: [PATCH 054/144] Merge PR #5002 from @secDre4mer - Update `Potential CommandLine Obfuscation Using Unicode Characters` rules update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for `0x00A0` update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for `0x00A0` --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_susp_cli_obfuscation_unicode.yml | 6 +++++- .../proc_creation_win_susp_cli_obfuscation_unicode_img.yml | 5 +++++ .../proc_creation_win_susp_right_to_left_override.yml | 5 +++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml index 47b1dde305b..515e4bd1aa3 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml @@ -3,6 +3,8 @@ id: e0552b19-5a83-4222-b141-b36184bb8d79 related: - id: 584bca0f-3608-4402-80fd-4075ff6072e3 type: similar + - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO + type: similar - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 type: obsolete status: test @@ -14,7 +16,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http author: frack113, Florian Roth (Nextron Systems) date: 2022-01-15 -modified: 2024-09-02 +modified: 2024-09-05 tags: - attack.defense-evasion - attack.t1027 
@@ -35,6 +37,8 @@ detection: # Hyphen alternatives - '―' # 0x2015 - '—' # 0x2014 + # Whitespace that don't work as path separator + - ' ' # 0x00A0 # Other - '¯' - '®' diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml index 67a1d751ae5..8127ccc75c5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml @@ -3,6 +3,8 @@ id: 584bca0f-3608-4402-80fd-4075ff6072e3 related: - id: e0552b19-5a83-4222-b141-b36184bb8d79 type: similar + - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO + type: similar - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 type: obsolete status: test @@ -14,6 +16,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http author: frack113, Florian Roth (Nextron Systems), Josh Nickels date: 2024-09-02 +modified: 2024-09-05 tags: - attack.defense-evasion - attack.t1027 @@ -46,6 +49,8 @@ detection: # Hyphen alternatives - '―' # 0x2015 - '—' # 0x2014 + # Whitespace that don't work as path separator + - ' ' # 0x00A0 # Other - '¯' - '®' diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml index 53583383428..e6c3841b5c0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml 
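Review bot: The added `- ' ' # 0x00A0` is a non-breaking space that is indistinguishable from an ordinary space in most editors and diff views, and a formatter or copy-paste that normalises it to U+0020 would silently turn this entry into a plain `' '`, matching practically every command line. A CI check that the value's bytes are `C2 A0`, or a test fixture containing the character, would guard against that, and the comment should say what the byte is and why: `# U+00A0 NO-BREAK SPACE - not a path separator; do not normalise`. The same entry and the same comment, with its grammar slip (`Whitespace that don't work`), are added to the `_img` rule in the following hunk on this line, so both places want the same treatment.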
@@ -1,5 +1,10 @@ title: Potential Defense Evasion Via Right-to-Left Override id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 +related: + - id: e0552b19-5a83-4222-b141-b36184bb8d79 + type: derived + - id: 584bca0f-3608-4402-80fd-4075ff6072e3 + type: derived status: test description: | Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. From 132482818e0d0eae9246fd9ada6cc55e2e22eec3 Mon Sep 17 00:00:00 2001 
From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com> Date: Fri, 13 Sep 2024 18:14:11 +0900 Subject: [PATCH 055/144] Merge PR #5007 from @fukusuket - Fix unreachable GitHub URL references chore: CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Fix unreachable GitHub URL references chore: HackTool - DInjector PowerShell Cradle Execution - Fix unreachable GitHub URL references chore: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Fix unreachable GitHub URL references chore: LPE InstallerFileTakeOver PoC CVE-2021-41379 - Fix unreachable GitHub URL references chore: Malicious PowerShell Scripts - FileCreation - Fix unreachable GitHub URL references chore: Malicious PowerShell Scripts - PoshModule - Fix unreachable GitHub URL references chore: Possible CVE-2021-1675 Print Spooler Exploitation - Fix unreachable GitHub URL references chore: Potential NT API Stub Patching - Fix unreachable GitHub URL references chore: Potential PrintNightmare Exploitation Attempt - Fix unreachable GitHub URL references chore: Potential RDP Exploit CVE-2019-0708 - Fix unreachable GitHub URL references chore: Potential SAM Database Dump - Fix unreachable GitHub URL references chore: Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Fix unreachable GitHub URL references chore: Suspicious Rejected SMB Guest Logon From IP - Fix unreachable GitHub URL references chore: Windows Spooler Service Suspicious Binary Load - Fix unreachable GitHub URL references --- .../windows/proc_access_win_susp_invoke_patchingapi.yml | 2 +- .../file_event_win_cve_2021_1675_printspooler.yml | 4 ++-- .../CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml | 4 ++-- .../CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml | 2 +- .../2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml | 2 +- .../win_security_rdp_bluekeep_poc_scanner.yml | 2 +- .../win_smbclient_security_susp_failed_guest_logon.yml | 4 ++-- .../system/termdd/win_system_rdp_potential_cve_2019_0708.yml | 2 
+- .../file_delete_win_cve_2021_1675_print_nightmare.yml | 2 +- .../file_event/file_event_win_powershell_exploit_scripts.yml | 2 +- rules/windows/file/file_event/file_event_win_sam_dump.yml | 2 +- rules/windows/image_load/image_load_spoolsv_dll_load.yml | 2 +- .../powershell/powershell_module/posh_pm_exploit_scripts.yml | 2 +- .../process_creation/proc_creation_win_hktl_dinjector.yml | 2 +- 14 files changed, 17 insertions(+), 17 deletions(-) diff --git a/deprecated/windows/proc_access_win_susp_invoke_patchingapi.yml b/deprecated/windows/proc_access_win_susp_invoke_patchingapi.yml index 309e1124d6d..0da538c5538 100644 --- a/deprecated/windows/proc_access_win_susp_invoke_patchingapi.yml +++ b/deprecated/windows/proc_access_win_susp_invoke_patchingapi.yml @@ -3,7 +3,7 @@ id: b916cba1-b38a-42da-9223-17114d846fd6 status: deprecated description: Detects potential NT API stub patching as seen used by the project PatchingAPI references: - - https://github.com/D1rkMtr/UnhookingPatch + - https://web.archive.org/web/20230106211702/https://github.com/D1rkMtr/UnhookingPatch - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20 author: frack113 date: 2023/01/07 diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml index 13082f6a4b0..230f384113f 100644 --- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml +++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml 
@@ -3,8 +3,8 @@ id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
 status: test
 description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
 references:
- - https://github.com/hhlxf/PrintNightmare
- - https://github.com/afwu/PrintNightmare
+ - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
+ - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
 - https://github.com/cube0x0/CVE-2021-1675
 author: Florian Roth (Nextron Systems)
 date: 2021-06-29
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
index 008aa75f77f..a4b89877fca 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
@@ -3,8 +3,8 @@ id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
 status: test
 description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
 references:
- - https://github.com/hhlxf/PrintNightmare
- - https://github.com/afwu/PrintNightmare
+ - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
+ - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
 - https://twitter.com/fuzzyf10w/status/1410202370835898371
 author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton
 date: 2021-06-30
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
index 516c52d50cb..0d842436db7 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
@@ -3,7 +3,7 @@ id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
 status: test
 description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
 references:
- - https://github.com/klinix5/InstallerFileTakeOver
+ - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
 - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
 author: Florian Roth (Nextron Systems)
 date: 2021-11-22
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
index 1b208b43e5f..799e3659389 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
@@ -3,7 +3,7 @@ id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
 status: test
 description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
 references:
- - https://github.com/klinix5/InstallerFileTakeOver
+ - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
 author: Florian Roth (Nextron Systems)
 date: 2021-11-22
 modified: 2022-07-12
diff --git a/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
index ce57e274c58..8a9229e2ef2 100644
--- a/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
+++ b/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
 references:
 - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
- - https://github.com/zerosum0x0/CVE-2019-0708
+ - https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
 author: Florian Roth (Nextron Systems), Adam Bradbury (idea)
 date: 2019-06-02
 modified: 2022-12-25
diff --git a/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml b/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml
index 45318997bd6..81e633b4862 100644
--- a/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml
+++ b/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml
@@ -4,8 +4,8 @@ status: test
 description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
 references:
 - https://twitter.com/KevTheHermit/status/1410203844064301056
- - https://github.com/hhlxf/PrintNightmare
- - https://github.com/afwu/PrintNightmare
+ - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
+ - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
 author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
 date: 2021-06-30
 modified: 2023-01-02
diff --git a/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
index 4abbd93921c..28bc787bb4f 100644
--- a/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
+++ b/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml
@@ -3,7 +3,7 @@ id: aaa5b30d-f418-420b-83a0-299cb6024885
 status: test
 description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
 references:
- - https://github.com/zerosum0x0/CVE-2019-0708
+ - https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
 - https://github.com/Ekultek/BlueKeep
 author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
 date: 2019-05-24
diff --git a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
index faceed8596f..737c2925942 100644
--- a/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
+++ b/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml
@@ -3,7 +3,7 @@ id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
 status: test
 description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
 references:
- - https://github.com/hhlxf/PrintNightmare
+ - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
 - https://github.com/cube0x0/CVE-2021-1675
 author: Bhabesh Raj
 date: 2021-07-01
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index 66b18fd9a5c..470703b8af2 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/PowerShellMafia/PowerSploit
 - https://github.com/NetSPI/PowerUpSQL
 - https://github.com/CsEnox/EventViewer-UACBypass
- - https://github.com/AlsidOfficial/WSUSpendu/
+ - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
 - https://github.com/nettitude/Invoke-PowerThIEf
 - https://github.com/S3cur3Th1sSh1t/WinPwn
 - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml
index 94d7c14a322..76cafa7bf01 100644
--- a/rules/windows/file/file_event/file_event_win_sam_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
 references:
 - https://github.com/search?q=CVE-2021-36934
- - https://github.com/cube0x0/CVE-2021-36934
+ - https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934
 - https://www.google.com/search?q=%22reg.exe+save%22+sam
 - https://github.com/HuskyHacks/ShadowSteal
 - https://github.com/FireFart/hivenightmare
diff --git a/rules/windows/image_load/image_load_spoolsv_dll_load.yml b/rules/windows/image_load/image_load_spoolsv_dll_load.yml
index aefe1fa4d02..597d14b9357 100644
--- a/rules/windows/image_load/image_load_spoolsv_dll_load.yml
+++ b/rules/windows/image_load/image_load_spoolsv_dll_load.yml
@@ -3,7 +3,7 @@ id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
 status: test
 description: Detect DLL Load from Spooler Service backup folder
 references:
- - https://github.com/hhlxf/PrintNightmare
+ - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
 - https://github.com/ly4k/SpoolFool
 author: FPT.EagleEye, Thomas Patzke (improvements)
 date: 2021-06-29
diff --git a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
index d8f72dc8cde..d5993d88508 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
@@ -11,7 +11,7 @@ references:
 - https://github.com/PowerShellMafia/PowerSploit
 - https://github.com/NetSPI/PowerUpSQL
 - https://github.com/CsEnox/EventViewer-UACBypass
- - https://github.com/AlsidOfficial/WSUSpendu/
+ - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
 - https://github.com/nettitude/Invoke-PowerThIEf
 - https://github.com/S3cur3Th1sSh1t/WinPwn
 - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
index 6acd285472e..021d1341f1a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
@@ -3,7 +3,7 @@ id: d78b5d61-187d-44b6-bf02-93486a80de5a
 status: test
 description: Detects the use of the Dinject PowerShell cradle based on the specific flags
 references:
- - https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
+ - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
 author: Florian Roth (Nextron Systems)
 date: 2021-12-07
 modified: 2023-02-04
From 236db73778693acf0a2911cef31793ce6f68ff38 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 13 Sep 2024 11:17:23 +0200
Subject: [PATCH 056/144] Merge PR #5006 from @frack113 - Fix `UNC2452 Process Creation Patterns` fix: UNC2452 Process Creation Patterns - Add the missing `all` modifier
---
 .../proc_creation_win_apt_unc2452_cmds.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
index 3ae86ca4a96..b7589eac31b 100644
--- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
+++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
@@ -6,7 +6,7 @@ references:
 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 author: Florian Roth (Nextron Systems)
 date: 2021-01-22
-modified: 2023-09-12
+modified: 2024-09-12
 tags:
 - attack.execution
 - attack.t1059.001
@@ -42,7 +42,7 @@ detection:
 - '.dll,Tk_'
 selection_generic_4:
 ParentImage|endswith: '\rundll32.exe'
- ParentCommandLine|contains:
+ ParentCommandLine|contains|all:
 - 'C:\Windows'
 - '.dll'
 CommandLine|contains: 'cmd.exe /C '
From fedc6f43eaa2a9747903783652c8752f51e33b5d Mon Sep 17 00:00:00 2001
From: bharat-arora-magnet <144950984+bharat-arora-magnet@users.noreply.github.com>
Date: Fri, 13 Sep 2024 02:19:14 -0700
Subject: [PATCH 057/144] Merge PR #5005 from @bharat-arora-magnet - Fix `PwnKit Local Privilege Escalation` fix: PwnKit Local Privilege Escalation - Fix typo with the word `suspicious`
---
 .../auth/lnx_auth_pwnkit_local_privilege_escalation.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
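Review bot: The `|all` added on `ParentCommandLine|contains|all:` in the second hunk makes both substrings mandatory, so a parent rundll32 command line that names the DLL without a literal `C:\Windows` (invoked via `%SystemRoot%` or a relative path, for instance) no longer matches where before either fragment sufficed; that is presumably the intent, but nothing in the rule records it. I would pin it with an inline comment on that line, `ParentCommandLine|contains|all: # rundll32 must be loading a DLL from under the Windows directory; both fragments are required`. The `detection` block and its `condition` lie outside the hunk, so I cannot tell whether `selection_generic_4` is OR-ed with the other selections, which decides how much coverage this tightening actually costs.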
diff --git a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
index 7e671643998..b392939d01e 100644
--- a/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
+++ b/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/wdormann/status/1486161836961579020
 author: Sreeman
 date: 2022-01-26
-modified: 2023-01-23
+modified: 2024-09-11
 tags:
 - attack.privilege-escalation
 - attack.t1548.001
@@ -17,7 +17,7 @@ detection:
 keywords:
 '|all':
 - 'pkexec'
- - 'The value for environment variable XAUTHORITY contains suscipious content'
+ - 'The value for environment variable XAUTHORITY contains suspicious content'
 - '[USER=root] [TTY=/dev/pts/0]'
 condition: keywords
 falsepositives:
From 71be3c719bc351115c928b5f3be9c84950e0bf43 Mon Sep 17 00:00:00 2001
From: Kamran Saifullah <16836050+deFr0ggy@users.noreply.github.com>
Date: Fri, 13 Sep 2024 13:15:58 +0300
Subject: [PATCH 058/144] Merge PR #5003 from @deFr0ggy - Add `Network Connection Initiated To BTunnels Domains` new: Network Connection Initiated To BTunnels Domains ---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../net_connection_win_domain_btunnels.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/network_connection/net_connection_win_domain_btunnels.yml
diff --git a/rules/windows/network_connection/net_connection_win_domain_btunnels.yml b/rules/windows/network_connection/net_connection_win_domain_btunnels.yml
new file mode 100644
index 00000000000..72914fff5fa
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_domain_btunnels.yml
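Review bot: The corrected spelling on the changed line very likely breaks the match: to the best of my knowledge the misspelled `suscipious` is what pkexec itself writes in the log message this keyword targets (the string is in polkit's pkexec.c), so the rule was copying the program's output verbatim rather than carrying a typo. Please verify against the polkit source and, if that holds, restore the original text with a marker so it is not "fixed" again, e.g. `- 'The value for environment variable XAUTHORITY contains suscipious content' # sic: spelling is taken verbatim from pkexec's log output`. Because the three keywords are combined under `'|all'`, a mismatch on this one silences the whole rule rather than one branch of it. Separately, the context keyword `'[USER=root] [TTY=/dev/pts/0]'` pins the first pseudo-terminal, so attempts from any other pts or from a session without a tty are not covered; that predates this change but deserves a follow-up.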
@@ -0,0 +1,24 @@
+title: Network Connection Initiated To BTunnels Domains
+id: 9e02c8ec-02b9-43e8-81eb-34a475ba7965
+status: experimental
+description: |
+ Detects network connections to BTunnels domains initiated by a process on the system.
+ Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+references:
+ - https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
+author: Kamran Saifullah
+date: 2024-09-13
+tags:
+ - attack.exfiltration
+ - attack.t1567.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: '.btunnel.co.in'
+ condition: selection
+falsepositives:
+ - Legitimate use of BTunnels will also trigger this.
+level: medium
From 99a47e4f96053210b6aeb22e2f541fce281d99c4 Mon Sep 17 00:00:00 2001
From: MahirAli Khan
Date: Fri, 13 Sep 2024 17:25:33 +0530
Subject: [PATCH 059/144] Merge PR #4980 from @Mahir-Ali-khan - Update `DNS Query To Remote Access Software Domain From Non-Browser App` update: DNS Query To Remote Access Software Domain From Non-Browser App - Add `remoteassistance.support.services.microsoft.com`, `tailscale.com`, `twingate.com` ---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...ry_win_remote_access_software_domains_non_browsers.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
index 6ada51a6f2f..0d00207add1 100644
--- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
+++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
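Review bot: The ATT&CK mapping and the description pull in different directions: `attack.t1567.001` is, as far as I recall, Exfiltration to Code Repository, whereas the description speaks of reverse shells and persistence and the single reference is about moving data out through a tunnelling service, which sits closer to T1572 (Protocol Tunneling) or the parent T1567; please confirm the sub-technique against the ATT&CK matrix before merge, and make the description and tags tell the same story. `DestinationHostname|endswith: '.btunnel.co.in'` does not match the bare apex `btunnel.co.in`, and the field is only populated where the sensor resolves destination names, so a comment on the selection stating both points would help deployers, e.g. `# Requires hostname resolution in network_connection events; bare apex btunnel.co.in is not matched by this pattern`. The `falsepositives` entry could name the benign scenario (a developer exposing a local service for testing) so triage knows what legitimate use looks like.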
@@ -18,9 +18,12 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
 - https://redcanary.com/blog/misbehaving-rats/
 - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
+ - https://blog.sekoia.io/scattered-spider-laying-new-eggs/
+ - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
 author: frack113, Connor Martin
 date: 2022-07-11
-modified: 2023-09-12
+modified: 2024-09-13
 tags:
 - attack.command-and-control
 - attack.t1219
@@ -63,6 +66,7 @@ detection:
 - 'relay.kaseya.net'
 - 'relay.screenconnect.com'
 - 'relay.splashtop.com'
+ - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
 - 'remotedesktop-pa.googleapis.com'
 - 'remoteutilities.com' # Usage of Remote Utilities RAT
 - 'secure.logmeinrescue.com'
@@ -70,8 +74,10 @@ detection:
 - 'static.remotepc.com'
 - 'swi-rc.com'
 - 'swi-tc.com'
+ - 'tailscale.com' # Scattered Spider threat group used this RMM tool
 - 'telemetry.servers.qetqo.com'
 - 'tmate.io'
+ - 'twingate.com' # Scattered Spider threat group used this RMM tool
 - 'zohoassist.com'
 selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
 QueryName|endswith: '.rustdesk.com'
From 23c4c0b90c983f882b5c6a763cda331e848b190f Mon Sep 17 00:00:00 2001
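Review bot: The apex entries `'tailscale.com'` and `'twingate.com'` in the last hunk will fire continuously on every host where those products are legitimately installed, because their clients are non-browser processes that resolve those names as a matter of course; that noise should be acknowledged in the `falsepositives` section (outside the hunk) or the two entries moved into a separate, lower-level selection. Their inline comments also mislabel them: both are remote-access/zero-trust networking products rather than RMM tools, and the CISA advisory added in the first hunk lists them as remote access tools, so `# Remote access tool abused by Scattered Spider (CISA AA23-320a)` would be more accurate. If the list's modifier is a plain `endswith`, as the dot-less neighbouring entries suggest, the apex values also match any longer hostname that merely ends in those characters; the modifier itself sits above the hunk, so I cannot confirm it here.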
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 23:55:08 +0200 Subject: [PATCH 060/144] Merge PR #5009 from @nasbench - Archive new rule references and update cache file chore: archive new rule references and update cache file Co-authored-by: nasbench --- .github/latest_archiver_output.md | 1060 +++++++++++++++-------------- tests/rule-references.txt | 17 + 2 files changed, 557 insertions(+), 520 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index e445e4a230d..62d375d78c9 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md @@ -1,6 +1,6 @@ # Reference Archiver Results -Last Execution: 2024-09-01 02:07:53 +Last Execution: 2024-09-15 02:05:16 ### Archiver Script Results 
@@ -11,564 +11,584 @@ N/A #### Already Archived References -- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini -- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn -- https://www.ammyy.com/en/admin_features.html -- https://blog.sekoia.io/darkgate-internals/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4 -- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983 -- https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities -- https://github.com/amjcyber/EDRNoiseMaker -- https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/ -- https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts -- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide -- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly +- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks +- 
https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content +- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections +- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 +- https://www.elastic.co/security-labs/operation-bleeding-bear +- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps +- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ +- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ +- https://gtfobins.github.io/gtfobins/nice/#shell +- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml +- https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 +- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 #### Error While Archiving References -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- 
https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://redcanary.com/blog/msix-installers/ -- https://x.com/yarden_shafir/status/1822667605175324787 -- https://github.com/rapid7/metasploit-framework/issues/11337 -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac -- https://cloud.google.com/access-context-manager/docs/audit-logging -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- 
https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation -- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ -- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://ss64.com/osx/sw_vers.html -- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ -- https://paper.seebug.org/1495/ -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- https://www.anyviewer.com/help/remote-technical-support.html +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER +- https://twitter.com/th3_protoCOL/status/1480621526764322817 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- https://labs.withsecure.com/publications/kapeka -- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps -- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ -- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html +- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things +- https://ipurple.team/2024/07/15/sharphound-detection/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- https://github.com/nettitude/SharpWSUS -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://ss64.com/mac/chflags.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- 
https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://github.com/antonioCoco/RoguePotato +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://www.tenable.com/security/research/tra-2023-11 +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt +- https://trustedsec.com/blog/oops-i-udld-it-again +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 +- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 +- https://cloud.google.com/access-context-manager/docs/audit-logging +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ +- https://ngrok.com/blog-post/new-ngrok-domains +- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://asec.ahnlab.com/en/40263/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 +- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://tria.ge/220422-1nnmyagdf2/ +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt +- 
https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +- https://docs.microsoft.com/en-us/sql/tools/bcp-utility +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ +- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ +- https://objective-see.org/blog/blog_0x6D.html +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 +- https://anydesk.com/en/changelog/windows +- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html +- https://www.loobins.io/binaries/nscurl/ +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://twitter.com/1ZRR4H/status/1537501582727778304 +- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html - https://megatools.megous.com/ -- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://github.com/embedi/CVE-2017-11882 +- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://gtfobins.github.io/gtfobins/gcc/#shell +- https://tria.ge/220422-1pw1pscfdl/ +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://www.huntress.com/blog/attacking-mssql-servers +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://paper.seebug.org/1495/ +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://linux.die.net/man/1/arecord +- https://www.action1.com/documentation/ +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://gtfobins.github.io/gtfobins/nawk/#shell +- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- https://github.com/GhostPack/SharpDPAPI +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ - 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 -- https://labs.nettitude.com/blog/introducing-sharpwsus/ -- https://www.loobins.io/binaries/tmutil/ -- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://www.tenable.com/security/research/tra-2023-11 -- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- +- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- https://asec.ahnlab.com/en/78944/ +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- 
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- https://unit42.paloaltonetworks.com/chromeloader-malware/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- https://x.com/yarden_shafir/status/1822667605175324787 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://learn.microsoft.com/en-us/windows/client-management/manage-recall +- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) -- 
https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf -- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://twitter.com/TheDFIRReport/status/1482078434327244805 -- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy +- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- https://github.com/gentilkiwi/mimikatz +- https://www.attackiq.com/2023/09/20/emulating-rhysida/ +- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 +- https://www.loobins.io/binaries/hdiutil/ +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- https://gtfobins.github.io/gtfobins/c89/#shell +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ - 
https://github.com/CICADA8-Research/RemoteKrbRelay -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ -- https://tria.ge/220422-1pw1pscfdl/ -- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html -- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://www.tarasco.org/security/pwdump_7/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens -- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior -- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ -- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://github.com/gentilkiwi/mimikatz -- https://objective-see.org/blog/blog_0x1E.html -- 
https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ -- https://www.loobins.io/binaries/hdiutil/ +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://pentestlab.blog/tag/svchost/ +- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 - https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly -- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ -- https://github.com/grayhatkiller/SharpExShell -- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 -- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 -- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://adsecurity.org/?p=3513 -- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://ss64.com/mac/hdiutil.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ -- 
https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml -- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script -- https://ss64.com/nt/shell.html -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://gtfobins.github.io/gtfobins/python/#shell +- https://gtfobins.github.io/gtfobins/flock/#shell +- https://labs.withsecure.com/publications/kapeka - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF -- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ -- https://www.huntress.com/blog/attacking-mssql-servers -- 
https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://objective-see.org/blog/blog_0x6D.html +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html +- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging +- 
https://github.com/0xthirteen/SharpMove/ +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://linux.die.net/man/1/arecord -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://tria.ge/240123-rapteaahhr/behavioral1 -- https://tria.ge/220422-1nnmyagdf2/ +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://gtfobins.github.io/gtfobins/awk/#shell +- 
https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://evasions.checkpoint.com/techniques/macos.html -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://ipurple.team/2024/07/15/sharphound-detection/ +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ - 
https://twitter.com/Kostastsale/status/1646256901506605063?s=20 -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://adsecurity.org/?p=1785 -- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl -- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- https://tria.ge/240226-fhbe7sdc39/behavioral1 -- https://bazaar.abuse.ch/browse/tag/one/ -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts -- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ -- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- https://twitter.com/th3_protoCOL/status/1536788652889497600 -- https://github.com/GhostPack/SharpDPAPI -- https://twitter.com/Cryptolaemus1/status/1517634855940632576 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://www.loobins.io/binaries/nscurl/ -- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://www.anyviewer.com/help/remote-technical-support.html +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://twitter.com/0gtweet/status/1720419490519752955 +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ +- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- 
https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation - https://twitter.com/standa_t/status/1808868985678803222 -- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa +- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain -- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- https://trustedsec.com/blog/oops-i-udld-it-again -- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser +- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://gtfobins.github.io/gtfobins/find/#shell - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 -- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ -- https://twitter.com/1ZRR4H/status/1537501582727778304 -- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 -- https://twitter.com/0gtweet/status/1720419490519752955 -- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ +- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 -- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://news.ycombinator.com/item?id=29504755 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 +- https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ +- 
https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 +- https://twitter.com/Kostastsale/status/1480716528421011458 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 +- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://tria.ge/231023-lpw85she57/behavioral2 +- https://gtfobins.github.io/gtfobins/git/#shell +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins - https://www.softperfect.com/products/networkscanner/ -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://pentestlab.blog/tag/svchost/ -- 
https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ -- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf -- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://asec.ahnlab.com/en/78944/ -- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html -- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings -- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ -- 
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings -- https://www.cve.org/CVERecord?id=CVE-2024-1709 -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles -- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- https://github.com/FalconForceTeam/SOAPHound +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://asec.ahnlab.com/en/61000/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- 
https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion +- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor +- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://www.trustedsec.com/blog/art_of_kerberoast/ +- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://ss64.com/mac/hdiutil.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://gtfobins.github.io/gtfobins/c99/#shell +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +- https://www.sans.org/cyber-security-summit/archives +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 +- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- 
http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://github.com/rapid7/metasploit-framework/issues/11337 +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf +- https://twitter.com/DTCERT/status/1712785421845790799 +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://adsecurity.org/?p=1785 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 +- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 - https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html -- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml -- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps -- https://www.action1.com/documentation/ -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/ -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://www.loobins.io/binaries/pbpaste/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://github.com/nettitude/SharpWSUS +- 
https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://ss64.com/osx/sw_vers.html +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a +- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ -- https://www.elastic.co/security-labs/operation-bleeding-bear -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://ss64.com/mac/chflags.html +- 
https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://gtfobins.github.io/gtfobins/env/#shell +- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 -- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://github.com/antonioCoco/RoguePotato -- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure -- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 -- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- 
https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack +- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ +- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ +- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://www.loobins.io/binaries/xattr/ +- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://labs.nettitude.com/blog/introducing-sharpwsus/ - https://boinc.berkeley.edu/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser - 
https://www.loobins.io/binaries/launchctl/ -- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://github.com/FalconForceTeam/SOAPHound -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac +- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ +- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ +- https://gtfobins.github.io/gtfobins/mawk/#shell +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://www.tarasco.org/security/pwdump_7/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ +- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- 
https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 -- https://tria.ge/231023-lpw85she57/behavioral2 -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa -- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +- 
https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature +- https://objective-see.org/blog/blog_0x1E.html +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 -- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 -- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change -- 
https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ -- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://asec.ahnlab.com/en/61000/ -- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 -- https://anydesk.com/en/changelog/windows -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare +- https://twitter.com/Cryptolaemus1/status/1517634855940632576 +- https://twitter.com/TheDFIRReport/status/1482078434327244805 +- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://www.loobins.io/binaries/pbpaste/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ +- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete +- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- 
https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators -- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 -- https://ss64.com/nt/set.html +- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- 
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://evasions.checkpoint.com/techniques/macos.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in +- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- https://ss64.com/nt/shell.html +- https://news.ycombinator.com/item?id=29504755 +- 
https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://support.google.com/a/answer/9261439 -- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER -- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://www.trustedsec.com/blog/art_of_kerberoast/ -- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://bazaar.abuse.ch/browse/tag/one/ +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- 
https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections -- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive -- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ -- https://twitter.com/Kostastsale/status/1480716528421011458 -- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 -- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://redcanary.com/blog/msix-installers/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ -- 
https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture -- https://twitter.com/MsftSecIntel/status/1737895710169628824 -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://localtonet.com/documents/supported-tunnels -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- 
https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc - https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 -- https://twitter.com/DTCERT/status/1712785421845790799 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ -- https://github.com/0xthirteen/SharpMove/ -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks -- 
https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html -- https://www.loobins.io/binaries/xattr/ -- https://www.sans.org/cyber-security-summit/archives -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage -- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://github.com/embedi/CVE-2017-11882 +- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html +- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file +- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ +- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu +- https://gtfobins.github.io/gtfobins/rsync/#shell +- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://tria.ge/240731-jh4crsycnb/behavioral2 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo -- https://redcanary.com/blog/threat-detection/process-masquerading/ -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- 
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://twitter.com/th3_protoCOL/status/1480621526764322817 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete -- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://ngrok.com/blog-post/new-ngrok-domains -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address -- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf -- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://github.com/grayhatkiller/SharpExShell +- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://www.cyberciti.biz/faq/linux-remove-user-command/ +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +- 
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://www.loobins.io/binaries/tmutil/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +- https://localtonet.com/documents/supported-tunnels +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 +- https://ss64.com/nt/set.html +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://adsecurity.org/?p=3513 +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector +- https://support.google.com/a/answer/9261439 +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- 
https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ diff --git a/tests/rule-references.txt b/tests/rule-references.txt index fdacaf0dce0..782f0309390 100644 --- a/tests/rule-references.txt +++ b/tests/rule-references.txt 
@@ -3791,3 +3791,20 @@ https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-r https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 +https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly +https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ +https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks +https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content +https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections +https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings +https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 +https://www.elastic.co/security-labs/operation-bleeding-bear +https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps +https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) +https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ +https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ +https://gtfobins.github.io/gtfobins/nice/#shell +https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml +https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/ +https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 
+https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
From 9db7e072231be0bab54c0e9f4f0ed55d756c6043 Mon Sep 17 00:00:00 2001
From: Alexander J <741037+jaegeral@users.noreply.github.com>
Date: Sun, 22 Sep 2024 19:14:26 +0200
Subject: [PATCH 061/144] Merge PR #5022 from @jaegeral - Fix some typos in rules metadata
chore: fix some typos in the title and description of some rules
---
 .../win_security_windows_defender_exclusions_write_access.yml | 2 +-
 .../windefend/win_defender_real_time_protection_disabled.yml | 2 +-
 .../powershell_classic/posh_pc_renamed_powershell.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
index b6f0cf9e63e..3c2c5371685 100644
--- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
+++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
@@ -1,4 +1,4 @@
-title: Windows Defender Exclusion Reigstry Key - Write Access Requested
+title: Windows Defender Exclusion Registry Key - Write Access Requested
 id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
 related:
 - id: 46a68649-f218-4f86-aea1-16a759d81820
diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
index 65d7a385748..811ead3fd3f 100644
--- a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
@@ -5,7 +5,7 @@ related:
 type: obsolete
 status: stable
 description: |
- Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
+ Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
 references:
 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index 44700a9376b..2c4b03ef91b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
 selection:
 Data|contains: 'HostName=ConsoleHost'
- # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
+ # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
 filter_main_ps:
 Data|contains:
 - 'HostApplication=powershell'
From 014d169f83a2d9a16435dcb08020bb9f79f5c1d2 Mon Sep 17 00:00:00 2001
From: Kostas
Date: Sun, 22 Sep 2024 10:26:02 -0700
Subject: [PATCH 062/144] Merge PR #5020 from @tsale - Add `Remote Access Tool - MeshAgent Command Execution via MeshCentral`
new: Remote Access Tool - MeshAgent Command Execution via MeshCentral
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...win_remote_access_tools_meshagent_exec.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
new file mode 100644
index 00000000000..22c35ffb55d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
@@ -0,0 +1,29 @@
+title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
+id: 74a2b202-73e0-4693-9a3a-9d36146d0775
+status: experimental
+description: |
+    Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
+    MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
+references:
+    - https://github.com/Ylianst/MeshAgent
+    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
+    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
+author: '@Kostastsale'
+date: 2024-09-22
+tags:
+    - attack.command-and-control
+    - attack.t1219
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        ParentImage|endswith: '\meshagent.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+    condition: selection
+falsepositives:
+    - False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
+level: medium
From 35a5eb9a4cb6f9c7a25277617806471d9999b255 Mon Sep 17 00:00:00 2001
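Review bot: The falsepositives entry names the tool `MessAgent`/`MessAgent.exe` and calls it the grandparent process, but the selection keys on `ParentImage|endswith: '\meshagent.exe'`, i.e. the direct parent of the shell, so the triage guidance contradicts what the rule matches; suggested wording: `- False positives are expected in environments that use MeshAgent for remote management. Confirm the parent process is the legitimate meshagent.exe and review the command lines of the spawned cmd/powershell/pwsh children for suspicious interactive activity.` Matching only on the default file name also means a renamed or custom-branded agent binary will not trigger the rule, which is worth stating in the description since MeshCentral deployments appear to allow custom agent names (not verifiable from this hunk). Legitimate administrators opening remote shells through MeshCentral produce exactly this parent/child pair, so the medium level depends on CommandLine review during triage rather than on the match itself.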
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com> Date: Sun, 22 Sep 2024 19:29:20 +0200 Subject: [PATCH 063/144] Merge PR #5013 from @ruppde - Update linux scanning rules update: Linux HackTool Execution - Remove "zenmap" and "nmap" as they are already covered by 3e102cd9-a70d-4a7a-9508-403963092f31 update: Linux Network Service Scanning Tools Execution - Add "zenmap" utility --- .../proc_creation_lnx_susp_hktl_execution.yml | 4 +--- .../proc_creation_lnx_susp_network_utilities_execution.yml | 3 ++- 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
index 73526a6df76..58217791331 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml
@@ -14,7 +14,7 @@ references:
     - https://github.com/Pennyw0rth/NetExec/
 author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
 date: 2023-01-03
-modified: 2023-10-25
+modified: 2024-09-19
 tags:
     - attack.execution
     - attack.resource-development
@@ -47,10 +47,8 @@ detection:
             - '/legion'
             - '/naabu'
             - '/netdiscover'
-            - '/nmap'
             - '/nuclei'
             - '/recon-ng'
-            - '/zenmap'
     selection_scanners_sniper:
         Image|contains: '/sniper'
     selection_web_enum:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml b/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
index 9dd224d6b9f..3dbfbf8e3cf 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml
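Review bot: Removing `/nmap` and `/zenmap` from this hacktool rule makes the discovery rule 3e102cd9-… the only coverage for nmap, and if that rule carries a lower level than this one (neither level is visible in the hunk) the change silently downgrades the severity of nmap execution; that is a defensible de-duplication, but the intent should be recorded in this rule's description or the `modified` note rather than only in the PR text. The scanner selection this hunk edits starts outside the hunk, so verify that the list's key and any remaining entries (e.g. nmap wrappers such as `masscan`-style aliases) are still what the rule's condition expects after the two deletions.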
@@ -8,7 +8,7 @@ references:
     - https://github.com/Tib3rius/AutoRecon
 author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
 date: 2020-10-21
-modified: 2023-10-25
+modified: 2024-09-19
 tags:
     - attack.discovery
     - attack.t1046
@@ -32,6 +32,7 @@ detection:
             - '/nmap'
             - '/nping'
             - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
+            - '/zenmap'
     filter_main_netcat_listen_flag:
         CommandLine|contains:
             - ' --listen '
From 8ebc58cf42124a3dbfb5c8ba5cde92cc1a20853b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 14:55:39 +0200 Subject: [PATCH 064/144] Merge PR #5028 from @nasbench - Archive new rule references and update cache file chore: archive new rule references and update cache file Co-authored-by: nasbench --- .github/latest_archiver_output.md | 1064 ++++++++++++++--------------- tests/rule-references.txt | 16 + 2 files changed, 541 insertions(+), 539 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index 62d375d78c9..dd075557ff0 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md @@ -1,6 +1,6 @@ # Reference Archiver Results -Last Execution: 2024-09-15 02:05:16 +Last Execution: 2024-10-01 02:09:15 ### Archiver Script Results 
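Review bot: The added `'/zenmap'` entry sits in a list that, judging by the sibling hacktool rule's `Image|contains:` selections, is matched against the process image path, but zenmap is distributed as a Python script; on Linux process-creation sources (Sysmon for Linux, auditd) the image/exe field typically resolves to the interpreter binary while the script path appears only in the command line, so this entry may never fire — worth confirming against a real execution. If that holds, add a parallel selection `selection_cmdline: CommandLine|contains: '/zenmap'` and OR it into the condition so both the image and command-line forms are covered. The selection's key and the rule's `condition` are outside this hunk.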
@@ -11,584 +11,570 @@ N/A #### Already Archived References -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly -- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks -- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content -- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections -- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 -- https://www.elastic.co/security-labs/operation-bleeding-bear -- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps -- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/ -- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ -- https://gtfobins.github.io/gtfobins/nice/#shell -- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml -- https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 -- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 +- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture +- 
https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ +- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature +- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://x.com/yarden_shafir/status/1822667605175324787 +- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt +- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml +- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 +- https://anydesk.com/en/changelog/windows +- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html +- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior #### Error While Archiving References +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://redcanary.com/blog/msix-installers/ +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://ss64.com/nt/shell.html +- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/ - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- https://objective-see.org/blog/blog_0x1E.html +- https://gtfobins.github.io/gtfobins/env/#shell +- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ +- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- 
https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- 
https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://bazaar.abuse.ch/browse/tag/one/ +- https://twitter.com/Kostastsale/status/1480716528421011458 +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://www.loobins.io/binaries/pbpaste/ +- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://twitter.com/standa_t/status/1808868985678803222 +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://gtfobins.github.io/gtfobins/nawk/#shell +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -- 
https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml -- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER -- https://twitter.com/th3_protoCOL/status/1480621526764322817 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html -- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things -- https://ipurple.team/2024/07/15/sharphound-detection/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://github.com/0xthirteen/SharpMove/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address +- 
https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu +- https://megatools.megous.com/ +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- https://www.action1.com/documentation/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://www.loobins.io/binaries/nscurl/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 +- https://linux.die.net/man/1/arecord - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- https://github.com/antonioCoco/RoguePotato -- 
https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://www.tenable.com/security/research/tra-2023-11 -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt -- https://trustedsec.com/blog/oops-i-udld-it-again -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 -- https://cloud.google.com/access-context-manager/docs/audit-logging -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://ngrok.com/blog-post/new-ngrok-domains -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- 
https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - https://tria.ge/240521-ynezpagf56/behavioral1 +- https://github.com/FalconForceTeam/SOAPHound - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://asec.ahnlab.com/en/40263/ -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://twitter.com/th3_protoCOL/status/1536788652889497600 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 -- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://tria.ge/220422-1nnmyagdf2/ -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt -- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- 
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ -- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ -- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://objective-see.org/blog/blog_0x6D.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://anydesk.com/en/changelog/windows -- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html -- https://www.loobins.io/binaries/nscurl/ -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 -- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://twitter.com/1ZRR4H/status/1537501582727778304 -- 
https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://megatools.megous.com/ -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://github.com/embedi/CVE-2017-11882 -- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 -- https://gtfobins.github.io/gtfobins/gcc/#shell -- https://tria.ge/220422-1pw1pscfdl/ -- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC -- https://www.huntress.com/blog/attacking-mssql-servers -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation -- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ -- https://paper.seebug.org/1495/ -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- https://linux.die.net/man/1/arecord -- https://www.action1.com/documentation/ -- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://gtfobins.github.io/gtfobins/nawk/#shell -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt -- https://github.com/GhostPack/SharpDPAPI -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html -- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://asec.ahnlab.com/en/78944/ -- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- https://gtfobins.github.io/gtfobins/git/#shell +- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 +- 
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://www.loobins.io/binaries/launchctl/ +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://gtfobins.github.io/gtfobins/flock/#shell +- https://github.com/GhostPack/SharpDPAPI - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://x.com/yarden_shafir/status/1822667605175324787 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- 
https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ -- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://github.com/gentilkiwi/mimikatz -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections -- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://trustedsec.com/blog/oops-i-udld-it-again +- https://www.loobins.io/binaries/tmutil/ +- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector +- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 -- https://www.loobins.io/binaries/hdiutil/ -- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://gtfobins.github.io/gtfobins/c89/#shell -- 
https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- https://github.com/CICADA8-Research/RemoteKrbRelay -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization +- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://gtfobins.github.io/gtfobins/rsync/#shell +- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ +- https://www.tarasco.org/security/pwdump_7/ +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- 
https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ - https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://github.com/nettitude/SharpWSUS +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- 
https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://tria.ge/220422-1pw1pscfdl/ +- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://ss64.com/mac/chflags.html +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 +- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://github.com/antonioCoco/RoguePotato +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://localtonet.com/documents/supported-tunnels +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://tria.ge/220422-1nnmyagdf2/ +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://twitter.com/TheDFIRReport/status/1482078434327244805 +- 
https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ - https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://gtfobins.github.io/gtfobins/capsh/#shell -- https://pentestlab.blog/tag/svchost/ +- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion +- https://twitter.com/0gtweet/status/1720419490519752955 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown +- 
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- https://asec.ahnlab.com/en/78944/ +- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://gtfobins.github.io/gtfobins/awk/#shell +- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +- https://www.trustedsec.com/blog/art_of_kerberoast/ +- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ +- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa +- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 +- https://www.sans.org/cyber-security-summit/archives +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace - https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://github.com/Ylianst/MeshAgent +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites +- 
https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ - https://gtfobins.github.io/gtfobins/python/#shell -- https://gtfobins.github.io/gtfobins/flock/#shell -- https://labs.withsecure.com/publications/kapeka -- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://evasions.checkpoint.com/techniques/macos.html +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://twitter.com/DTCERT/status/1712785421845790799 +- https://ss64.com/nt/set.html - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 +- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ +- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ +- https://twitter.com/th3_protoCOL/status/1480621526764322817 +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- https://github.com/embedi/CVE-2017-11882 +- https://objective-see.org/blog/blog_0x6D.html +- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- 
https://ipurple.team/2024/07/15/sharphound-detection/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://paper.seebug.org/1495/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN +- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ +- https://gtfobins.github.io/gtfobins/mawk/#shell +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor +- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://github.com/0xthirteen/SharpMove/ -- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://www.tenable.com/security/research/tra-2023-11 +- https://boinc.berkeley.edu/ +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://asec.ahnlab.com/en/40263/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 - https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ -- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://gtfobins.github.io/gtfobins/awk/#shell -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- 
https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ -- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ -- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://www.anyviewer.com/help/remote-technical-support.html -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -- https://twitter.com/0gtweet/status/1720419490519752955 -- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ -- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- 
https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://twitter.com/1ZRR4H/status/1537501582727778304 +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- https://ss64.com/mac/hdiutil.html +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://twitter.com/standa_t/status/1808868985678803222 -- https://securelist.com/network-tunneling-with-qemu/111803/ -- 
https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa -- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ -- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain -- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://github.com/rapid7/metasploit-framework/issues/11337 - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://gtfobins.github.io/gtfobins/find/#shell -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- 
https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
-- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
-- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
-- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
-- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+- https://www.attackiq.com/2023/09/20/emulating-rhysida/
+- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
+- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
-- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
-- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
+- https://securelist.com/network-tunneling-with-qemu/111803/
+- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
+- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
+- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
+- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
 - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
-- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
-- https://tria.ge/240226-fhbe7sdc39/behavioral1
-- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
-- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
-- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
-- https://twitter.com/Kostastsale/status/1480716528421011458
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
-- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
-- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
-- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
-- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
-- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
-- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
-- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
-- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
-- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
-- https://tria.ge/231023-lpw85she57/behavioral2
-- https://gtfobins.github.io/gtfobins/git/#shell
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
-- https://www.softperfect.com/products/networkscanner/
-- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
-- https://github.com/FalconForceTeam/SOAPHound
-- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
 - https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
-- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
-- https://asec.ahnlab.com/en/61000/
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
-- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
-- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
-- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
-- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
-- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
-- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
-- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
-- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
-- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
-- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
-- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
-- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
-- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
-- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
-- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
-- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
-- https://www.trustedsec.com/blog/art_of_kerberoast/
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
-- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
-- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
-- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
-- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
-- https://ss64.com/mac/hdiutil.html
+- https://www.cve.org/CVERecord?id=CVE-2024-1709
+- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
+- https://www.loobins.io/binaries/hdiutil/
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
-- https://gtfobins.github.io/gtfobins/c99/#shell
-- https://x.com/Max_Mal_/status/1826179497084739829
-- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
-- https://www.sans.org/cyber-security-summit/archives
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
-- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
-- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
-- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
-- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
-- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
-- https://github.com/rapid7/metasploit-framework/issues/11337
-- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
-- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
-- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
-- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
-- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
-- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
-- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
-- https://twitter.com/DTCERT/status/1712785421845790799
-- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
-- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
-- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
-- https://adsecurity.org/?p=1785
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
-- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
-- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
-- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
-- https://www.group-ib.com/resources/threat-research/red-curl-2.html
-- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
-- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
-- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
-- https://tria.ge/240123-rapteaahhr/behavioral1
-- https://github.com/nettitude/SharpWSUS
-- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
-- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
-- https://ss64.com/osx/sw_vers.html
-- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
-- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
-- https://www.fortiguard.com/psirt/FG-IR-22-398
-- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
+- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
+- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
+- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
+- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
+- https://support.google.com/a/answer/9261439
+- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
 - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
-- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
-- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
-- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706
-- https://ss64.com/mac/chflags.html
-- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
-- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
-- https://gtfobins.github.io/gtfobins/env/#shell
-- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
-- https://gtfobins.github.io/gtfobins/gawk/#shell
-- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
-- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
-- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
+- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
+- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
+- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
+- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
+- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
+- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692
+- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
 - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
-- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
-- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
-- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
-- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
-- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
-- https://www.loobins.io/binaries/xattr/
+- https://www.cyberciti.biz/faq/linux-remove-user-command/
 - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
-- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
-- https://www.group-ib.com/blog/apt41-world-tour-2021/
-- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
-- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
+- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
+- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
+- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
-- https://labs.nettitude.com/blog/introducing-sharpwsus/
-- https://boinc.berkeley.edu/
-- https://www.loobins.io/binaries/launchctl/
-- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
-- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
-- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
-- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
-- https://gtfobins.github.io/gtfobins/mawk/#shell
-- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
-- https://www.tarasco.org/security/pwdump_7/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
-- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
-- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
+- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
+- https://news.ycombinator.com/item?id=29504755
+- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
+- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
+- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
+- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
+- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
+- https://www.huntress.com/blog/attacking-mssql-servers
+- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
+- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
+- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
+- https://ngrok.com/blog-post/new-ngrok-domains
+- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
+- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
+- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
+- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
+- https://gtfobins.github.io/gtfobins/find/#shell
+- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
+- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
+- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
+- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
+- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
+- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
+- https://www.anyviewer.com/help/remote-technical-support.html
+- https://tria.ge/240226-fhbe7sdc39/behavioral1
 - https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
-- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
-- https://web.archive.org/web/20231210115125/http://www.xuetr.com/
-- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
-- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
-- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
-- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
-- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
-- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
-- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
-- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature
-- https://objective-see.org/blog/blog_0x1E.html
-- https://twitter.com/Max_Mal_/status/1775222576639291859
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
-- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
-- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
-- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
-- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
+- https://github.com/grayhatkiller/SharpExShell
+- https://gtfobins.github.io/gtfobins/gcc/#shell
+- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
 - https://twitter.com/Cryptolaemus1/status/1517634855940632576
-- https://twitter.com/TheDFIRReport/status/1482078434327244805
-- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
-- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
-- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
-- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
-- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
-- https://tria.ge/231212-r1bpgaefar/behavioral2
-- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
-- https://www.loobins.io/binaries/pbpaste/
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
-- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
-- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
-- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
-- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
-- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
-- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
-- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
-- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
 - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
-- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
-- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
-- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
-- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
-- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
-- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
-- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
-- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
-- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
-- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
-- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
-- https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
-- https://evasions.checkpoint.com/techniques/macos.html
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
-- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
+- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
+- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
+- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
+- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
+- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
+- https://www.loobins.io/binaries/xattr/
+- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
+- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
+- https://cloud.google.com/access-context-manager/docs/audit-logging
+- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
 - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
-- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
-- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
-- https://ss64.com/nt/shell.html
-- https://news.ycombinator.com/item?id=29504755
-- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps
-- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
-- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
-- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
-- https://bazaar.abuse.ch/browse/tag/one/
-- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
-- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
-- https://www.cve.org/CVERecord?id=CVE-2024-1709
-- https://redcanary.com/blog/msix-installers/
-- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
-- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
-- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
-- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
+- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
+- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
+- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+- https://gtfobins.github.io/gtfobins/c89/#shell
+- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
+- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
+- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
+- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
+- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
+- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
+- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
+- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
+- https://github.com/gentilkiwi/mimikatz
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
+- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
+- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
+- https://ss64.com/osx/sw_vers.html
 - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
-- https://tria.ge/240731-jh4crsycnb/behavioral2
-- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
-- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
-- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
-- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
-- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
-- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
-- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
-- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
-- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
-- https://gtfobins.github.io/gtfobins/rsync/#shell
-- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
-- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
-- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
-- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
+- https://adsecurity.org/?p=3513
+- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
+- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
+- https://www.softperfect.com/products/networkscanner/
 - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
-- https://github.com/grayhatkiller/SharpExShell
-- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
-- https://x.com/_st0pp3r_/status/1742203752361128162?s=20
-- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
-- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
-- https://www.cyberciti.biz/faq/linux-remove-user-command/
+- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
 - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
-- https://twitter.com/MsftSecIntel/status/1737895710169628824
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
-- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
-- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
-- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
-- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
-- https://www.loobins.io/binaries/tmutil/
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
-- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
-- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
-- https://localtonet.com/documents/supported-tunnels
-- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
-- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
-- https://ss64.com/nt/set.html
-- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
-- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
-- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
-- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
-- https://adsecurity.org/?p=3513
-- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
+- https://tria.ge/231023-lpw85she57/behavioral2
+- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
+- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
 - 
https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://support.google.com/a/answer/9261439 -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://adsecurity.org/?p=1785 +- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file +- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 +- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://asec.ahnlab.com/en/61000/ +- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://pentestlab.blog/tag/svchost/ +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://gtfobins.github.io/gtfobins/c99/#shell +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://unit42.paloaltonetworks.com/chromeloader-malware/ +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- 
https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue +- https://labs.withsecure.com/publications/kapeka +- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference diff --git a/tests/rule-references.txt b/tests/rule-references.txt index 782f0309390..65c2fa05e8c 100644 --- a/tests/rule-references.txt +++ b/tests/rule-references.txt 
@@ -3808,3 +3808,19 @@ https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/init
 https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/
 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
 https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
+https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
+https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
+https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature
+https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+https://x.com/yarden_shafir/status/1822667605175324787
+https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
+https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
+https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
+https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
+https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
+https://anydesk.com/en/changelog/windows
+https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
+https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
From 08c52c367c6a7fbaccc0138ab85ba73070678d72 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 14:56:09 +0200 Subject: [PATCH 065/144] Merge PR #5027 from @nasbench - Promote older rules status from `experimental` to `test` chore: promote older rules status from experimental to test Co-authored-by: nasbench --- ...on_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml | 2 +- ..._win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml | 2 +- .../proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml | 2 +- .../web_exploit_cve_2023_22518_confluence_auth_bypass.yml | 2 +- .../CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml | 2 +- .../web_cve_2023_46214_rce_splunk_enterprise_poc.yml | 2 +- .../proxy_cve_2023_46747_f5_remote_code_execution.yml | 2 +- .../web_cve_2023_46747_f5_remote_code_execution.yml | 2 +- ...023_4966_citrix_sensitive_information_disclosure_exploit.yml | 2 +- ..._citrix_sensitive_information_disclosure_exploit_attempt.yml | 2 +- ...023_4966_citrix_sensitive_information_disclosure_exploit.yml | 2 +- ..._citrix_sensitive_information_disclosure_exploit_attempt.yml | 2 +- .../Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml | 2 +- .../TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml | 2 +- .../Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml | 2 +- ...roc_creation_win_apt_lace_tempest_cobalt_strike_download.yml | 2 +- .../proc_creation_win_apt_lace_tempest_loader_execution.yml | 2 +- .../file/file_rename/file_rename_win_non_dll_to_dll_ext.yml | 2 +- .../proc_access_win_lsass_susp_source_process.yml | 2 +- .../proc_creation_win_powershell_crypto_namespace.yml | 2 +- .../proc_creation_win_powershell_import_module.yml | 2 +- .../proc_creation_win_susp_elevated_system_shell.yml | 2 +- .../registry_set/registry_set_powershell_crypto_namespace.yml | 2 +- .../process_creation/proc_creation_lnx_dd_process_injection.yml | 2 +- .../web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml | 2 +- 
.../webserver_generic/web_f5_tm_utility_bash_api_request.yml | 2 +- .../win_security_service_install_remote_access_software.yml | 2 +- .../microsoft_windows_eventlog/win_system_eventlog_cleared.yml | 2 +- .../win_system_susp_eventlog_cleared.yml | 2 +- .../create_remote_thread_win_powershell_susp_targets.yml | 2 +- .../dns_query/dns_query_win_devtunnels_communication.yml | 2 +- .../dns_query/dns_query_win_vscode_tunnel_communication.yml | 2 +- rules/windows/driver_load/driver_load_win_mal_drivers.yml | 2 +- rules/windows/driver_load/driver_load_win_mal_drivers_names.yml | 2 +- rules/windows/driver_load/driver_load_win_vuln_drivers.yml | 2 +- .../windows/driver_load/driver_load_win_vuln_drivers_names.yml | 2 +- .../image_load/image_load_dll_rstrtmgr_suspicious_load.yml | 2 +- .../image_load/image_load_dll_rstrtmgr_uncommon_load.yml | 2 +- .../network_connection/net_connection_win_domain_devtunnels.yml | 2 +- .../net_connection_win_domain_vscode_tunnel_connection.yml | 2 +- .../powershell/powershell_script/posh_ps_hktl_winpwn.yml | 2 +- .../process_access/proc_access_win_hktl_generic_access.yml | 2 +- .../process_access/proc_access_win_lsass_susp_access_flag.yml | 2 +- .../proc_creation_win_browsers_chromium_load_extension.yml | 2 +- .../proc_creation_win_browsers_chromium_susp_load_extension.yml | 2 +- .../process_creation/proc_creation_win_cmd_unusual_parent.yml | 2 +- .../proc_creation_win_findstr_recon_everyone.yml | 2 +- .../proc_creation_win_findstr_security_keyword_lookup.yml | 2 +- .../proc_creation_win_gpg4win_portable_execution.yml | 2 +- .../windows/process_creation/proc_creation_win_hktl_winpwn.yml | 2 +- .../process_creation/proc_creation_win_imewbdld_download.yml | 2 +- .../proc_creation_win_msedge_proxy_download.yml | 2 +- .../proc_creation_win_msxsl_remote_execution.yml | 2 +- .../proc_creation_win_office_excel_dcom_lateral_movement.yml | 2 +- .../proc_creation_win_powershell_decrypt_pattern.yml | 2 +- 
.../process_creation/proc_creation_win_schtasks_env_folder.yml | 2 +- .../process_creation/proc_creation_win_squirrel_download.yml | 2 +- .../proc_creation_win_squirrel_proxy_execution.yml | 2 +- .../proc_creation_win_susp_electron_execution_proxy.yml | 2 +- ..._creation_win_susp_elevated_system_shell_uncommon_parent.yml | 2 +- .../proc_creation_win_susp_ms_appinstaller_download.yml | 2 +- .../process_creation/proc_creation_win_susp_non_exe_image.yml | 2 +- ...roc_creation_win_whoami_execution_from_high_priv_process.yml | 2 +- .../process_creation/proc_creation_win_whoami_output.yml | 2 +- .../proc_creation_win_whoami_parent_anomaly.yml | 2 +- .../proc_creation_win_winget_add_susp_custom_source.yml | 2 +- .../process_tampering/proc_tampering_susp_process_hollowing.yml | 2 +- .../registry_set/registry_set_disable_function_user.yml | 2 +- .../registry_set/registry_set_ime_non_default_extension.yml | 2 +- .../registry/registry_set/registry_set_ime_suspicious_paths.yml | 2 +- .../registry_set_netsh_help_dll_persistence_susp_location.yml | 2 +- .../registry_set_netsh_helper_dll_potential_persistence.yml | 2 +- .../registry_set_persistence_shim_database_susp_application.yml | 2 +- 73 files changed, 73 insertions(+), 73 deletions(-) diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml index f8536343146..489b3864998 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml 
@@ -3,7 +3,7 @@ id: f8987c03-4290-4c96-870f-55e75ee377f4 related: - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db type: similar -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml index c4644193a21..9e9cd3be108 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml @@ -3,7 +3,7 @@ id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db related: - id: f8987c03-4290-4c96-870f-55e75ee377f4 type: similar -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml index 195eddee17d..42c141ab705 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml 
@@ -3,7 +3,7 @@ id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6 related: - id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c type: similar -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml index 9d49404ce96..4ecbbb85e2b 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml @@ -3,7 +3,7 @@ id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c related: - id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6 type: similar -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml index 874de100c01..1809bcfc71a 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml 
@@ -3,7 +3,7 @@ id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5 related: - id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8 type: derived -status: experimental +status: test description: | Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml index afa5ecccf93..89c6d525e4d 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml @@ -3,7 +3,7 @@ id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8 related: - id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5 type: derived -status: experimental +status: test description: | Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code references: diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml index b41777dbd84..66f733f1e1e 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml @@ -3,7 +3,7 @@ id: f195b2ff-e542-41bf-8d91-864fb81e5c20 related: - id: e9928831-ba14-42ea-a4bc-33d352b9929a type: similar -status: experimental +status: test description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP. references: - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml index 5877736d0b1..e2442c1e6be 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml @@ -3,7 +3,7 @@ id: e9928831-ba14-42ea-a4bc-33d352b9929a related: - id: f195b2ff-e542-41bf-8d91-864fb81e5c20 type: similar -status: experimental +status: test description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP. references: - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml index 7631cdfa2d3..fa2a2fed860 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml @@ -7,7 +7,7 @@ related: type: similar - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit type: similar -status: experimental +status: test description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string. references: - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml index 3112cb17a52..cad7b143b0f 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml @@ -7,7 +7,7 @@ related: type: similar - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit type: similar -status: experimental +status: test description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs. references: - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml index 54c0337e717..761f1e671ce 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml 
@@ -7,7 +7,7 @@ related: type: similar - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit type: similar -status: experimental +status: test description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs. references: - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml index fa3d4a59ffa..a0ae0719f98 100644 --- a/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml @@ -7,7 +7,7 @@ related: type: similar - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit type: similar -status: experimental +status: test description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string. references: - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml index 39229e476a7..190225ce20d 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml 
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml @@ -1,6 +1,6 @@ title: Lace Tempest File Indicators id: e94486ea-2650-4548-bf25-88cbd0bb32d7 -status: experimental +status: test description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7 references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml index daaf4621f61..a4f492b19e8 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml @@ -1,6 +1,6 @@ title: Lace Tempest PowerShell Evidence Eraser id: b377ddab-502d-4519-9e8c-5590033d2d70 -status: experimental +status: test description: | Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team references: diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml index 1bbdcdf8a1b..e1caed0d4ea 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml @@ -1,6 +1,6 @@ title: Lace Tempest PowerShell Launcher id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651 -status: experimental +status: test description: | Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team references: 
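Review bot: The `description` carried onto the new side of the file_event_win_apt_lace_tempest_indicators.yml hunk still attributes the indicators to FIN7 ("which was seen being used often in PowerShell scripts by FIN7"), while the title, the rule's Lace Tempest siblings in this same commit and the SysAid reference all concern Lace Tempest, so the metadata being promoted to `test` is internally inconsistent. This reads like a carry-over from another rule rather than a deliberate attribution; if so, the line should be brought in line with the sibling rules, e.g. `description: Detects PowerShell script file creation with specific names or suffixes which were seen being used by Lace Tempest as reported by SysAid Team`. A status promotion is a natural point to correct this, since analysts triaging a hit will read the description to understand what threat the rule covers.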
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml index 2668b724493..c9ce683ae5c 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml @@ -1,6 +1,6 @@ title: Lace Tempest Cobalt Strike Download id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d -status: experimental +status: test description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml index 2f090535868..2edda535133 100644 --- a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml +++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml @@ -1,6 +1,6 @@ title: Lace Tempest Malware Loader Execution id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d -status: experimental +status: test description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml index 6db891ec2f8..4ef616ca9c8 100644 
--- a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml +++ b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml @@ -1,6 +1,6 @@ title: Non-DLL Extension File Renamed With DLL Extension id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: experimental +status: test description: | Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions. references: diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml index 76ca3d3d8f1..0b22994844d 100644 --- a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml +++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml @@ -1,6 +1,6 @@ title: LSASS Access From Program In Potentially Suspicious Folder id: fa34b441-961a-42fa-a100-ecc28c886725 -status: experimental +status: test description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml index 0c086f5f2b5..6146715441c 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml 
@@ -1,6 +1,6 @@
 title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
 id: ad856965-f44d-42a8-945e-bbf7bd03d05a
-status: experimental
+status: test
 description: |
 Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
 The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
index d5881c60f7c..3fff9a17ac2 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
@@ -1,6 +1,6 @@
 title: Import New Module Via PowerShell CommandLine
 id: 4ad74d01-f48c-42d0-b88c-b31efa4d2262
-status: experimental
+status: test
 description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
index 90c97d973d5..2d3e7a8b1ee 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
@@ -3,7 +3,7 @@ id: 61065c72-5d7d-44ef-bf41-6a36684b545f
 related:
 - id: 178e615d-e666-498b-9630-9ed363038101
 type: similar
-status: experimental
+status: test
 description: |
 Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
 references:
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
index 9dcd72d35a9..bdd8cc5b07c 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -1,6 +1,6 @@
 title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
 id: 1c2a3268-3881-414a-80af-a5b313b14c0e
-status: experimental
+status: test
 description: |
 Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
 The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
index 468b38d9650..38d01030647 100644
--- a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
@@ -1,6 +1,6 @@
 title: Potential Linux Process Code Injection Via DD Utility
 id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
-status: experimental
+status: test
 description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
 references:
 - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
diff --git a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml
index 6a2f8c07bd8..a48451d7c63 100644
--- a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml
+++ b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml
@@ -3,7 +3,7 @@ id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
 related:
 - id: 85254a62-22be-4239-b79c-2ec17e566c37
 type: similar
-status: experimental
+status: test
 description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
 references:
 - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
diff --git a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
index e57e2c6ea64..a240e62ec5b 100644
--- a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
+++ b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
@@ -3,7 +3,7 @@ id: 85254a62-22be-4239-b79c-2ec17e566c37
 related:
 - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
 type: similar
-status: experimental
+status: test
 description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
 references:
 - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
index a67b53e1302..e21a9959cba 100644
--- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
@@ -3,7 +3,7 @@ id: c8b00925-926c-47e3-beea-298fd563728e
 related:
 - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
 type: similar
-status: experimental
+status: test
 description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
 references:
 - https://redcanary.com/blog/misbehaving-rats/
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
index 961484a1149..853e5c76a7c 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
@@ -7,7 +7,7 @@ related:
 type: derived
 - id: 100ef69e-3327-481c-8e5c-6d80d9507556
 type: derived
-status: experimental
+status: test
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
 references:
 - https://twitter.com/deviouspolack/status/832535435960209408
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
index a52cbbdbb98..4899504cd8c 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
@@ -3,7 +3,7 @@ id: 100ef69e-3327-481c-8e5c-6d80d9507556
 related:
 - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
 type: derived
-status: experimental
+status: test
 description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
 references:
 - https://twitter.com/deviouspolack/status/832535435960209408
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
index 1a1dfe74173..cdb746f7062 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
@@ -3,7 +3,7 @@ id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 related:
 - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 type: similar
-status: experimental
+status: test
 description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
 references:
 - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
diff --git a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
index 23874013d64..50d60b0da81 100644
--- a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
 type: similar
-status: experimental
+status: test
 description: |
 Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 references:
diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
index 55bb4a6b457..43ce8397a76 100644
--- a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
+++ b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
@@ -7,7 +7,7 @@ related:
 type: similar
 - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
 type: similar
-status: experimental
+status: test
 description: |
 Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 references:
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers.yml b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
index 2562839bf56..3c29bb1168b 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
@@ -1,6 +1,6 @@
 title: Malicious Driver Load
 id: 05296024-fe8a-4baf-8f3d-9a5f5624ceb2
-status: experimental
+status: test
 description: Detects loading of known malicious drivers via their hash.
 references:
 - https://loldrivers.io/
diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
index 75976e61dc3..49c631b5ac8 100644
--- a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
@@ -1,6 +1,6 @@
 title: Malicious Driver Load By Name
 id: 39b64854-5497-4b57-a448-40977b8c9679
-status: experimental
+status: test
 description: Detects loading of known malicious drivers via the file name of the drivers.
 references:
 - https://loldrivers.io/
diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
index b883188fe72..3909b7b6e06 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
@@ -1,6 +1,6 @@ title: Vulnerable Driver Load id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8 -status: experimental +status: test description: Detects loading of known vulnerable drivers via their hash. references: - https://loldrivers.io/ diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml index cf10371c7ec..e56a0c68a71 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml @@ -1,6 +1,6 @@ title: Vulnerable Driver Load By Name id: 72cd00d6-490c-4650-86ff-1d11f491daa1 -status: experimental +status: test description: Detects the load of known vulnerable drivers via the file name of the drivers. references: - https://loldrivers.io/ diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml index 57b56ee490d..1c8700fe726 100644 --- a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml +++ b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml @@ -3,7 +3,7 @@ id: b48492dc-c5ef-4572-8dff-32bc241c15c8 related: - id: 3669afd2-9891-4534-a626-e5cf03810a61 type: derived -status: experimental +status: test description: | Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml index 87094ee6545..ce795d7e0db 100644 --- a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml +++ b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml 
@@ -3,7 +3,7 @@ id: 3669afd2-9891-4534-a626-e5cf03810a61 related: - id: b48492dc-c5ef-4572-8dff-32bc241c15c8 type: derived -status: experimental +status: test description: | Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. diff --git a/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml b/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml index 23efcc69ae1..058eae6cf3c 100644 --- a/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml +++ b/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml @@ -7,7 +7,7 @@ related: type: similar - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels type: similar -status: experimental +status: test description: | Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: diff --git a/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml b/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml index 1c5a7826e81..491ac9ee1e0 100644 --- a/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml +++ b/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml @@ -7,7 +7,7 @@ related: type: similar - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels type: similar -status: experimental +status: test description: | Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
index b2ac4e5772d..c03ea5301a9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
@@ -3,7 +3,7 @@ id: 851fd622-b675-4d26-b803-14bc7baa517a
 related:
 - id: d557dc06-62e8-4468-a8e8-7984124908ce
 type: similar
-status: experimental
+status: test
 description: |
 Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
 author: Swachchhanda Shrawan Poudel
diff --git a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
index d25f8ad0020..78e53c1d44b 100644
--- a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
@@ -1,6 +1,6 @@
 title: HackTool - Generic Process Access
 id: d0d2f720-d14f-448d-8242-51ff396a334e
-status: experimental
+status: test
 description: Detects process access requests from hacktool processes based on their default image name
 references:
 - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
diff --git a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
index 6e8dd7f0083..1d37e17af53 100644
--- a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
@@ -3,7 +3,7 @@ id: a18dd26b-6450-46de-8c91-9659150cf088
 related:
 - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
 type: similar
-status: experimental
+status: test
 description: Detects process access requests to LSASS process with potentially suspicious access flags
 references:
 - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
index 0624aa3ebe6..45a3a5d97e4 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
@@ -3,7 +3,7 @@ id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
 related:
 - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
 type: similar
-status: experimental
+status: test
 description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
 references:
 - https://redcanary.com/blog/chromeloader/
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
index 504d235589f..959f37fad3c 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
@@ -3,7 +3,7 @@ id: 27ba3207-dd30-4812-abbf-5d20c57d474e
 related:
 - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
 type: similar
-status: experimental
+status: test
 description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
 references:
 - https://redcanary.com/blog/chromeloader/
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
index 322622e2f6b..b8e5ddd2df1 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
@@ -1,6 +1,6 @@
 title: Unusual Parent Process For Cmd.EXE
 id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
-status: experimental
+status: test
 description: Detects suspicious parent process for cmd.exe
 references:
 - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
index 8cda1589441..9d6198045a1 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
@@ -1,6 +1,6 @@
 title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
 id: 47e4bab7-c626-47dc-967b-255608c9a920
-status: experimental
+status: test
 description: |
 Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
 This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
index 818da4f4ee6..c965a45a02b 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
@@ -3,7 +3,7 @@ id: 4fe074b4-b833-4081-8f24-7dcfeca72b42 related: - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 type: derived -status: experimental +status: test description: | Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter. diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml index f413b31b2a6..f46af06370c 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml @@ -1,6 +1,6 @@ title: Portable Gpg.EXE Execution id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 -status: experimental +status: test description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data. references: - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml index 014da3783fc..208ef882b01 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml @@ -3,7 +3,7 @@ id: d557dc06-62e8-4468-a8e8-7984124908ce related: - id: 851fd622-b675-4d26-b803-14bc7baa517a type: similar -status: experimental +status: test description: | Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. author: Swachchhanda Shrawan Poudel 
diff --git a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml
index 487a9408181..122e49c9b81 100644
--- a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml
@@ -3,7 +3,7 @@ id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
 related:
 - id: 8d7e392e-9b28-49e1-831d-5949c6281228
 type: derived
-status: experimental
+status: test
 description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
diff --git a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
index abbb5ac3ccf..79e890f18fc 100644
--- a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
@@ -1,6 +1,6 @@
 title: Arbitrary File Download Via MSEDGE_PROXY.EXE
 id: e84d89c4-f544-41ca-a6af-4b92fd38b023
-status: experimental
+status: test
 description: Detects usage of "msedge_proxy.exe" to download arbitrary files
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
index 696d8d25d80..e22aa8d9ea4 100644
--- a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
@@ -1,6 +1,6 @@
 title: Remote XSL Execution Via Msxsl.EXE
 id: 75d0a94e-6252-448d-a7be-d953dff527bb
-status: experimental
+status: test
 description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
diff --git a/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
index 82c08071f3e..188d26f48c3 100644
--- a/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml
@@ -1,6 +1,6 @@
 title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
 id: 551d9c1f-816c-445b-a7a6-7a3864720d60
-status: experimental
+status: test
 description: |
 Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
index 05c1df9440d..cfb9e17a43c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -1,6 +1,6 @@
 title: PowerShell Execution With Potential Decryption Capabilities
 id: 434c08ba-8406-4d15-8b24-782cb071a691
-status: experimental
+status: test
 description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
 references:
 - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
index bd5dbaf9f16..fe467408fd6 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
@@ -3,7 +3,7 @@ id: 81325ce1-be01-4250-944f-b4789644556f
 related:
 - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
 type: derived
-status: experimental
+status: test
 description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
 references:
 - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
index ae5d70dd089..d63ab228f5f 100644
--- a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: fa4b21c9-0057-4493-b289-2556416ae4d7
 type: obsolete
-status: experimental
+status: test
 description: |
 Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
index 69ea3ea2327..1845ad5963f 100644
--- a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
@@ -5,7 +5,7 @@ related: type: similar - id: fa4b21c9-0057-4493-b289-2556416ae4d7 type: obsolete -status: experimental +status: test description: | Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) references: diff --git a/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml index 370e3dcc0d3..2ed7cc5982d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml @@ -3,7 +3,7 @@ id: 378a05d8-963c-46c9-bcce-13c7657eac99 related: - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 type: similar -status: experimental +status: test description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. references: - https://positive.security/blog/ms-officecmd-rce diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml index 271d8a99563..be1bdb4a2ee 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml @@ -3,7 +3,7 @@ id: 178e615d-e666-498b-9630-9ed363038101 related: - id: 61065c72-5d7d-44ef-bf41-6a36684b545f type: similar -status: experimental +status: test description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location. references: - https://github.com/Wh04m1001/SysmonEoP 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml index a1f8d6ba804..ae174c1da9b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml @@ -3,7 +3,7 @@ id: 180c7c5c-d64b-4a63-86e9-68910451bc8b related: - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a type: derived -status: experimental +status: test description: | Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\" diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml index 647af0885be..f336a1a4ec1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml @@ -1,6 +1,6 @@ title: Execution of Suspicious File Type Extension id: c09dad97-1c78-4f71-b127-7edb2b8e491a -status: experimental +status: test description: | Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment. diff --git a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml index daa294ce3b4..3d7584b1ca8 100644 
--- a/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
@@ -3,7 +3,7 @@ id: 79ce34ca-af29-4d0e-b832-fc1b377020db
 related:
 - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
 type: obsolete
-status: experimental
+status: test
 description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_output.yml b/rules/windows/process_creation/proc_creation_win_whoami_output.yml
index 78d2919bc53..69676bd096e 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_output.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_output.yml
@@ -1,6 +1,6 @@
 title: Whoami.EXE Execution With Output Option
 id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
-status: experimental
+status: test
 description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
 references:
 - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
index 37e64e0f036..a0ba550d753 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
@@ -1,6 +1,6 @@ title: Whoami.EXE Execution Anomaly id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0 -status: experimental +status: test description: Detects the execution of whoami.exe with suspicious parent processes. references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml index ce4f11509fb..08602fc0c07 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml @@ -5,7 +5,7 @@ related: type: similar - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 type: similar -status: experimental +status: test description: Detects usage of winget to add new potentially suspicious download sources references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source diff --git a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml index c5c9b1e8a06..451e5d8c84a 100644 --- a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml +++ b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml @@ -1,6 +1,6 @@ title: Potential Process Hollowing Activity id: c4b890e5-8d8c-4496-8c66-c805753817cd -status: experimental +status: test description: Detects when a memory process image does not match the disk image, indicative of process hollowing. references: - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml index f8d68d58bbf..ef6a7d6d862 100644 
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml @@ -1,6 +1,6 @@ title: Disable Internal Tools or Feature in Registry id: e2482f8d-3443-4237-b906-cc145d87a076 -status: experimental +status: test description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md diff --git a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml index 8ef3bc865f8..342c1538fff 100644 --- a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml +++ b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml @@ -3,7 +3,7 @@ id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1 related: - id: 9d8f9bb8-01af-4e15-a3a2-349071530530 type: derived -status: experimental +status: test description: | Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. diff --git a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml index cdfa2e9b7b8..7cd1bb1d9f4 100644 --- a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml +++ b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml 
@@ -3,7 +3,7 @@ id: 9d8f9bb8-01af-4e15-a3a2-349071530530 related: - id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1 type: derived -status: experimental +status: test description: | Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. diff --git a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml index e19b5f7b8d3..44e763fd74f 100644 --- a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml +++ b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml @@ -5,7 +5,7 @@ related: type: similar - id: c90362e0-2df3-4e61-94fe-b37615814cb1 type: similar -status: experimental +status: test description: | Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper references: diff --git a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml index 58adbbad219..e5713848a59 100644 --- a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: e7b18879-676e-4a0e-ae18-27039185a8e7 type: similar -status: experimental +status: test description: | Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper references: diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml index 18d5a0facdb..f6322754434 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml @@ -1,6 +1,6 @@ title: Suspicious Shim Database Patching Activity id: bf344fea-d947-4ef4-9192-34d008315d3a -status: experimental +status: test description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/ From 1f1f31e99c3c1dd2ac21f471ca7ec67a923c3e87 Mon Sep 17 00:00:00 2001 From: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com> Date: Tue, 1 Oct 2024 16:22:42 +0300 Subject: [PATCH 066/144] Merge PR #5026 from @X-Junior - Update `COM Object Hijacking Via Modification Of Default System CLSID Default Value` update : COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add new suspicious locations and builtin CLSID --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ..._set_persistence_com_hijacking_builtin.yml | 28 +++++++++++++++---- 1 file changed, 23 insertions(+), 5 deletions(-) 
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml index 1d115015d07..0e8c8291a1a 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml @@ -9,8 +9,10 @@ status: experimental description: Detects potential COM object hijacking via modification of default system CLSID. references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) + - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ author: Nasreddine Bencherchali (Nextron Systems) date: 2024-07-16 +modified: 2024-10-01 tags: - attack.persistence - attack.t1546.015 @@ -18,12 +20,12 @@ logsource: category: registry_set product: windows detection: - selection_target: + selection_target_root: TargetObject|contains: '\CLSID\' TargetObject|endswith: - '\InprocServer32\(Default)' - '\LocalServer32\(Default)' - selection_builtin_clsid: + selection_target_builtin_clsid: TargetObject|contains: # Note: Add other legitimate CLSID - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\' 
@@ -31,20 +33,36 @@ detection: - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\' - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\' - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\' - selection_locations: + - '\{2155fee3-2419-4373-b102-6843707eb41f}\' + selection_susp_location_1: Details|contains: # Note: Add more suspicious paths and locations - - '\AppData\Local\Temp\' + - ':\Perflogs\' + - '\AppData\Local\' - '\Desktop\' - '\Downloads\' - '\Microsoft\Windows\Start Menu\Programs\Startup\' - '\System32\spool\drivers\color\' # as seen in the knotweed blog + - '\Temporary Internet' - '\Users\Public\' - '\Windows\Temp\' - '%appdata%' - '%temp%' - '%tmp%' - condition: all of selection_* + selection_susp_location_2: + - Details|contains|all: + - ':\Users\' + - '\Favorites\' + - Details|contains|all: + - ':\Users\' + - '\Favourites\' + - Details|contains|all: + - ':\Users\' + - '\Contacts\' + - Details|contains|all: + - ':\Users\' + - '\Pictures\' + condition: all of selection_target_* and 1 of selection_susp_location_* falsepositives: - Unlikely level: high From 8a3f07430f4922e20acedc2b43bbdcfeac494526 Mon Sep 17 00:00:00 2001 From: MalGamy12 Date: Sun, 6 Oct 2024 23:34:21 +0300 Subject: [PATCH 067/144] Merge PR #5033 from @MalGamy12 - Update `Process Terminated Via Taskkill` update: Process Terminated Via Taskkill - Add `/pid` flag and windash support --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_taskkill_execution.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml index 3d743b7bed5..5fa64441f57 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml 
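Review bot: `'\AppData\Local\'` in selection_susp_location_1 replaces the former `'\AppData\Local\Temp\'` and therefore also matches per-user program installs that legitimately live under AppData\Local, while the `falsepositives: - Unlikely` entry in the same hunk is left unchanged. The exposure is bounded because the match is still gated by the CLSID list in selection_target_builtin_clsid, but the widening deserves a comment next to the entry, e.g. `- '\AppData\Local\'  # Widened from \Temp\ to cover per-user install paths seen in the SnipBot/RomCom reference`. `'\Temporary Internet'` is the only entry without a trailing backslash; if that is deliberate (to cover the "Temporary Internet Files" folder), a short comment saying so would keep a later cleanup from "fixing" it.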
@@ -6,9 +6,10 @@ description: | Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process -author: frack113 + - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ +author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali date: 2021-12-26 -modified: 2023-11-06 +modified: 2024-10-06 tags: - attack.impact - attack.t1489 @@ -20,10 +21,13 @@ detection: selection_img: - Image|endswith: '\taskkill.exe' - OriginalFileName: 'taskkill.exe' - selection_cli: - CommandLine|contains|all: - - ' /f' + selection_cli_force: + - CommandLine|contains|windash: ' /f ' + - CommandLine|endswith|windash: ' /f' + selection_cli_filter_process: + CommandLine|contains|windash: - ' /im ' + - ' /pid ' filter_main_installers: ParentImage|contains: - '\AppData\Local\Temp\' From c70fff4b8be163d3af92dcbdf254582892eaa96a Mon Sep 17 00:00:00 2001 
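Review bot: The condition that binds selection_cli_force and selection_cli_filter_process to selection_img lies below the hunk, so it is not visible whether the old `selection_cli` name was updated; if the condition still spells out `selection_cli` the rule will fail validation, and if it uses `all of selection_*` the intent holds, so please confirm. The split into a force selection and a process-filter selection is sound, since `taskkill /f` without `/im` or `/pid` is a no-op, and the pairing of `CommandLine|contains|windash: ' /f '` with `CommandLine|endswith|windash: ' /f'` correctly covers the flag both mid-line and at the end of the command line.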
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 6 Oct 2024 22:44:05 +0200 Subject: [PATCH 068/144] Merge PR #4935 from @frack113 - Add new IIS logsource and related rules chore: add "Microsoft-IIS-Configuration/Operational" support to the tests and thor.yml new: ETW Logging/Processing Option Disabled On IIS Server new: HTTP Logging Disabled On IIS Server new: New Module Module Added To IIS Server new: Previously Installed IIS Module Was Removed --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../win_iis_logging_etw_disabled.yml | 28 ++++++++++++ .../win_iis_logging_http_disabled.yml | 26 +++++++++++ .../win_iis_module_added.yml | 44 +++++++++++++++++++ .../win_iis_module_removed.yml | 28 ++++++++++++ tests/logsource.json | 3 +- tests/thor.yml | 5 +++ 6 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml create mode 100644 rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml create mode 100644 rules/windows/builtin/iis-configuration/win_iis_module_added.yml create mode 100644 rules/windows/builtin/iis-configuration/win_iis_module_removed.yml diff --git a/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml b/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml new file mode 100644 index 00000000000..a364ff6b447 --- /dev/null +++ b/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml 
@@ -0,0 +1,28 @@ +title: ETW Logging/Processing Option Disabled On IIS Server +id: a5b40a90-baf5-4bf7-a6f7-373494881d22 +status: experimental +description: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option. +references: + - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis + - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ + - https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ +author: frack113, Nasreddine Bencherchali +date: 2024-10-06 +tags: + - attack.defense-evasion + - attack.t1562.002 + - attack.t1505.004 +logsource: + product: windows + service: iis-configuration +detection: + selection: + EventID: 29 + Configuration|endswith: '@logTargetW3C' + OldValue|contains: 'ETW' + filter_main_etw_added: + NewValue|contains: 'ETW' + condition: selection and not 1 of filter_main_* +falsepositives: + - Legitimate administrator activity +level: medium diff --git a/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml b/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml new file mode 100644 index 00000000000..ecaa5648aaa --- /dev/null +++ b/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml 
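Review bot: The description reads `Detects changes to of the IIS server configuration …`; drop the stray word: `description: Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option.` The same phrase appears in win_iis_logging_http_disabled.yml in the next hunk. The detection logic itself is subtle enough to merit a comment: `OldValue|contains: 'ETW'` together with `filter_main_etw_added` on NewValue means the rule fires only when ETW is present in the old value and absent from the new one, e.g. `# Fire only when ETW drops out of logTargetW3C (File,ETW -> File); re-adding ETW is filtered out`.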
@@ -0,0 +1,26 @@ +title: HTTP Logging Disabled On IIS Server +id: e8ebd53a-30c2-45bd-81bb-74befba07bdb +status: experimental +description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests. +references: + - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis + - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ + - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging +author: frack113 +date: 2024-10-06 +tags: + - attack.defense-evasion + - attack.t1562.002 + - attack.t1505.004 +logsource: + product: windows + service: iis-configuration +detection: + selection: + EventID: 29 + Configuration: '/system.webServer/httpLogging/@dontLog' + NewValue: 'true' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/iis-configuration/win_iis_module_added.yml b/rules/windows/builtin/iis-configuration/win_iis_module_added.yml new file mode 100644 index 00000000000..408ae185001 --- /dev/null +++ b/rules/windows/builtin/iis-configuration/win_iis_module_added.yml 
@@ -0,0 +1,44 @@ +title: New Module Module Added To IIS Server +id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7 +status: experimental +description: Detects the addition of a new module to an IIS server. +references: + - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis + - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ + - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ + - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview +author: frack113 +date: 2024-10-06 +tags: + - attack.defense-evasion + - attack.persistence + - attack.t1562.002 + - attack.t1505.004 +logsource: + product: windows + service: iis-configuration +detection: + selection: + EventID: 29 + Configuration|contains: '/system.webServer/modules/add' + filter_main_builtin: + NewValue: + - 'AnonymousAuthenticationModule' + - 'CustomErrorModule' + - 'DefaultDocumentModule' + - 'DirectoryListingModule' + - 'FileCacheModule' + - 'HttpCacheModule' + - 'HttpLoggingModule' + - 'ProtocolSupportModule' + - 'RequestFilteringModule' + - 'StaticCompressionModule' + - 'StaticFileModule' + - 'TokenCacheModule' + - 'UriCacheModule' + filter_main_remove: + NewValue: '' + condition: selection and not 1 of filter_main_* +falsepositives: + - Legitimate administrator activity +level: medium diff --git a/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml b/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml new file mode 100644 index 00000000000..43315e4fa52 --- /dev/null +++ b/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml 
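Review bot: The title `New Module Module Added To IIS Server` duplicates the word Module; `title: New Module Added To IIS Server` (the commit message repeats the typo, so rule and message are consistent but both wrong). Separately, `filter_main_builtin` is an exact-match allowlist of module names, so any name that differs from the listed built-ins, even by a suffix or padding, is reported, which is the desired direction for a detection rule; a one-line comment such as `# Exact-match allowlist of built-in modules: any other NewValue is reported` would make that intent explicit for later maintainers who might be tempted to switch it to a contains match.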
@@ -0,0 +1,28 @@ +title: Previously Installed IIS Module Was Removed +id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f +status: experimental +description: Detects the removal of a previously installed IIS module. +references: + - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis + - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ + - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ + - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview +author: Nasreddine Bencherchali +date: 2024-10-06 +tags: + - attack.defense-evasion + - attack.persistence + - attack.t1562.002 + - attack.t1505.004 +logsource: + product: windows + service: iis-configuration +detection: + selection: + EventID: 29 + Configuration|contains: '/system.webServer/modules/remove' + condition: selection +falsepositives: + - Legitimate administrator activity +# Note: Upgrade after an initial baseline +level: low diff --git a/tests/logsource.json b/tests/logsource.json index 55bfeefd9fd..05ef8e7dd3f 100644 --- a/tests/logsource.json +++ b/tests/logsource.json @@ -96,7 +96,8 @@ "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"], "appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"], "capi2":[], - "certificateservicesclient-lifecycle-system":[] + "certificateservicesclient-lifecycle-system":[], + "iis-configuration":[ "PhysicalPath","ConfigPath","EffectiveLocationPath","Configuration","TokenCacheModule","EditOperationType","OldValue","NewValue"] } }, "linux":{ diff --git a/tests/thor.yml b/tests/thor.yml index 4c4f97f1b22..6c98afc109a 100644 
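Review bot: In the tests/logsource.json hunk, the iis-configuration field list contains `"TokenCacheModule"`, which is a module name (it appears as a NewValue entry in win_iis_module_added.yml) rather than an event field, so it looks like a paste error and presumably should be removed or replaced with the intended field name. With the remaining entries the list would read `"iis-configuration":["PhysicalPath","ConfigPath","EffectiveLocationPath","Configuration","EditOperationType","OldValue","NewValue"]`. If this list is what the test suite validates rule field names against, the stray entry does not break the four new rules but would let a future rule that mistakenly uses `TokenCacheModule` as a field pass unnoticed. The space after the opening `[` also differs from the neighbouring entries in the file.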
--- a/tests/thor.yml +++ b/tests/thor.yml @@ -564,6 +564,11 @@ logsources: sources: - 'WinEventLog:Microsoft-ServiceBus-Client/Admin' - 'WinEventLog:Microsoft-ServiceBus-Client/Operational' + windows-iis-configuration: + product: windows + service: iis-configuration + sources: + - 'WinEventLog:Microsoft-IIS-Configuration/Operational' apache: category: webserver sources: From d1f1fc716fa0dba3db95778d5bb66b87e194eb96 Mon Sep 17 00:00:00 2001 From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Mon, 7 Oct 2024 02:36:09 +0545 Subject: [PATCH 069/144] Merge PR #5031 from @swachchhanda000 - Add `Potential Python DLL SideLoading` new: Potential Python DLL SideLoading --------- Co-authored-by: Swachchhanda Shrawan Poudel Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../image_load_side_load_python.yml | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 rules/windows/image_load/image_load_side_load_python.yml diff --git a/rules/windows/image_load/image_load_side_load_python.yml b/rules/windows/image_load/image_load_side_load_python.yml new file mode 100644 index 00000000000..76af3a227ac --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_python.yml 
@@ -0,0 +1,43 @@ +title: Potential Python DLL SideLoading +id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d +status: experimental +description: Detects potential DLL sideloading of Python DLL files. +references: + - https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/ + - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ + - https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python +author: Swachchhanda Shrawan Poudel +date: 2024-10-06 +tags: + - attack.defense-evasion + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: + - '\python39.dll' + - '\python310.dll' + - '\python311.dll' + - '\python312.dll' + filter_main_default_install_paths: + - ImageLoaded|startswith: + - 'C:\Program Files\Python3' + - 'C:\Program Files (x86)\Python3' + - ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3' + filter_optional_visual_studio: + ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\' + filter_optional_cpython: + ImageLoaded|contains: + - '\cpython\externals\' + - '\cpython\PCbuild\' + filter_main_legit_signature_details: + Product: 'Python' + Signed: 'true' + Description: 'Python' + Company: 'Python Software Foundation' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Legitimate software using Python DLLs +level: medium From 5b59c6d1153a36602c1aa1b4fa8080482613a1db Mon Sep 17 00:00:00 2001 
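Review bot: `filter_main_legit_signature_details` requires `Description: 'Python'` as an exact match; as far as I recall the python3x.dll binaries shipped by the Python Software Foundation carry the file description "Python Core", in which case this filter never matches and the rule alerts on every signed, legitimately installed copy outside the listed paths (portable installs, virtual environments, embedded distributions). Please verify against a sample DLL and, if confirmed, use `Description|contains: 'Python'` or the exact metadata string. A second, smaller point: `filter_main_default_install_paths` pins the Program Files prefixes to `C:\` while the AppData entry uses `ImageLoaded|contains`; drive-agnostic `ImageLoaded|contains: ':\Program Files\Python3'` and `':\Program Files (x86)\Python3'` entries would be consistent with the rest of the filter and with installs on a different system drive.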
From: Feathers <93973834+ionsor@users.noreply.github.com> Date: Sun, 6 Oct 2024 23:03:54 +0200 Subject: [PATCH 070/144] Merge PR #5012 from @ionsor - Update `Potentially Suspicious JWT Token Search Via CLI` update: Potentially Suspicious JWT Token Search Via CLI - added the `eyJhbGciOi` string, corresponding to `{"alg":` from the JWT token header. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...ml => proc_creation_win_susp_jwt_token_search.yml} | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) rename rules/windows/process_creation/{proc_creation_win_susp_office_token_search.yml => proc_creation_win_susp_jwt_token_search.yml} (56%) diff --git a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml b/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml similarity index 56% rename from rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml rename to rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml index 2cde32de6a0..30c23151682 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml 
@@ -1,11 +1,14 @@ -title: Suspicious Office Token Search Via CLI +title: Potentially Suspicious JWT Token Search Via CLI id: 6d3a3952-6530-44a3-8554-cf17c116c615 status: test -description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps. +description: | + Detects possible search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". + This string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps. references: - https://mrd0x.com/stealing-tokens-from-office-applications/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-10-25 +modified: 2024-10-06 tags: - attack.credential-access - attack.t1528 @@ -16,9 +19,13 @@ detection: selection: CommandLine|contains: - 'eyJ0eXAiOi' # {"typ": + - 'eyJhbGciOi' # {"alg": - ' eyJ0eX' - ' "eyJ0eX"' - " 'eyJ0eX'" + - ' eyJhbG' + - ' "eyJhbG"' + - " 'eyJhbG'" condition: selection falsepositives: - Unknown From a997d6282a08765c37395995b24ac46ea97110c4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 8 Oct 2024 21:57:25 +0200 Subject: [PATCH 071/144] Merge PR #5038 from @Neo23x0 - Update `LSASS Process Memory Dump Files` update: LSASS Process Memory Dump Files - add new dump pattern for RustiveDump and NativeDump, and exchanged "startswith" with "contains" modifier for better coverage --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ..._event_win_lsass_default_dump_file_names.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml index 53ac3955b2b..212f36f172a 100644 --- a/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml 
+++ b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml @@ -14,9 +14,11 @@ references: - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/ - https://github.com/helpsystems/nanodump - https://github.com/CCob/MirrorDump + - https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 + - https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 author: Florian Roth (Nextron Systems) date: 2021-11-15 -modified: 2023-09-05 +modified: 2024-10-08 tags: - attack.credential-access - attack.t1003.001 @@ -26,18 +28,19 @@ logsource: detection: selection_1: TargetFilename|endswith: - - '\lsass.dmp' - - '\lsass.zip' - - '\lsass.rar' - '\Andrew.dmp' - '\Coredump.dmp' + - '\lsass.dmp' + - '\lsass.rar' + - '\lsass.zip' - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump - '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade + - '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35 selection_2: TargetFilename|contains: - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp - - '\lsassdump' - '\lsassdmp' + - '\lsassdump' selection_3: TargetFilename|contains|all: - '\lsass' @@ -46,7 +49,9 @@ detection: TargetFilename|contains: 'SQLDmpr' TargetFilename|endswith: '.mdmp' selection_5: - TargetFilename|startswith: 'nanodump' + TargetFilename|contains: + - '\nanodump' + - '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 TargetFilename|endswith: '.dmp' condition: 1 of selection_* falsepositives: From f472015599a7b4873c6fbd6c6ef080d61c08afb6 Mon Sep 17 00:00:00 2001 
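Review bot: In the `@@ -46,7 +49,9 @@` hunk, `selection_5` now pairs `TargetFilename|contains: '\proc_'` with `TargetFilename|endswith: '.dmp'`, which matches any file whose path contains `\proc_` and ends in .dmp, not only the NativeDump naming, whereas the previous `nanodump` anchor was far more specific. The rule's falsepositives section lies below the hunk, so it is not visible whether this widening is acknowledged; either add a falsepositives entry for generic `proc_*.dmp` crash or diagnostic dumps, or narrow the token if NativeDump uses a longer fixed prefix. Minor consistency point: the inline comment for `\rustive.dmp` links `/blob/main/` while the reference list in the first hunk pins the same file to a commit; pin both so the cited line number stays valid.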
From: MalGamy12 Date: Tue, 8 Oct 2024 23:07:45 +0300 Subject: [PATCH 072/144] Merge PR #5037 from @MalGamy12 - Update `Disable Windows Defender Functionalities Via Registry Keys` update: Disable Windows Defender Functionalities Via Registry Keys - Remove `\Real-Time Protection\` prefix to increase coverage. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../registry_set_windows_defender_tamper.yml | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml index 4c1ac1db187..b8c1889489d 100644 --- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml @@ -15,9 +15,10 @@ references: - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html + - https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel date: 2022-08-01 -modified: 2024-07-03 +modified: 2024-10-07 tags: - attack.defense-evasion - attack.t1562.001 
@@ -34,19 +35,19 @@ detection: TargetObject|endswith: - '\DisableAntiSpyware' - '\DisableAntiVirus' - - '\Real-Time Protection\DisableBehaviorMonitoring' - - '\Real-Time Protection\DisableIntrusionPreventionSystem' - - '\Real-Time Protection\DisableIOAVProtection' - - '\Real-Time Protection\DisableOnAccessProtection' - - '\Real-Time Protection\DisableRealtimeMonitoring' - - '\Real-Time Protection\DisableScanOnRealtimeEnable' - - '\Real-Time Protection\DisableScriptScanning' - - '\Reporting\DisableEnhancedNotifications' - - '\SpyNet\DisableBlockAtFirstSeen' + - '\DisableBehaviorMonitoring' + - '\DisableBlockAtFirstSeen' + - '\DisableEnhancedNotifications' + - '\DisableIntrusionPreventionSystem' + - '\DisableIOAVProtection' + - '\DisableOnAccessProtection' + - '\DisableRealtimeMonitoring' + - '\DisableScanOnRealtimeEnable' + - '\DisableScriptScanning' Details: 'DWORD (0x00000001)' selection_dword_0: TargetObject|endswith: - - '\App and Browser protection\DisallowExploitProtectionOverride' + - '\DisallowExploitProtectionOverride' - '\Features\TamperProtection' - '\MpEngine\MpEnablePus' - '\PUAProtection' From d270dc542c6b47fc883f553414712979c9749e4d Mon Sep 17 00:00:00 2001 From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com> Date: Tue, 8 Oct 2024 23:39:13 +0330 Subject: [PATCH 073/144] Merge PR #5039 from @CheraghiMilad - Update `Local System Accounts Discovery - Linux` update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail, "vim" --------- Co-authored-by: Milad Cheraghi Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../process_creation/proc_creation_lnx_local_account.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index 35b1422283e..40bccc49ac2 100644 
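Review bot: Dropping the `\Real-Time Protection\`, `\Reporting\`, `\SpyNet\` and `\App and Browser protection\` subkey prefixes leaves `TargetObject|endswith` matching the bare value names, so path anchoring now rests entirely on whichever selection precedes this hunk (not visible here, presumably a Windows Defender key match); please confirm that selection is still joined with these two by the condition, otherwise value names such as `\DisableEnhancedNotifications` would match in unrelated keys. A comment above the list recording why the prefixes were removed, e.g. `# Subkey prefixes intentionally omitted: the same value names are set under several Defender policy paths (see the securelist reference)`, would stop them from being reintroduced in a later cleanup.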
--- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md author: Alejandro Ortuno, oscd.community date: 2020-10-08 -modified: 2022-11-27 +modified: 2024-08-10 tags: - attack.discovery - attack.t1087.001 @@ -21,9 +21,13 @@ detection: selection_3: Image|endswith: - '/cat' + - '/ed' - '/head' - - '/tail' - '/more' + - '/nano' + - '/tail' + - '/vi' + - '/vim' CommandLine|contains: - '/etc/passwd' - '/etc/shadow' From b063a9d7551c772e549b5f3cfe43bd0125286984 Mon Sep 17 00:00:00 2001 From: dan21san <98960305+dan21san@users.noreply.github.com> Date: Tue, 8 Oct 2024 22:17:21 +0200 Subject: [PATCH 074/144] Merge PR #5036 from @dan21san - Update `Alternate PowerShell Hosts Pipe` update: Alternate PowerShell Hosts Pipe - Add optional filter for `AzureConnectedMachineAgent` and update old filters to be more accurate --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...created_powershell_alternate_host_pipe.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml index 72e24f9b52d..c865e6f1ef6 100644 --- a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml @@ -10,7 +10,7 @@ references: - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton date: 2019-09-12 -modified: 2023-10-18 +modified: 2024-10-07 tags: - attack.execution - attack.t1059.001 
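Review bot: `modified: 2024-08-10` in the first hunk predates the PR (the commit is dated 8 Oct 2024) and looks like a transposed `modified: 2024-10-08`; please correct it so the rule's change history stays accurate. In the second hunk the new entries are matched with `Image|endswith`, so `'/ed'` only matches an image that ends in `/ed` (not `sed`) and `'/vi'` only matches `/vi` (with `vim` covered by its own entry), which is the right shape for these short names.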
@@ -35,15 +35,20 @@ detection: - ':\Windows\System32\wsmprovhost.exe' - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe' - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' - filter_main_sqlserver: # Microsoft SQL Server\130\Tools\ - Image|contains|all: - - ':\Program Files' - - '\Microsoft SQL Server\' + filter_optional_sqlserver: # Microsoft SQL Server\130\Tools\ + Image|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + Image|contains: '\Microsoft SQL Server\' Image|endswith: '\Tools\Binn\SQLPS.exe' + filter_optional_azure_connected_machine_agent: + # Azure Connected Machine Agent (https://devblogs.microsoft.com/powershell/azure-policy-guest-configuration-client/) + Image|startswith: 'C:\Program Files\AzureConnectedMachineAgent\GCArcService' + Image|endswith: '\GC\gc_worker.exe' filter_optional_citrix: - Image|contains: ':\Program Files\Citrix\' + Image|startswith: 'C:\Program Files\Citrix\' filter_optional_exchange: - Image|contains: ':\Program Files\Microsoft\Exchange Server\' + Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\' filter_main_null: Image: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* From 86989a046430f11a81fd5739d58fbba1593cc2b1 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Wed, 9 Oct 2024 03:37:23 +0700 Subject: [PATCH 075/144] Merge PR #5008 from @BlackB0lt - Update `HackTool - Certipy Execution` update: HackTool - Certipy Execution - Increase coverage by adding new flags such as 'cert', 'template' and 'ptt' --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_hktl_certipy.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml index de7bd5c6c80..6b217749bc3 100644 
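Review bot: The Citrix, Exchange and SQL Server filters now hard-code the drive letter (`Image|startswith: 'C:\Program Files\Citrix\'`), whereas the replaced `Image|contains: ':\Program Files\...'` form was drive-agnostic; on hosts where the product is installed on another volume the exclusion silently stops applying and the rule fires on the legitimate host. If the goal was to stop matching the string mid-path, consider keeping the `contains` form with the `:\` anchor, or document the `C:` assumption in a comment above each filter so tuners know to adjust it. The new `filter_optional_azure_connected_machine_agent` entry has the same limitation. The `selection` these filters are subtracted from starts outside the hunk.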
--- a/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml @@ -1,11 +1,14 @@ title: HackTool - Certipy Execution id: 6938366d-8954-4ddc-baff-c830b3ba8fcd status: test -description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. +description: | + Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. references: - https://github.com/ly4k/Certipy -author: pH-T (Nextron Systems) + - https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 +author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak date: 2023-04-17 +modified: 2024-10-08 tags: - attack.discovery - attack.credential-access @@ -20,12 +23,17 @@ detection: - Description|contains: 'Certipy' selection_cli_commands: CommandLine|contains: + - ' account ' - ' auth ' + # - ' ca ' # Too short to be used with just one CLI + - ' cert ' - ' find ' - ' forge ' + - ' ptt ' - ' relay ' - ' req ' - ' shadow ' + - ' template ' selection_cli_flags: CommandLine|contains: - ' -bloodhound' @@ -35,6 +43,7 @@ detection: - ' -old-bloodhound' - ' -pfx ' - ' -target' + - ' -template' - ' -username ' - ' -vulnerable' - 'auth -pfx' From 7ddc55160596e5b7ee46bd21e7362a7f0bdbc56f Mon Sep 17 00:00:00 2001 From: Arnim Rupp <46819580+ruppde@users.noreply.github.com> Date: Tue, 8 Oct 2024 23:04:44 +0200 Subject: [PATCH 076/144] Merge PR #5040 from @ruppde - Update `Antivirus Password Dumper Detection` update: Antivirus Password Dumper Detection - Add `DCSync` string to cover MS Defender traffic detections --- rules/category/antivirus/av_password_dumper.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
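Review bot: The newly added command tokens `' account '`, `' cert '`, `' ptt '` and `' template '` are ordinary words in command lines, so their safety depends on the `condition` (outside the hunk) requiring `selection_cli_flags` together with `selection_cli_commands`; if the commands selection can ever match on its own, these four are likely to generate false positives. The `# - ' ca '` comment shows the same concern was weighed, so a short comment on `selection_cli_commands` such as `# Note: only meaningful in combination with selection_cli_flags` would protect future edits. The `description: |` block scalar now holds a single line, so the plain-scalar form would be equivalent and shorter.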
diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml index 3e8454bdc0f..0cfb9a8a2d1 100644 --- a/rules/category/antivirus/av_password_dumper.yml +++ b/rules/category/antivirus/av_password_dumper.yml @@ -8,7 +8,7 @@ references: - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448 author: Florian Roth (Nextron Systems) date: 2018-09-09 -modified: 2024-07-17 +modified: 2024-10-08 tags: - attack.credential-access - attack.t1003 @@ -21,6 +21,7 @@ detection: selection: - Signature|startswith: 'PWS' - Signature|contains: + - 'DCSync' - 'DumpCreds' - 'DumpLsass' - 'HTool/WCE' From f33530e7561d98bc6f898f5a9137c3b2a7159a1b Mon Sep 17 00:00:00 2001 From: Djordje Lukic <112394060+djlukic@users.noreply.github.com> Date: Tue, 8 Oct 2024 23:08:50 +0200 Subject: [PATCH 077/144] Merge PR #4994 from @djlukic - Multiple FP fixes update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the `HostApplication` field is null update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the `HostApplication` field is null --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../win_codeintegrity_attempted_dll_load.yml | 7 ++++++- .../powershell_classic/posh_pc_renamed_powershell.yml | 10 ++++++++-- .../posh_pc_wsman_com_provider_no_powershell.yml | 6 +++++- 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index 9e948ae6ae8..f9fac468880 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml 
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml @@ -11,7 +11,7 @@ references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022-01-20 -modified: 2024-08-29 +modified: 2024-10-08 tags: - attack.execution logsource: @@ -99,6 +99,11 @@ detection: FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll' filter_optional_comodo: FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll' + filter_optional_sentinel_one: + # Example: program files\sentinelone\sentinel agent 23.4.4.223\inprocessclient64.dll + - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent' + # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe + - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule. diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml index 2c4b03ef91b..329717393b6 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml 
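Review bot: The second branch of `filter_optional_sentinel_one` keys on `ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'` alone, so any file that fails the signing-level check is suppressed whenever the loading process is the agent, regardless of where that file lives; the neighbouring vendor filters (ESET, Comodo) only exclude the vendor's own file path via `FileNameBuffer`. The example comments suggest both the loader and the module sit under the same folder, so writing the two fields in one mapping (implicit AND) — `FileNameBuffer|contains` and `ProcessNameBuffer|contains` both on the vendor folder — keeps the exclusion to the agent's own modules. The `condition` is in the hunk, but the `selection` it references starts outside it.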
@@ -1,15 +1,17 @@
 title: Renamed Powershell Under Powershell Channel
 id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
 status: test
-description: Detects renamed powershell
+description: |
+ Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Harish Segar, frack113
 date: 2020-06-29
-modified: 2023-10-27
+modified: 2024-10-08
 tags:
 - attack.execution
 - attack.t1059.001
+ - attack.t1036.003
 logsource:
 product: windows
 category: ps_classic_start
@@ -25,6 +27,10 @@ detection:
 # In some cases powershell was invoked with inverted slashes
 - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
 - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+ filter_main_host_application_null:
+ # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
+ # If you're already mapping and extracting the field, then obviously use that directly.
+ Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion='
 condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
index 3ce5fb0c8eb..41f34de7858 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
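Review bot: The new `Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion='` assumes exactly one space between the HostId value and the next key; in the raw 400/403 message the `key=value` pairs are on separate lines, so depending on how the backend flattens the Data field for `ps_classic_start` the literal space may never match and the null-HostApplication filter would silently be a no-op. Worth confirming against a sample event and, if the separator varies, using `Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='`, plus one line in the existing note stating which separator the regex expects. The same regex is added on L2248 (posh_pc_wsman_com_provider_no_powershell.yml) and would need the same adjustment. The `selection` these filters apply to starts outside the hunk.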
@@ -8,7 +8,7 @@ references: - https://github.com/bohops/WSMan-WinRM author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-06-24 -modified: 2023-10-27 +modified: 2024-10-08 tags: - attack.execution - attack.t1059.001 @@ -28,6 +28,10 @@ detection: # In some cases powershell was invoked with inverted slashes - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell' - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell' + filter_main_host_application_null: + # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex. + # If you're already mapping and extracting the field, then obviously use that directly. + Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion=' condition: selection and not 1 of filter_main_* falsepositives: - Unknown From 7e4748ec0e8c6a62c2434f1bf89ba5fbf722dcf4 Mon Sep 17 00:00:00 2001 From: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:32:03 +0300 Subject: [PATCH 078/144] feat: update multiple rules (#5055) * Update multiple rules * updates --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ..._bits_client_new_transfer_via_file_sharing_domains.yml | 3 ++- ..._hash_file_sharing_domains_download_susp_extension.yml | 3 ++- ...sh_file_sharing_domains_download_unusual_extension.yml | 3 ++- .../net_connection_win_domain_dead_drop_resolvers.yml | 3 ++- ...nection_win_susp_file_sharing_domains_susp_folders.yml | 3 ++- ...eation_win_curl_download_susp_file_sharing_domains.yml | 3 ++- ..._win_powershell_download_susp_file_sharing_domains.yml | 3 ++- .../proc_creation_win_susp_service_tamper.yml | 6 ++++-- ...eation_win_wget_download_susp_file_sharing_domains.yml | 3 ++- .../registry_set_persistence_com_hijacking_builtin.yml | 8 +++++--- 10 files changed, 25 insertions(+), 13 deletions(-) 
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml index 05bfd3298a3..276119e8c22 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml @@ -9,7 +9,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Florian Roth (Nextron Systems) date: 2022-06-28 -modified: 2024-08-22 +modified: 2024-10-21 tags: - attack.defense-evasion - attack.persistence @@ -38,6 +38,7 @@ detection: - 'pastebin.com' - 'pastebin.pl' - 'pastetext.net' + - 'pixeldrain.com' - 'privatlab.com' - 'privatlab.net' - 'send.exploit.in' diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml index 951a45678d7..24be3bd217e 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml @@ -12,7 +12,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Florian Roth (Nextron Systems) date: 2022-08-24 -modified: 2024-08-22 +modified: 2024-10-21 tags: - attack.defense-evasion - attack.s0139 @@ -40,6 +40,7 @@ detection: - 'pastebin.com' - 'pastebin.pl' - 'pastetext.net' + - 'pixeldrain.com' - 'privatlab.com' - 'privatlab.net' - 'send.exploit.in' 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml index 0bee642bfc0..bb66b75d12b 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml @@ -11,7 +11,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Florian Roth (Nextron Systems) date: 2022-08-24 -modified: 2024-08-22 +modified: 2024-10-21 tags: - attack.defense-evasion - attack.s0139 @@ -39,6 +39,7 @@ detection: - 'pastebin.com' - 'pastebin.pl' - 'pastetext.net' + - 'pixeldrain.com' - 'privatlab.com' - 'privatlab.net' - 'send.exploit.in' diff --git a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml index 0b877691e88..6a749e66da6 100644 --- a/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml +++ b/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml @@ -16,7 +16,7 @@ references: - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al author: Sorina Ionescu, X__Junior (Nextron Systems) date: 2022-08-17 -modified: 2024-08-22 +modified: 2024-10-21 tags: - attack.command-and-control - attack.t1102 @@ -58,6 +58,7 @@ detection: - 'pastebin.com' - 'pastebin.pl' - 'pastetext.net' + - 'pixeldrain.com' - 'privatlab.com' - 'privatlab.net' - 'reddit.com' 
diff --git a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml index de62477fbd8..e177d0288f4 100644 --- a/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml +++ b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml @@ -13,7 +13,7 @@ references: - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2018-08-30 -modified: 2024-08-22 +modified: 2024-10-21 tags: - attack.command-and-control - attack.t1105 @@ -57,6 +57,7 @@ detection: - 'pastebin.com' - 'pastebin.pl' - 'pastetext.net' + - 'pixeldrain.com' - 'privatlab.com' - 'privatlab.net' - 'send.exploit.in' diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml index bc9e1660c40..3e5bae37a3e 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml @@ -7,7 +7,7 @@ references: - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv author: Nasreddine Bencherchali (Nextron Systems) date: 2023-05-05 -modified: 2024-08-22 +modified: 2024-10-21 tags: - attack.execution logsource: @@ -36,6 +36,7 @@ detection: - 'pastebin.com' - 'pastebin.pl' - 'pastetext.net' + - 'pixeldrain.com' - 'privatlab.com' - 'privatlab.net' - 'send.exploit.in' 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml index 6967bf3518f..21bba48efe9 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml @@ -9,7 +9,7 @@ references: - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 author: Nasreddine Bencherchali (Nextron Systems) date: 2024-02-23 -modified: 2024-08-22 +modified: 2024-10-21 tags: - attack.execution logsource: @@ -43,6 +43,7 @@ detection: - 'pastebin.com' - 'pastebin.pl' - 'pastetext.net' + - 'pixeldrain.com' - 'privatlab.com' - 'privatlab.net' - 'send.exploit.in' diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index 9a88356d8a8..d363c1c4fb9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml 
@@ -8,7 +8,8 @@ related: - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b type: obsolete status: test -description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts +description: | + Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts references: - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html @@ -17,7 +18,7 @@ references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior date: 2022-09-01 -modified: 2024-08-25 +modified: 2024-10-21 tags: - attack.defense-evasion - attack.t1489 @@ -275,6 +276,7 @@ detection: - 'WPFFontCache_v0400' - 'WRSVC' - 'wsbexchange' + - 'WSearch' - 'Zoolz 2 Service' condition: all of selection_* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml index 5b2fc21271d..3c1e4a4263f 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml 
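Review bot: `WSearch` (Windows Search) is routinely stopped or disabled by administrators, imaging and performance-tuning scripts (`net stop WSearch` is a common example), so adding it to this list will likely raise the rule's false-positive rate noticeably; the surrounding entries are mostly security, backup and database services whose stop is rarely benign. If it stays, a comment above the entry naming the expected benign source, and a matching line in `falsepositives` (which starts at the end of the hunk), would help tuning. The enclosing `selection_*` list starts outside the hunk.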
@@ -8,7 +8,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-05-05 -modified: 2024-08-22 +modified: 2024-10-21 tags: - attack.execution logsource: @@ -37,6 +37,7 @@ detection: - 'pastebin.com' - 'pastebin.pl' - 'pastetext.net' + - 'pixeldrain.com' - 'privatlab.com' - 'privatlab.net' - 'send.exploit.in' diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml index 0e8c8291a1a..a30291b3400 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml @@ -10,9 +10,10 @@ description: Detects potential COM object hijacking via modification of default references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ + - https://blog.talosintelligence.com/uat-5647-romcom/ author: Nasreddine Bencherchali (Nextron Systems) date: 2024-07-16 -modified: 2024-10-01 +modified: 2024-10-18 tags: - attack.persistence - attack.t1546.015 
@@ -28,12 +29,13 @@ detection: selection_target_builtin_clsid: TargetObject|contains: # Note: Add other legitimate CLSID - - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\' - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\' + - '\{2155fee3-2419-4373-b102-6843707eb41f}\' - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\' - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\' + - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\' - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\' - - '\{2155fee3-2419-4373-b102-6843707eb41f}\' + - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\' selection_susp_location_1: Details|contains: # Note: Add more suspicious paths and locations From f4e563ae8f530e44e296a568570e3be56aba2816 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 28 Oct 2024 06:57:02 -0400 Subject: [PATCH 079/144] Merge PR #5062 from @defensivedepth - Update README.md chore: update README.md - Add a link to `Security Onion` sigma integration --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b40fda6b86a..84debf6d01e 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,7 @@ If you find a false positive or would like to propose a new detection rule idea * [Nextron's Aurora Agent](https://www.nextron-systems.com/aurora/) * [Nextron's THOR Scanner](https://www.nextron-systems.com/thor/) - Scan with Sigma rules on endpoints * [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html) +* [Security Onion](https://docs.securityonion.net/en/latest/sigma.html) * [Sekoia.io XDR](https://www.sekoia.io) - XDR supporting Sigma and Sigma Correlation rules languages * [sigma2stix](https://github.com/muchdogesec/sigma2stix) - Converts the entire SigmaHQ Ruleset into STIX 2.1 Objects. * A versioned archive of sigma2stix STIX 2.1 data is also available to [download here](https://github.com/muchdogesec/cti_knowledge_base_store/tree/main/sigma-rules). 
From ad8ab49d45571ae093f139ee1e5fe318e372cd72 Mon Sep 17 00:00:00 2001 From: Gameel Ali Date: Mon, 28 Oct 2024 14:25:02 +0300 Subject: [PATCH 080/144] Merge PR #5060 from @MalGamy12 - Update `Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE` Update: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE - Add additional paths for `:\Users\All Users\` and `:\Users\Default\` --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_schtasks_env_folder.yml | 33 ++++++++++--------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml index fe467408fd6..ca8cfb758e3 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml @@ -1,4 +1,4 @@ -title: Suspicious Schtasks From Env Var Folder +title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE id: 81325ce1-be01-4250-944f-b4789644556f related: - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline @@ -8,9 +8,10 @@ description: Detects Schtask creations that point to a suspicious folder or an e references: - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/ - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 + - https://blog.talosintelligence.com/gophish-powerrat-dcrat/ author: Florian Roth (Nextron Systems) date: 2022-02-21 -modified: 2023-11-30 +modified: 2024-10-28 tags: - attack.execution - attack.t1053.005 
@@ -18,38 +19,40 @@ logsource: product: windows category: process_creation detection: - selection1_create: + selection_1_create: Image|endswith: '\schtasks.exe' CommandLine|contains: ' /create ' - selection1_all_folders: + selection_1_all_folders: CommandLine|contains: - ':\Perflogs' + - ':\Users\All Users\' + - ':\Users\Default\' + - ':\Users\Public' - ':\Windows\Temp' - '\AppData\Local\' - '\AppData\Roaming\' - - '\Users\Public' - '%AppData%' - '%Public%' - selection2_parent: + selection_2_parent: ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule' - selection2_some_folders: + selection_2_some_folders: CommandLine|contains: - ':\Perflogs' - ':\Windows\Temp' - '\Users\Public' - '%Public%' - filter_mixed: - - CommandLine|contains: - - 'update_task.xml' - - '/Create /TN TVInstallRestore /TR' + filter_optional_other: - ParentCommandLine|contains: 'unattended.ini' - filter_avira_install: + - CommandLine|contains: 'update_task.xml' + filter_optional_team_viewer: + CommandLine|contains: '/Create /TN TVInstallRestore /TR' + filter_optional_avira_install: # Comment out this filter if you dont use AVIRA CommandLine|contains|all: - '/Create /Xml "C:\Users\' - '\AppData\Local\Temp\.CR.' - 'Avira_Security_Installation.xml' - filter_avira_other: + filter_optional_avira_other: # Comment out this filter if you dont use AVIRA CommandLine|contains|all: - '/Create /F /TN' 
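Review bot: `filter_optional_other` excludes on bare file names (`ParentCommandLine|contains: 'unattended.ini'`, `CommandLine|contains: 'update_task.xml'`) with no path or vendor anchor, so the exclusion applies to any task creation that merely references such a name; the other filters in the hunk (Avira, K-Lite) anchor on several strings with `contains|all`. Anchoring these two on the installer's path or pairing each with a second string, plus a comment stating which product they cover (the Avira filters already do this), keeps the exclusion as narrow as the new `filter_optional_` prefix implies. The `condition` that consumes these filters is in the following hunk.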
@@ -61,12 +64,12 @@ detection: - '.tmp\WatchdogServiceControlManagerTimeout.xml' - '.tmp\SystrayAutostart.xml' - '.tmp\MaintenanceTask.xml' - filter_klite_codec: + filter_optional_klite_codec: CommandLine|contains|all: - '\AppData\Local\Temp\' - '/Create /TN "klcp_update" /XML ' - '\klcp_update_task.xml' - condition: ( all of selection1* or all of selection2* ) and not 1 of filter* + condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_* falsepositives: - Benign scheduled tasks creations or executions that happen often during software installations - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders From 44176f0c17a1ee146d4716abd2780b850d3da693 Mon Sep 17 00:00:00 2001 From: Koifman Date: Mon, 28 Oct 2024 13:28:35 +0200 Subject: [PATCH 081/144] Merge PR #5057 from @Koifman - Add `Access To Browser Credential Files By Uncommon Applications - Security` new: Access To Browser Credential Files By Uncommon Applications - Security --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- ...ecurity_file_access_browser_credential.yml | 56 +++++++++++++++++++ .../file_access_win_browsers_credential.yml | 3 + 2 files changed, 59 insertions(+) create mode 100644 rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml diff --git a/rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml b/rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml new file mode 100644 index 00000000000..36499371b56 --- /dev/null +++ b/rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml 
@@ -0,0 +1,56 @@
+title: Access To Browser Credential Files By Uncommon Applications - Security
+id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
+related:
+ - id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
+ type: similar
+status: experimental
+description: |
+ Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
+references:
+ - https://ipurple.team/2024/09/10/browser-stored-credentials/
+author: Daniel Koifman (@Koifsec), Nasreddine Bencherchali
+date: 2024-10-21
+tags:
+ - attack.credential-access
+ - attack.t1555.003
+ - detection.threat-hunting
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit File System subcategory must be enabled. Additionally, each listed ObjectName must have "List folder/read data" auditing enabled.'
+detection:
+ selection_eid:
+ EventID: 4663
+ ObjectType: 'File'
+ # Note: This AccessMask requires enhancements. As this access can be combined with other requests. It should include all possible outcomes where READ access and similar are part of it.
+ AccessMask: '0x1'
+ selection_browser_chromium:
+ ObjectName|contains:
+ - '\User Data\Default\Login Data'
+ - '\User Data\Local State'
+ - '\User Data\Default\Network\Cookies'
+ selection_browser_firefox:
+ FileName|endswith:
+ - '\cookies.sqlite'
+ - '\places.sqlite'
+ - 'release\key3.db' # Firefox
+ - 'release\key4.db' # Firefox
+ - 'release\logins.json' # Firefox
+ filter_main_system:
+ ProcessName: System
+ filter_main_generic:
+ # This filter is added to avoid large amount of FP with 3rd party software. 
You should remove this in favour of specific filter per-application + ProcessName|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\Windows\system32\' + - 'C:\Windows\SysWOW64\' + filter_optional_defender: + ProcessName|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' + ProcessName|endswith: + - '\MpCopyAccelerator.exe' + - '\MsMpEng.exe' + condition: selection_eid and 1 of selection_browser_* and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Unknown +level: low diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml index 8172b8be016..55e297ba6df 100644 --- a/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml +++ b/rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml @@ -1,5 +1,8 @@ title: Access To Browser Credential Files By Uncommon Applications id: 91cb43db-302a-47e3-b3c8-7ede481e27bf +related: + - id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65 + type: similar status: experimental description: | Detects file access requests to browser credential stores by uncommon processes. From 05a496388bbee39903690e3d178808179ac34c9d Mon Sep 17 00:00:00 2001 
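Review bot: `selection_browser_firefox` matches on `FileName|endswith`, but Security event 4663 carries the accessed path in `ObjectName` — the field the Chromium selection and the `definition` text already use — so unless the backend maps an alias this selection never matches and Firefox coverage is silently lost; `ObjectName|endswith:` is the field to use. The Chromium list is also limited to the `Default` profile (`'\User Data\Default\Login Data'`); other profiles are stored in sibling folders, so an `endswith` on `'\Login Data'` and `'\Network\Cookies'` would widen coverage without loosening the match. The `filter_main_generic` comment could also state that the exclusion covers every process under those four roots, including writable vendor subfolders, so tuners understand what the per-application filters it recommends should replace.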
From: dan21san <98960305+dan21san@users.noreply.github.com> Date: Fri, 1 Nov 2024 10:20:29 +0100 Subject: [PATCH 082/144] Merge PR #5052 from @dan21san - Update `Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet` update: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Add the "-Attachments" flag to the logic in order to reduce false positives. --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../posh_ps_send_mailmessage.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) rename {rules => rules-threat-hunting}/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml (60%) diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml similarity index 60% rename from rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml rename to rules-threat-hunting/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml index 0d9e4e175ab..b8775d1072f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml +++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml 
@@ -1,28 +1,28 @@
-title: Powershell Exfiltration Over SMTP
+title: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
 id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
 status: test
 description: |
- Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
- The data may also be sent to an alternate network location from the main command and control server.
+ Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email.
+ Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
 - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
 date: 2022-09-26
+modified: 2024-11-01
 tags:
 - attack.exfiltration
 - attack.t1048.003
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
- ScriptBlockText|contains: 'Send-MailMessage'
- filter:
- ScriptBlockText|contains: 'CmdletsToExport'
- condition: selection and not filter
+ ScriptBlockText|contains: 'Send-MailMessage*-Attachments'
+ condition: selection
 falsepositives:
- - Legitimate script
+ - Unknown
 level: medium
From f533350560c3f5d3e559bd1938f65f29e6ce16d2 Mon Sep 17 00:00:00 2001
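Review bot: The new selection `ScriptBlockText|contains: 'Send-MailMessage*-Attachments'` only fires when the cmdlet name and the fully spelled `-Attachments` parameter appear in that order inside one script block, so invocations that pass attachments through a splatted hashtable or an abbreviated parameter name fall outside the rule; the coverage has narrowed beyond the "reduce false positives" stated in the commit message. Since the rule is now tagged `detection.threat-hunting`, that trade-off is defensible, but it should be stated so a hunter does not read a miss as absence — consider adding to `description` a line such as `Only direct invocations that spell out the "-Attachments" parameter are covered; splatted or abbreviated parameter forms are out of scope.` Dropping the old `CmdletsToExport` filter also removes the explicit exclusion for module-manifest contents; if the `-Attachments` requirement is meant to make that filter unnecessary, a short entry under `falsepositives` naming that case would document the intent better than `Unknown`.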
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 1 Nov 2024 10:21:04 +0100 Subject: [PATCH 083/144] Merge PR #5065 from @nasbench - Promote older rules status from `experimental` to `test` chore: promote older rules status from `experimental` to `test` Co-authored-by: nasbench --- ...creation_win_malware_pikabot_combined_commands_execution.yml | 2 +- .../image_load_apt_cozy_bear_graphical_proton_dlls.yml | 2 +- .../win_security_apt_cozy_bear_scheduled_tasks_name.yml | 2 +- ..._taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml | 2 +- .../builtin/security/win_security_exploit_cve_2020_1472.yml | 2 +- .../file_access_win_susp_gpo_access_uncommon_process.yml | 2 +- .../windows/image_load/image_load_dll_amsi_uncommon_process.yml | 2 +- .../process_creation/proc_creation_macos_csrutil_disable.yml | 2 +- .../process_creation/proc_creation_macos_csrutil_status.yml | 2 +- .../process_creation/proc_creation_macos_ioreg_discovery.yml | 2 +- .../process_creation/proc_creation_macos_swvers_discovery.yml | 2 +- .../proc_creation_macos_system_profiler_discovery.yml | 2 +- .../proc_creation_macos_tail_base64_decode_from_image.yml | 2 +- rules/windows/builtin/security/win_security_hktl_nofilter.yml | 2 +- .../builtin/security/win_security_susp_lsass_dump_generic.yml | 2 +- .../create_stream_hash_hktl_generic_download.yml | 2 +- .../dns_query/dns_query_win_cloudflared_communication.yml | 2 +- .../file_event/file_event_win_office_uncommon_file_startup.yml | 2 +- ...t_win_ps_script_policy_test_creation_by_uncommon_process.yml | 2 +- .../file_event/file_event_win_susp_recycle_bin_fake_exec.yml | 2 +- .../net_connection_win_wordpad_uncommon_ports.yml | 2 +- rules/windows/pipe_created/pipe_created_hktl_efspotato.yml | 2 +- .../posh_pc_tamper_windows_defender_set_mp.yml | 2 +- .../posh_ps_tamper_windows_defender_set_mp.yml | 2 +- .../proc_access_win_susp_direct_ntopenprocess_call.yml | 2 +- 
 .../proc_creation_win_cloudflared_portable_execution.yml | 2 +-
 .../proc_creation_win_cloudflared_quicktunnel_execution.yml | 2 +-
 .../proc_creation_win_cloudflared_tunnel_cleanup.yml | 2 +-
 .../proc_creation_win_cloudflared_tunnel_run.yml | 2 +-
 .../proc_creation_win_conhost_susp_child_process.yml | 2 +-
 .../proc_creation_win_dotnet_trace_lolbin_execution.yml | 2 +-
 .../proc_creation_win_forfiles_child_process_masquerading.yml | 2 +-
 .../process_creation/proc_creation_win_hktl_edrsilencer.yml | 2 +-
 .../proc_creation_win_netsh_fw_rules_discovery.yml | 2 +-
 .../process_creation/proc_creation_win_pua_process_hacker.yml | 2 +-
 .../proc_creation_win_rar_susp_greedy_compression.yml | 2 +-
 .../proc_creation_win_reg_desktop_background_change.yml | 2 +-
 .../process_creation/proc_creation_win_renamed_cloudflared.yml | 2 +-
 .../proc_creation_win_susp_recycle_bin_fake_execution.yml | 2 +-
 .../process_creation/proc_creation_win_tar_compression.yml | 2 +-
 .../process_creation/proc_creation_win_tar_extraction.yml | 2 +-
 ...c_creation_win_teams_suspicious_command_line_cred_access.yml | 2 +-
 .../proc_creation_win_wmic_recon_system_info_uncommon.yml | 2 +-
 .../proc_creation_win_wscript_cscript_susp_child_processes.yml | 2 +-
 .../registry_set/registry_set_desktop_background_change.yml | 2 +-
 ...stry_set_persistence_app_cpmpat_layer_registerapprestart.yml | 2 +-
 .../registry_set/registry_set_powershell_execution_policy.yml | 2 +-
 .../registry/registry_set/registry_set_system_lsa_nolmhash.yml | 2 +-
 48 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
index b20001764f2..86c1d3920cb 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml @@ -1,6 +1,6 @@ title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE id: e5144106-8198-4f6e-bfc2-0a551cc8dd94 -status: experimental +status: test description: | Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files. diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml index 228682aaf7c..21978d88f95 100644 --- a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml +++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml @@ -1,6 +1,6 @@ title: DLL Names Used By SVR For GraphicalProton Backdoor id: e64c8ef3-9f98-40c8-b71e-96110991cb4c -status: experimental +status: test description: Hunts known SVR-specific DLL names. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml index e7fcf0f10d3..22f4d348d38 100644 --- a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml +++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml 
@@ -3,7 +3,7 @@ id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
 related:
 - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
 type: similar
-status: experimental
+status: test
 description: Hunts for known SVR-specific scheduled task names
 author: CISA
 references:
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
index 19c8867bc35..66348c5e123 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
@@ -3,7 +3,7 @@ id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
 related:
 - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
 type: similar
-status: experimental
+status: test
 description: Hunts for known SVR-specific scheduled task names
 author: CISA
 references:
diff --git a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
index 4a34b31f900..c987c4e1702 100644
--- a/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
@@ -1,6 +1,6 @@
 title: Potential Zerologon (CVE-2020-1472) Exploitation
 id: dd7876d8-0f09-11eb-adc1-0242ac120002
-status: experimental
+status: test
 description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
 references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml
index 316a0d08b08..215f5d536da 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml
@@ -1,6 +1,6 @@
 title: Access To Sysvol Policies Share By Uncommon Process
 id: 8344c19f-a023-45ff-ad63-a01c5396aea0
-status: experimental
+status: test
 description: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
 references:
 - https://github.com/vletoux/pingcastle
diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
index f2f7a0b5745..e2142a7d9b5 100644
--- a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
@@ -1,6 +1,6 @@
 title: Amsi.DLL Load By Uncommon Process
 id: facd1549-e416-48e0-b8c4-41d7215eedc8
-status: experimental
+status: test
 description: Detects loading of Amsi.dll by uncommon processes
 references:
 - https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9
diff --git a/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml b/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
index 69c47afe7fb..b23fcf8e991 100644
--- a/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
+++ b/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml
@@ -1,6 +1,6 @@ title: System Integrity Protection (SIP) Disabled id: 3603f18a-ec15-43a1-9af2-d196c8a7fec6 -status: experimental +status: test description: | Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios. references: diff --git a/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml b/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml index 1790b6dcb14..f3b61dfce3b 100644 --- a/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml +++ b/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml @@ -1,6 +1,6 @@ title: System Integrity Protection (SIP) Enumeration id: 53821412-17b0-4147-ade0-14faae67d54b -status: experimental +status: test description: | Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios. references: diff --git a/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml b/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml index 79956ea7dae..85c3aae3b35 100644 --- a/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml @@ -1,6 +1,6 @@ title: System Information Discovery Using Ioreg id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0 -status: experimental +status: test description: | Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. diff --git a/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml b/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml index e98c15627b3..8c47f54f71c 100644 --- a/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml 
@@ -1,6 +1,6 @@ title: System Information Discovery Using sw_vers id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033 -status: experimental +status: test description: Detects the use of "sw_vers" for system information discovery references: - https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior diff --git a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml index 2035384e5e8..96407361e72 100644 --- a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml @@ -1,6 +1,6 @@ title: System Information Discovery Using System_Profiler id: 4809c683-059b-4935-879d-36835986f8cf -status: experimental +status: test description: | Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes. diff --git a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml index 6d5e3933ad6..2723b5f94de 100644 --- a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml +++ b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml 
@@ -1,6 +1,6 @@
 title: Potential Base64 Decoded From Images
 id: 09a910bf-f71f-4737-9c40-88880ba5913d
-status: experimental
+status: test
 description: |
 Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
 references:
diff --git a/rules/windows/builtin/security/win_security_hktl_nofilter.yml b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
index b36699cc42c..b1fa4617257 100644
--- a/rules/windows/builtin/security/win_security_hktl_nofilter.yml
+++ b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
@@ -1,6 +1,6 @@
 title: HackTool - NoFilter Execution
 id: 7b14c76a-c602-4ae6-9717-eff868153fc0
-status: experimental
+status: test
 description: |
 Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
 references:
diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
index d612b07cbba..95b355b94d6 100644
--- a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious AccessMask Requested From LSASS
 id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
-status: experimental
+status: test
 description: Detects process handle on LSASS process with certain access mask
 references:
 - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
index e6946ffeee5..9391e7301af 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml @@ -1,6 +1,6 @@ title: HackTool Named File Stream Created id: 19b041f6-e583-40dc-b842-d6fa8011493f -status: experimental +status: test description: Detects the creation of a named file stream with the imphash of a well-known hack tool references: - https://github.com/gentilkiwi/mimikatz diff --git a/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml b/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml index 60ab1f2d500..c7bc4d52acb 100644 --- a/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml +++ b/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml @@ -3,7 +3,7 @@ id: a1d9eec5-33b2-4177-8d24-27fe754d0812 related: - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903 type: similar -status: experimental +status: test description: | Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. diff --git a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml index 7acf3d614fa..3ff17c6934b 100644 --- a/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml +++ b/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml @@ -1,6 +1,6 @@ title: Uncommon File Created In Office Startup Folder id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d -status: experimental +status: test description: Detects the creation of a file with an uncommon extension in an Office application startup folder references: - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/ diff --git a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml index 7af6c490cad..d410b68adad 100644 
--- a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
+++ b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
@@ -1,6 +1,6 @@
 title: PSScriptPolicyTest Creation By Uncommon Process
 id: 1027d292-dd87-4a1a-8701-2abe04d7783c
-status: experimental
+status: test
 description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
 references:
 - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
index 7824a5de1ca..0a7680262de 100644
--- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
@@ -3,7 +3,7 @@ id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
 related:
 - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
 type: derived
-status: experimental
+status: test
 description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
 references:
 - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
diff --git a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
index 1bf18ed773e..dcf35177ab9 100644
--- a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
@@ -1,6 +1,6 @@ title: Suspicious Wordpad Outbound Connections id: 786cdae8-fefb-4eb2-9227-04e34060db01 -status: experimental +status: test description: | Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms. diff --git a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml index fd269f15d2e..f652759ce1a 100644 --- a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml @@ -1,6 +1,6 @@ title: HackTool - EfsPotato Named Pipe Creation id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 -status: experimental +status: test description: Detects the pattern of a pipe name as used by the hack tool EfsPotato references: - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml index 27851bd1bb5..a00c14eb889 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml @@ -3,7 +3,7 @@ id: ec19ebab-72dc-40e1-9728-4c0b805d722c related: - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 type: similar -status: experimental +status: test description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
index 9cb659232b9..ceb86c1993f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
@@ -3,7 +3,7 @@ id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
 related:
 - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
 type: derived
-status: experimental
+status: test
 description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
diff --git a/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml b/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
index c4d80b40f5f..4b69b151818 100644
--- a/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
+++ b/rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
@@ -1,6 +1,6 @@
 title: Potential Direct Syscall of NtOpenProcess
 id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
-status: experimental
+status: test
 description: Detects potential calls to NtOpenProcess directly from NTDLL.
 references:
 - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
index e0a35f2da37..b769e5d9624 100644
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml
@@ -1,6 +1,6 @@ title: Cloudflared Portable Execution id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd -status: experimental +status: test description: | Detects the execution of the "cloudflared" binary from a non standard location. references: diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml index 3c8194c9783..a662ae76a8c 100644 --- a/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml @@ -5,7 +5,7 @@ related: type: similar - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 type: similar -status: experimental +status: test description: | Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml index 3ebc4087d97..c7a705d7676 100644 --- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml +++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml @@ -1,6 +1,6 @@ title: Cloudflared Tunnel Connections Cleanup id: 7050bba1-1aed-454e-8f73-3f46f09ce56a -status: experimental +status: test description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections. references: - https://github.com/cloudflare/cloudflared diff --git a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml index f3661aa4b01..5ceeda7a53b 100644 
--- a/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
+++ b/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml
@@ -1,6 +1,6 @@
 title: Cloudflared Tunnel Execution
 id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
-status: experimental
+status: test
 description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
 references:
 - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
index 06b2331c2a8..c144c3926b0 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
@@ -1,6 +1,6 @@
 title: Uncommon Child Process Of Conhost.EXE
 id: 7dc2dedd-7603-461a-bc13-15803d132355
-status: experimental
+status: test
 description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
 references:
 - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
index 816fc05d7dd..89bd4bb91c1 100644
--- a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
@@ -1,6 +1,6 @@
 title: Binary Proxy Execution Via Dotnet-Trace.EXE
 id: 9257c05b-4a4a-48e5-a670-b7b073cf401b
-status: experimental
+status: test
 description: Detects commandline arguments for executing a child process via dotnet-trace.exe
 references:
 - https://twitter.com/bohops/status/1740022869198037480
diff --git a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
index dc0b6d50886..b77b3588d28 100644
--- a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
@@ -1,6 +1,6 @@
 title: Forfiles.EXE Child Process Masquerading
 id: f53714ec-5077-420e-ad20-907ff9bb2958
-status: experimental
+status: test
 description: |
 Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
index 892d06cad45..c07c238e104 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
@@ -1,6 +1,6 @@
 title: HackTool - EDRSilencer Execution
 id: eb2d07d4-49cb-4523-801a-da002df36602
-status: experimental
+status: test
 description: |
 Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
index d3622d65893..2e88fb44245 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml @@ -1,6 +1,6 @@ title: Firewall Configuration Discovery Via Netsh.EXE id: 0e4164da-94bc-450d-a7be-a4b176179f1f -status: experimental +status: test description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml index d7ee73f3ad0..485cd79ae4c 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml @@ -3,7 +3,7 @@ id: 811e0002-b13b-4a15-9d00-a613fce66e42 related: - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a type: similar -status: experimental +status: test description: | Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. diff --git a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml index 1f352d1030a..a20d74aefec 100644 --- a/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml +++ b/rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml 
@@ -1,6 +1,6 @@ title: Suspicious Greedy Compression Using Rar.EXE id: afe52666-401e-4a02-b4ff-5d128990b8cb -status: experimental +status: test description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes references: - https://decoded.avast.io/martinchlumecky/png-steganography diff --git a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml index 4ea1796db78..fcb0e03b63e 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml @@ -3,7 +3,7 @@ id: 8cbc9475-8d05-4e27-9c32-df960716c701 related: - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae type: similar -status: experimental +status: test description: | Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image. diff --git a/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml b/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml index 90b12f0ee3a..5c4ba1404d0 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml @@ -1,6 +1,6 @@ title: Renamed Cloudflared.EXE Execution id: e0c69ebd-b54f-4aed-8ae3-e3467843f3f0 -status: experimental +status: test description: Detects the execution of a renamed "cloudflared" binary. references: - https://github.com/cloudflare/cloudflared/releases 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml index aee49b14846..24ed2273c40 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml @@ -3,7 +3,7 @@ id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 related: - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca type: derived -status: experimental +status: test description: Detects process execution from a fake recycle bin folder, often used to avoid security solution. references: - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets diff --git a/rules/windows/process_creation/proc_creation_win_tar_compression.yml b/rules/windows/process_creation/proc_creation_win_tar_compression.yml index 3cf3fcfa076..f33ea772d1c 100644 --- a/rules/windows/process_creation/proc_creation_win_tar_compression.yml +++ b/rules/windows/process_creation/proc_creation_win_tar_compression.yml @@ -1,6 +1,6 @@ title: Compressed File Creation Via Tar.EXE id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9 -status: experimental +status: test description: | Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. diff --git a/rules/windows/process_creation/proc_creation_win_tar_extraction.yml b/rules/windows/process_creation/proc_creation_win_tar_extraction.yml index 98298b3e9f4..bee906158cb 100644 --- a/rules/windows/process_creation/proc_creation_win_tar_extraction.yml +++ b/rules/windows/process_creation/proc_creation_win_tar_extraction.yml 
@@ -1,6 +1,6 @@ title: Compressed File Extraction Via Tar.EXE id: bf361876-6620-407a-812f-bfe11e51e924 -status: experimental +status: test description: | Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection. diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml index 021da471ef2..bee0ff1c884 100644 --- a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml +++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Command Targeting Teams Sensitive Files id: d2eb17db-1d39-41dc-b57f-301f6512fa75 -status: experimental +status: test description: | Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts. diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml index 40460c76c12..7e7e9597dad 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml @@ -3,7 +3,7 @@ id: 9d5a1274-922a-49d0-87f3-8c653483b909 related: - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e type: derived -status: experimental +status: test description: | Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, 
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml index d0f0402e788..d145cbafc91 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml @@ -1,6 +1,6 @@ title: Cscript/Wscript Potentially Suspicious Child Process id: b6676963-0353-4f88-90f5-36c20d443c6a -status: experimental +status: test description: | Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others. diff --git a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml index 6617d2e6ee4..5f7f98775ba 100644 --- a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml +++ b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml @@ -3,7 +3,7 @@ id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae related: - id: 8cbc9475-8d05-4e27-9c32-df960716c701 type: similar -status: experimental +status: test description: | Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image. diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml index 1880756efb7..5e439d63d83 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml 
+++ b/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml @@ -1,6 +1,6 @@ title: Potential Persistence Via AppCompat RegisterAppRestart Layer id: b86852fb-4c77-48f9-8519-eb1b2c308b59 -status: experimental +status: test description: | Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml index b2ec4054504..2bb0b269d26 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml @@ -7,7 +7,7 @@ related: type: similar - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock type: similar -status: experimental +status: test description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 diff --git a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml index aecb6d1c2e2..88939c9dd6c 100644 --- a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml +++ b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml 
@@ -3,7 +3,7 @@ id: c420410f-c2d8-4010-856b-dffe21866437 related: - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation type: similar -status: experimental +status: test description: | Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. From 0cb8d0e091f8c010e7792f2f9fcb6151a89897ac Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 1 Nov 2024 10:47:36 +0100 Subject: [PATCH 084/144] Merge PR #5063 from @Neo23x0 - Add & Update rules related to the suspicious creation of ".rdp" files new: .RDP File Created by Outlook Process update: .RDP File Created By Uncommon Application - Add `olk.exe` to cover the new version of outlook --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...t_win_office_outlook_rdp_file_creation.yml | 32 +++++++++++++++++++ .../file_event_win_rdp_file_susp_creation.yml | 12 +++++-- 2 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml new file mode 100644 index 00000000000..7b091164d53 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml 
@@ -0,0 +1,32 @@
+title: .RDP File Created by Outlook Process
+id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
+related:
+ - id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
+ type: derived
+status: experimental
+description: |
+ Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments.
+ This can be used to detect spear-phishing campaigns that use RDP files as attachments.
+references:
+ - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
+ - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
+ - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
+author: Florian Roth
+date: 2024-11-01
+tags:
+ - attack.defense-evasion
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_extension:
+ TargetFilename|endswith: '.rdp'
+ selection_location:
+ - TargetFilename|contains: '\AppData\Local\Packages\Microsoft.Outlook_' # New Outlook
+ - TargetFilename|contains|all:
+ - '\AppData\Local\Microsoft\Windows\'
+ - '\Content.Outlook\'
+ condition: all of selection_*
+falsepositives:
+ - Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
index 55ce57aa928..760c848d78d 100644
--- a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
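Review bot: The new rule carries only `attack.defense-evasion` under `tags:`, yet its description and both vendor references frame it as detecting spear-phishing with .rdp attachments, so `attack.initial-access` and `attack.t1566.001` (Spearphishing Attachment) should be added there. The title also says "Created by Outlook Process", but the detection never constrains `Image`; it matches solely on the attachment-cache paths in `selection_location`, so either retitle it to reflect the location-based logic or add an `Image|endswith` selection for `\outlook.exe` and `\olk.exe` and fold it into the `all of selection_*` condition. A short comment next to the `Content.Outlook` entry, such as `# classic Outlook attachment cache (INetCache / Temporary Internet Files)`, would make it clearer why `contains|all` is used there instead of a single path.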
@@ -1,12 +1,17 @@ -title: RDP File Creation From Suspicious Application +title: .RDP File Created By Uncommon Application id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d +related: + - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f + type: derived status: test -description: Detects Rclone config file being created +description: | + Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-04-18 +modified: 2024-11-01 tags: - attack.defense-evasion logsource: @@ -14,6 +19,7 @@ logsource: category: file_event detection: selection: + TargetFilename|endswith: '.rdp' Image|endswith: # Covers browsers - '\brave.exe' @@ -28,6 +34,7 @@ detection: - '\Vivaldi.exe' - '\Whale.exe' # Covers email clients + - '\olk.exe' # Outlook - '\Outlook.exe' - '\RuntimeBroker.exe' # If the windows mail client is used - '\Thunderbird.exe' @@ -37,7 +44,6 @@ detection: - '\msteams.exe' - '\Slack.exe' - '\teams.exe' - TargetFilename|contains: '.rdp' condition: selection falsepositives: - Unknown From 04df2e483a5e269995c49079e36e2927c656ea74 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 1 Nov 2024 10:49:49 +0100 Subject: [PATCH 085/144] Merge PR #5051 from @nasbench - Archive new rule references and update cache file chore: archive new rule references and update cache file Co-authored-by: nasbench --- .github/latest_archiver_output.md | 1054 ++++++++++++++--------------- tests/rule-references.txt | 18 + 2 files changed, 545 insertions(+), 527 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index dd075557ff0..d699adc0d56 100644 --- a/.github/latest_archiver_output.md 
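Review bot: Replacing `TargetFilename|contains: '.rdp'` with `TargetFilename|endswith: '.rdp'` in `selection` tightens the match but may drop the browser case the `Image` list is largely built for: browsers commonly create the download under a temporary name such as `name.rdp.part` (Firefox) or `name.rdp.crdownload` (Chromium) and rename it afterwards, and as far as I know Sysmon's FileCreate event is not raised on the rename, so only the temporary name is ever logged. Please confirm against a sample; if it holds, keep the precision gain but list the variants explicitly, e.g. `TargetFilename|endswith: ['.rdp', '.rdp.part', '.rdp.crdownload']`. The `# Outlook` comment on the new `'\olk.exe'` entry would be more useful as `# New Outlook (packaged app)` so readers see why it sits alongside `\Outlook.exe` rather than replacing it.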
+++ b/.github/latest_archiver_output.md @@ -1,6 +1,6 @@ # Reference Archiver Results -Last Execution: 2024-10-01 02:09:15 +Last Execution: 2024-11-01 02:08:46 ### Archiver Script Results 
@@ -11,570 +11,570 @@ N/A #### Already Archived References -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 -- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture -- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ -- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature -- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://x.com/yarden_shafir/status/1822667605175324787 -- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt -- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml -- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 -- https://anydesk.com/en/changelog/windows -- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html -- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior +- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ +- https://pentestlab.blog/tag/svchost/ +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 +- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md +- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete +- https://ss64.com/nt/shell.html +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 +- https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview +- https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/ +- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ +- https://twitter.com/0gtweet/status/1720419490519752955 +- https://asec.ahnlab.com/en/78944/ +- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ +- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf +- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ +- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 +- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa #### Error While Archiving References -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://redcanary.com/blog/msix-installers/ -- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- https://ss64.com/nt/shell.html -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code -- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml -- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia -- https://redcanary.com/blog/threat-detection/process-masquerading/ -- https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/ -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://objective-see.org/blog/blog_0x1E.html -- https://gtfobins.github.io/gtfobins/env/#shell -- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ -- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ -- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- 
https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- https://bazaar.abuse.ch/browse/tag/one/ -- https://twitter.com/Kostastsale/status/1480716528421011458 -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- https://www.loobins.io/binaries/pbpaste/ -- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ -- https://twitter.com/standa_t/status/1808868985678803222 -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles -- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- https://gtfobins.github.io/gtfobins/nawk/#shell -- https://x.com/Max_Mal_/status/1826179497084739829 -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://github.com/0xthirteen/SharpMove/ +- https://paper.seebug.org/1495/ +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- 
https://learn.microsoft.com/en-us/windows/client-management/manage-recall - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu -- https://megatools.megous.com/ -- https://gtfobins.github.io/gtfobins/capsh/#shell -- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- https://www.action1.com/documentation/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://www.loobins.io/binaries/nscurl/ -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://linux.die.net/man/1/arecord +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- 
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 +- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://labs.withsecure.com/publications/kapeka +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://twitter.com/th3_protoCOL/status/1480621526764322817 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://github.com/embedi/CVE-2017-11882 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://github.com/FalconForceTeam/SOAPHound -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://linux.die.net/man/1/arecord +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 +- 
https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://github.com/nettitude/SharpWSUS - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- https://gtfobins.github.io/gtfobins/git/#shell -- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://www.loobins.io/binaries/launchctl/ -- https://twitter.com/MsftSecIntel/status/1737895710169628824 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://gtfobins.github.io/gtfobins/flock/#shell -- https://github.com/GhostPack/SharpDPAPI -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities -- https://trustedsec.com/blog/oops-i-udld-it-again -- https://www.loobins.io/binaries/tmutil/ -- 
https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators -- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- 
https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization -- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- https://gtfobins.github.io/gtfobins/rsync/#shell -- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ -- https://www.tarasco.org/security/pwdump_7/ -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare -- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ -- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://www.loobins.io/binaries/launchctl/ +- https://www.softperfect.com/products/networkscanner/ +- 
https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect +- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 +- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://github.com/nettitude/SharpWSUS -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://labs.nettitude.com/blog/introducing-sharpwsus/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ -- https://tria.ge/220422-1pw1pscfdl/ -- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 -- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://ss64.com/mac/chflags.html -- https://gtfobins.github.io/gtfobins/gawk/#shell -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete -- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 -- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf -- https://github.com/antonioCoco/RoguePotato +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://localtonet.com/documents/supported-tunnels -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 -- https://tria.ge/220422-1nnmyagdf2/ -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://ss64.com/mac/hdiutil.html +- https://gtfobins.github.io/gtfobins/git/#shell +- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://www.action1.com/documentation/ +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode - 
https://twitter.com/TheDFIRReport/status/1482078434327244805 -- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector +- https://bazaar.abuse.ch/browse/tag/one/ +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role - https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ -- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF -- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- 
https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion -- https://twitter.com/0gtweet/status/1720419490519752955 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 +- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 
+- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://unit42.paloaltonetworks.com/chromeloader-malware/ - https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ -- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 -- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +- https://www.attackiq.com/2023/09/20/emulating-rhysida/ +- https://www.loobins.io/binaries/tmutil/ +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue - https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://asec.ahnlab.com/en/78944/ -- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html -- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 -- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://tria.ge/240731-jh4crsycnb/behavioral2 -- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown - https://gtfobins.github.io/gtfobins/awk/#shell -- https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- https://www.trustedsec.com/blog/art_of_kerberoast/ -- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ -- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa -- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 -- https://www.sans.org/cyber-security-summit/archives -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) -- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -- 
https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://github.com/Ylianst/MeshAgent -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://gtfobins.github.io/gtfobins/python/#shell +- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ +- https://gtfobins.github.io/gtfobins/c89/#shell +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 -- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://evasions.checkpoint.com/techniques/macos.html -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- https://gtfobins.github.io/gtfobins/nawk/#shell +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://github.com/Ylianst/MeshAgent +- https://objective-see.org/blog/blog_0x1E.html +- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://twitter.com/1ZRR4H/status/1537501582727778304 +- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://tria.ge/220422-1nnmyagdf2/ +- https://tria.ge/220422-1pw1pscfdl/ +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- 
https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a +- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://gtfobins.github.io/gtfobins/c99/#shell +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://twitter.com/standa_t/status/1808868985678803222 - https://twitter.com/DTCERT/status/1712785421845790799 -- https://ss64.com/nt/set.html -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 -- 
https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ -- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ -- https://twitter.com/th3_protoCOL/status/1480621526764322817 -- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- https://github.com/embedi/CVE-2017-11882 -- https://objective-see.org/blog/blog_0x6D.html - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://ipurple.team/2024/07/15/sharphound-detection/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials -- 
https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://paper.seebug.org/1495/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services -- https://tria.ge/240123-rapteaahhr/behavioral1 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 -- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ +- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 +- https://gtfobins.github.io/gtfobins/gcc/#shell +- https://www.cyberciti.biz/faq/linux-remove-user-command/ +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +- 
https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://localtonet.com/documents/supported-tunnels +- https://github.com/rapid7/metasploit-framework/issues/11337 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool -- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://github.com/CICADA8-Research/RemoteKrbRelay -- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ -- https://gtfobins.github.io/gtfobins/mawk/#shell -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ -- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://www.tenable.com/security/research/tra-2023-11 -- https://boinc.berkeley.edu/ -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://asec.ahnlab.com/en/40263/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 -- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html -- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- 
https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- https://twitter.com/1ZRR4H/status/1537501582727778304 -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo -- https://ss64.com/mac/hdiutil.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://www.loobins.io/binaries/pbpaste/ +- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a +- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- 
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://cloud.google.com/access-context-manager/docs/audit-logging +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://github.com/grayhatkiller/SharpExShell +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://gtfobins.github.io/gtfobins/rsync/#shell +- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set +- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 +- https://github.com/FalconForceTeam/SOAPHound +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://twitter.com/Kostastsale/status/1480716528421011458 - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates -- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://github.com/rapid7/metasploit-framework/issues/11337 -- 
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain +- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 -- https://securelist.com/network-tunneling-with-qemu/111803/ -- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -- https://www.cve.org/CVERecord?id=CVE-2024-1709 -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://www.loobins.io/binaries/hdiutil/ -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://redcanary.com/blog/msix-installers/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ +- 
https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things -- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html -- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt -- https://support.google.com/a/answer/9261439 -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction +- https://www.sans.org/cyber-security-summit/archives +- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 -- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://support.google.com/a/answer/9261439 +- https://boinc.berkeley.edu/ +- https://www.loobins.io/binaries/xattr/ - https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction -- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- 
https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://gtfobins.github.io/gtfobins/mawk/#shell +- https://www.loobins.io/binaries/hdiutil/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://ipurple.team/2024/09/10/browser-stored-credentials/ +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections -- https://news.ycombinator.com/item?id=29504755 -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://adsecurity.org/?p=1785 - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://www.huntress.com/blog/attacking-mssql-servers +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://news.ycombinator.com/item?id=29504755 +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp +- https://gtfobins.github.io/gtfobins/find/#shell +- 
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ +- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +- https://www.trustedsec.com/blog/art_of_kerberoast/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://ipurple.team/2024/07/15/sharphound-detection/ +- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration +- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://objective-see.org/blog/blog_0x6D.html +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://github.com/antonioCoco/RoguePotato +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://www.tenable.com/security/research/tra-2023-11 +- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html +- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html +- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- 
https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://www.huntress.com/blog/attacking-mssql-servers +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://github.com/0xthirteen/SharpMove/ +- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://www.group-ib.com/resources/threat-research/red-curl-2.html - https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://ngrok.com/blog-post/new-ngrok-domains -- 
https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://gtfobins.github.io/gtfobins/find/#shell -- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address -- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- 
https://www.anyviewer.com/help/remote-technical-support.html -- https://tria.ge/240226-fhbe7sdc39/behavioral1 -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://github.com/grayhatkiller/SharpExShell -- https://gtfobins.github.io/gtfobins/gcc/#shell -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://twitter.com/Cryptolaemus1/status/1517634855940632576 -- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd -- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://evasions.checkpoint.com/techniques/macos.html +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps -- 
https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ -- https://www.loobins.io/binaries/xattr/ -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://cloud.google.com/access-context-manager/docs/audit-logging -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://www.loobins.io/binaries/nscurl/ +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://www.tarasco.org/security/pwdump_7/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://gtfobins.github.io/gtfobins/c89/#shell +- 
https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://ss64.com/nt/set.html +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 +- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://github.com/GhostPack/SharpDPAPI +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 +- 
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://ngrok.com/blog-post/new-ngrok-domains +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://twitter.com/Cryptolaemus1/status/1517634855940632576 +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://github.com/gentilkiwi/mimikatz +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- 
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://adsecurity.org/?p=3513 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html -- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- 
https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://megatools.megous.com/ +- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ -- https://github.com/gentilkiwi/mimikatz -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf +- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://ss64.com/mac/chflags.html +- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- 
https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer +- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://asec.ahnlab.com/en/61000/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation -- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://gtfobins.github.io/gtfobins/python/#shell +- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace +- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://ss64.com/osx/sw_vers.html -- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://adsecurity.org/?p=3513 -- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- 
https://www.softperfect.com/products/networkscanner/ -- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 -- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser - https://tria.ge/231023-lpw85she57/behavioral2 -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md -- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://adsecurity.org/?p=1785 -- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file -- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 -- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://asec.ahnlab.com/en/61000/ -- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 -- 
https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ - https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php -- https://pentestlab.blog/tag/svchost/ -- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns -- https://gtfobins.github.io/gtfobins/c99/#shell -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 -- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior -- 
https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ -- https://twitter.com/th3_protoCOL/status/1536788652889497600 -- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://asec.ahnlab.com/en/40263/ +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue -- https://labs.withsecure.com/publications/kapeka -- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- 
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 +- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 +- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/ +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://docs.microsoft.com/en-us/sql/tools/bcp-utility +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac +- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a +- 
https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://gtfobins.github.io/gtfobins/flock/#shell +- https://ss64.com/osx/sw_vers.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor +- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- 
https://www.anyviewer.com/help/remote-technical-support.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response +- https://gtfobins.github.io/gtfobins/env/#shell +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html +- https://blog.talosintelligence.com/uat-5647-romcom/ +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +- https://trustedsec.com/blog/oops-i-udld-it-again +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ +- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
index 65c2fa05e8c..c0d417d3a2b 100644
--- a/tests/rule-references.txt
+++ b/tests/rule-references.txt
@@ -3824,3 +3824,21 @@ https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/se
 https://anydesk.com/en/changelog/windows
 https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
 https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
+https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+https://pentestlab.blog/tag/svchost/
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
+https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
+https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
+https://ss64.com/nt/shell.html
+https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
+https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
+https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/
+https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
+https://twitter.com/0gtweet/status/1720419490519752955
+https://asec.ahnlab.com/en/78944/
+https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
+https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
+https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
+https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
+https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
From 14ce104a16099ffff56dd3337def522a9e5b1a6f Mon Sep 17 00:00:00 2001 From: Ahmed Farouk Date: Fri, 1 Nov 2024 21:45:17 +0200 Subject: [PATCH 086/144] Merge PR #5058 from @ahmedfarou22 - Add new rules related to command execution via run dialogue new: Potentially Suspicious Command Executed Via Run Dialog Box - Registry new: Command Executed Via Run Dialog Box - Registry --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../registry_set_runmru_command_execution.yml | 46 +++++++++++++++++ ...stry_set_runmru_susp_command_execution.yml | 50 +++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml create mode 100644 rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
new file mode 100644
index 00000000000..7fb8a360f0a
--- /dev/null
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
@@ -0,0 +1,46 @@
+title: Command Executed Via Run Dialog Box - Registry
+id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
+related:
+    - id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
+      type: derived
+status: experimental
+description: |
+    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
+    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
+references:
+    - https://www.forensafe.com/blogs/runmrukey.html
+    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
+author: Ahmed Farouk, Nasreddine Bencherchali
+date: 2024-11-01
+tags:
+    - detection.threat-hunting
+    - attack.execution
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection:
+        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
+    filter_main_mrulist:
+        TargetObject|endswith: '\MRUList'
+    filter_optional_ping:
+        Details|contains: 'ping'
+    filter_optional_generic:
+        Details:
+            - '%appdata%\1'
+            - '%localappdata%\1'
+            - '%public%\1'
+            - '%temp%\1'
+            - 'calc\1'
+            - 'dxdiag\1'
+            - 'explorer\1'
+            - 'gpedit.msc\1'
+            - 'mmc\1'
+            - 'notepad\1'
+            - 'regedit\1'
+            - 'services.msc\1'
+            - 'winver\1'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Likely
+level: low
diff --git a/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml b/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml
new file mode 100644
index 00000000000..6a6613ec96a
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml
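Review bot: `filter_optional_ping` uses `Details|contains: 'ping'`, which suppresses every RunMRU value that merely contains that substring ("mapping", "typing", or any longer command line that embeds the word), so the filter is considerably wider than its name suggests. The `filter_optional_generic` entries expect values of the form `<command>\1`, so the same anchoring works for the ping exclusion: `Details|startswith: 'ping'`. Separately, this rule lists `a7df0e9e-91a5-459a-a003-4cde67c2ff5d` as `type: derived`, while that rule (`registry_set_runmru_susp_command_execution.yml` in the next hunk) lists this one as `derived` too; the relation is circular, and presumably one side is meant to be `similar`.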
@@ -0,0 +1,50 @@
+title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
+id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
+related:
+    - id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
+      type: derived
+status: test
+description: |
+    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
+    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
+references:
+    - https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
+    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
+    - https://www.forensafe.com/blogs/runmrukey.html
+author: Ahmed Farouk, Nasreddine Bencherchali
+date: 2024-11-01
+tags:
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection_key:
+        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
+    selection_powershell_command:
+        Details|contains:
+            - 'powershell'
+            - 'pwsh'
+    selection_powershell_susp_keywords:
+        Details|contains:
+            - ' -e '
+            - ' -ec '
+            - ' -en '
+            - ' -enc '
+            - ' -enco'
+            - 'ftp'
+            - 'Hidden'
+            - 'http'
+            - 'iex'
+            - 'Invoke-'
+    selection_wmic_command:
+        Details|contains: 'wmic'
+    selection_wmic_susp_keywords:
+        Details|contains:
+            - 'shadowcopy'
+            - 'process call create'
+    condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
+falsepositives:
+    - Unknown
+level: high
From e1787dad3871aa6a0a6fe4c2c3c366a5eaedee5c Mon Sep 17 00:00:00 2001
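Review bot: The tags only map the rule to `attack.t1059.001`, but the second half of the condition (`all of selection_wmic_*`) matches `wmic` with `process call create` / `shadowcopy`, which is Windows Management Instrumentation rather than PowerShell; add `- attack.t1047` under `tags` so the WMIC branch is covered by the ATT&CK mapping as well. The keyword entries `'ftp'`, `'http'`, `'iex'` and `'Hidden'` are bare substrings that would be very noisy on their own; they are acceptable here only because `selection_key` and `selection_powershell_command` narrow the scope first, and that reasoning is worth recording for whoever tunes the list later, e.g. a comment above `selection_powershell_susp_keywords` reading `# Loose substrings on purpose: precision comes from the RunMRU key scope and the powershell/pwsh requirement`.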
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 1 Nov 2024 20:52:27 +0100 Subject: [PATCH 087/144] Merge PR #5067 from @nasbench - Add missing reference links chore: add missing reference links to some rules --- .../registry_set/registry_set_runmru_command_execution.yml | 1 + .../registry_set/registry_set_runmru_susp_command_execution.yml | 1 + 2 files changed, 2 insertions(+)
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
index 7fb8a360f0a..b4032e6f38a 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
@@ -10,6 +10,7 @@ description: |
 references:
     - https://www.forensafe.com/blogs/runmrukey.html
     - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
+    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
 author: Ahmed Farouk, Nasreddine Bencherchali
 date: 2024-11-01
 tags:
diff --git a/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml b/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml
index 6a6613ec96a..1d92c06231c 100644
--- a/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml
@@ -11,6 +11,7 @@ references:
     - https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
     - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
     - https://www.forensafe.com/blogs/runmrukey.html
+    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
 author: Ahmed Farouk, Nasreddine Bencherchali
 date: 2024-11-01
 tags:
From fe999a5e9e9efa93f46fb44fc2f37f9a91b8e6c3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 4 Nov 2024 11:25:05 +0100 Subject: [PATCH 088/144] Merge PR #5070 from @Neo23x0 - Update `.RDP File Created by Outlook Process` update: .RDP File Created by Outlook Process - Add new paths for Outlook apps in Windows 11 --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../file_event_win_office_outlook_rdp_file_creation.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml b/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml
index 7b091164d53..046310174d6 100644
--- a/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml
@@ -13,6 +13,7 @@ references:
     - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
 author: Florian Roth
 date: 2024-11-01
+modified: 2024-11-03
 tags:
     - attack.defense-evasion
 logsource:
@@ -22,7 +23,9 @@ detection:
     selection_extension:
         TargetFilename|endswith: '.rdp'
     selection_location:
-        - TargetFilename|contains: '\AppData\Local\Packages\Microsoft.Outlook_' # New Outlook
+        - TargetFilename|contains:
+              - '\AppData\Local\Packages\Microsoft.Outlook_' # New Outlook
+              - '\AppData\Local\Microsoft\Olk\Attachments\' # New Outlook
         - TargetFilename|contains|all:
               - '\AppData\Local\Microsoft\Windows\'
               - '\Content.Outlook\'
From cfa6d8aa7dcfb9ccf066b972cbee5f0a97df63a1 Mon Sep 17 00:00:00 2001 From: Koifman Date: Mon, 4 Nov 2024 12:32:02 +0200 Subject: [PATCH 089/144] Merge PR #5064 from @Koifman - Add missing ATT&CK tag to `Monero Crypto Coin Mining Pool Lookup` chore: add missing ATT&CK tag to `Monero Crypto Coin Mining Pool Lookup` --- rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml b/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
index d980f568948..498e6b8b966 100644
--- a/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
+++ b/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml
@@ -9,6 +9,7 @@ date: 2021-10-24
 tags:
     - attack.impact
     - attack.t1496
+    - attack.exfiltration
     - attack.t1567
 logsource:
     category: dns
From 243003c21a85b331bb06b9adbdbbb289a19e6b3d Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com> Date: Mon, 4 Nov 2024 11:45:07 +0100 Subject: [PATCH 090/144] Merge PR #5068 from @ruppde - Update rules in the Antivirus category with additional strings and signature names update: Antivirus Hacktool Detection - Add additional hacktools signature names. update: Antivirus Password Dumper Detection - Add additional password dumpers such as "DumpPert", "Lazagne", "pypykatz", etc. update: Antivirus Ransomware Detection - Add additional ransomware signature names. fix: Antivirus Relevant File Paths Alerts - Remove the path "\Client" as it is too generic for a detection rule. fix: Antivirus Web Shell Detection - Removed overlapping strings "ASP/Agent", "PHP/Agent", "JSP/Agent". --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- rules/category/antivirus/av_exploiting.yml | 6 +++-- rules/category/antivirus/av_hacktool.yml | 16 +++++++++----- .../category/antivirus/av_password_dumper.yml | 22 ++++++++++++++++--- rules/category/antivirus/av_ransomware.yml | 20 +++++++++++++++-- .../category/antivirus/av_relevant_files.yml | 8 ++++--- rules/category/antivirus/av_webshell.yml | 13 ++++++----- 6 files changed, 63 insertions(+), 22 deletions(-)
diff --git a/rules/category/antivirus/av_exploiting.yml b/rules/category/antivirus/av_exploiting.yml
index f5a4c1a949e..0639a147d2b 100644
--- a/rules/category/antivirus/av_exploiting.yml
+++ b/rules/category/antivirus/av_exploiting.yml
@@ -1,7 +1,9 @@
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
-description: Detects a highly relevant Antivirus alert that reports an exploitation framework.
+description: |
+ Detects a highly relevant Antivirus alert that reports an exploitation framework.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
@@ -9,7 +11,7 @@ references:
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
tags:
- attack.execution
- attack.t1203
diff --git a/rules/category/antivirus/av_hacktool.yml b/rules/category/antivirus/av_hacktool.yml
index 154a63e98a8..851c5a18bc1 100644
--- a/rules/category/antivirus/av_hacktool.yml
+++ b/rules/category/antivirus/av_hacktool.yml
@@ -1,13 +1,15 @@
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
-description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+description: |
+ Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
-modified: 2024-07-17
+modified: 2024-11-02
tags:
- attack.execution
- attack.t1204
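Review bot: The second sentence added to `description` has a comma splice and non-idiomatic wording (`... but investigate, how it came there in the first place.`); suggest `Do not dismiss this event just because the AV blocked the sample; investigate how it got onto the host in the first place.` The same sentence is pasted into the hacktool, password dumper, ransomware, relevant-file-path and web shell rules in this commit, so the rewording applies to all of them. Because `description` is a `|` block scalar the change is text only and does not touch the detection logic.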
@@ -16,8 +18,7 @@ logsource:
detection:
selection:
- Signature|startswith:
- - 'Adfind'
- - 'ATK/'
+ - 'ATK/' # Sophos
- 'Exploit.Script.CVE'
- 'HKTL'
- 'HTOOL'
@@ -27,7 +28,6 @@ detection:
# - 'FRP.'
- Signature|contains:
- 'Adfind'
- - 'ATK/' # Sophos
- 'Brutel'
- 'BruteR'
- 'Cobalt'
@@ -36,10 +36,10 @@ detection:
- 'DumpCreds'
- 'FastReverseProxy'
- 'Hacktool'
+ - 'Havoc'
- 'Impacket'
- 'Keylogger'
- 'Koadic'
- - 'Lazagne'
- 'Mimikatz'
- 'Nighthawk'
- 'PentestPowerShell'
@@ -51,12 +51,16 @@ detection:
- 'PWCrack'
- 'PWDump'
- 'Rozena'
+ - 'Rusthound'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool'
- 'SharpDump'
+ - 'SharpHound'
- 'Shellcode'
- 'Sliver'
+ - 'Snaffler'
+ - 'SOAPHound'
- 'Splinter'
- 'Swrort'
- 'TurtleLoader'
diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index 0cfb9a8a2d1..bbf4e861da8 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
@@ -1,14 +1,16 @@
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
-description: Detects a highly relevant Antivirus alert that reports a password dumper.
+description: |
+ Detects a highly relevant Antivirus alert that reports a password dumper.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
-modified: 2024-10-08
+modified: 2024-11-02
tags:
- attack.credential-access
- attack.t1003
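Review bot: Removing `'ATK/'` from the `Signature|contains` list while keeping it only under `startswith` narrows coverage to signature names that begin with `ATK/`; any vendor that embeds `ATK/` mid-name silently drops out, which the commit message ("add additional hacktools signature names") does not mention. If this is a deliberate noise reduction, record it on the line, e.g. `- 'ATK/' # Sophos prefix; intentionally startswith-only`; otherwise keep the `contains` entry as well. Dropping `'Adfind'` from `startswith` is harmless since `contains` still lists it, and dropping `'Lazagne'` here is fine because the same commit adds it to the password dumper rule.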
@@ -21,13 +23,19 @@ detection:
selection:
- Signature|startswith: 'PWS'
- Signature|contains:
+ - 'Certify'
- 'DCSync'
- 'DumpCreds'
- 'DumpLsass'
+ - 'DumpPert'
- 'HTool/WCE'
- 'Kekeo'
+ - 'Lazagne'
- 'LsassDump'
- 'Mimikatz'
+ - 'MultiDump'
+ - 'Nanodump'
+ - 'NativeDump'
- 'Outflank'
- 'PShlSpy'
- 'PSWTool'
@@ -35,9 +43,17 @@ detection:
- 'PWDump'
- 'PWS.'
- 'PWSX'
+ - 'pypykatz'
- 'Rubeus'
+ - 'SafetyKatz'
- 'SecurityTool'
+ - 'SharpChrome'
+ - 'SharpDPAPI'
- 'SharpDump'
+ - 'SharpKatz'
+ - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
+ - 'ShpKatz'
+ - 'TrickDump'
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
index b4fa40e1a20..2c3a7667f99 100644
--- a/rules/category/antivirus/av_ransomware.yml
+++ b/rules/category/antivirus/av_ransomware.yml
@@ -1,7 +1,9 @@
title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: test
-description: Detects a highly relevant Antivirus alert that reports ransomware.
+description: |
+ Detects a highly relevant Antivirus alert that reports ransomware.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
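Review bot: `'Certify'` is, as far as I know, an AD Certificate Services enumeration/abuse tool rather than a credential dumper, so an AV hit on it will surface under the "Password Dumper" title and T1003 tagging; it fits the hacktool rule this same commit extends with SharpHound and Rusthound, or needs an inline justification like the new `'SharpS.'` entry carries. It is also a bare substring that will match any signature name containing the word, which I cannot confirm is tool-specific across vendors; a comment such as `- 'Certify' # AD CS abuse tool, observed as <vendor signature>` would document the basis. The rest of the additions (Nanodump, NativeDump, pypykatz, SharpKatz, TrickDump, etc.) are clearly in scope.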
@@ -9,9 +11,10 @@ references:
- https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
- https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
- https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
+ - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022-05-12
-modified: 2023-02-03
+modified: 2024-11-02
tags:
- attack.t1486
logsource:
@@ -20,21 +23,34 @@ detection:
selection:
Signature|contains:
- 'BlackWorm'
+ - 'Chaos'
+ - 'Cobra'
+ - 'ContiCrypt'
- 'Crypter'
- 'CRYPTES'
- 'Cryptor'
+ - 'CylanCrypt'
+ - 'DelShad'
- 'Destructor'
- 'Filecoder'
- 'GandCrab'
- 'GrandCrab'
+ - 'Haperlock'
+ - 'Hiddentear'
+ - 'HydraCrypt'
- 'Krypt'
+ - 'Lockbit'
- 'Locker'
+ - 'Mallox'
- 'Phobos'
- 'Ransom'
- 'Ryuk'
- 'Ryzerlo'
+ - 'Stopcrypt'
- 'Tescrypt'
- 'TeslaCrypt'
+ - 'WannaCry'
+ - 'Xorist'
condition: selection
falsepositives:
- Unlikely
diff --git a/rules/category/antivirus/av_relevant_files.yml b/rules/category/antivirus/av_relevant_files.yml
index eaa8530204b..752e5ee7a2d 100644
--- a/rules/category/antivirus/av_relevant_files.yml
+++ b/rules/category/antivirus/av_relevant_files.yml
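Review bot: `'Chaos'` and `'Cobra'` are very short tokens for a `Signature|contains` match in a rule that is titled and tagged (T1486) as ransomware; signature names of unrelated families that embed those words would fire as well, and I cannot rule that out for every vendor's naming from here. Unlike the `'SharpS.'` entry added to the password dumper rule in this commit, none of the new ransomware names records where it was seen; for the short ones a comment such as `- 'Chaos' # <vendor signature observed>, e.g. <sha256>` would justify the token and make later tuning possible. Where a vendor uses a longer, family-specific form, prefer that string over the bare word.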
@@ -1,12 +1,14 @@
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
-description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+description: |
+ Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
tags:
- attack.resource-development
- attack.t1588
@@ -21,7 +23,7 @@ detection:
- ':\Users\Public\'
- ':\Windows\'
- '/www/'
- - '\Client\'
+ # - '\Client\'
- '\inetpub\'
- '\tsclient\'
- 'apache'
diff --git a/rules/category/antivirus/av_webshell.yml b/rules/category/antivirus/av_webshell.yml
index bd756b6fa5c..e831e5f62ab 100644
--- a/rules/category/antivirus/av_webshell.yml
+++ b/rules/category/antivirus/av_webshell.yml
@@ -4,6 +4,7 @@ status: test
description: |
Detects a highly relevant Antivirus alert that reports a web shell.
It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
+ This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://github.com/tennc/webshell
@@ -17,7 +18,7 @@ references:
- https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-11-02
tags:
- attack.persistence
- attack.t1505.003
@@ -35,13 +36,13 @@ detection:
- 'Troj/ASP'
- 'Troj/JSP'
- 'Troj/PHP'
- - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
+ - 'VBS/Uxor' # looking for 'VBS/' would also find downloader's and droppers meant for desktops
- Signature|contains:
- - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
+ - 'ASP_' # looking for 'VBS_' would also find downloader's and droppers meant for desktops
- 'ASP:'
- 'ASP.Agent'
- 'ASP/'
- - 'ASP/Agent'
+ # - 'ASP/Agent'
- 'Aspdoor'
- 'ASPXSpy'
- 'Backdoor.ASP'
@@ -61,14 +62,14 @@ detection:
- 'JSP:'
- 'JSP.Agent'
- 'JSP/'
- - 'JSP/Agent'
+ # - 'JSP/Agent'
- 'Perl:'
- 'Perl/'
- 'PHP_'
- 'PHP:'
- 'PHP.Agent'
- 'PHP/'
- - 'PHP/Agent'
+ # - 'PHP/Agent'
- 'PHPShell'
- 'PShlSpy'
- 'SinoChoper'
From 4f4ef7a8cc077b2b54c71c598db50fe8b1f14d55 Mon Sep 17 00:00:00 2001
From: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Date: Mon, 4 Nov 2024 12:15:00 +0100
Subject: [PATCH 091/144] Merge PR #5042 from @wieso-itzi - Update Python PTY rules
update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage.
---------
Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
.../proc_creation_lnx_python_pty_spawn.yml | 21 ++++++++++---------
...proc_creation_lnx_python_reverse_shell.yml | 10 +++++----
2 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
index a75bd0cbd09..374279fbf01 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
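Review bot: The comment edits on the `'VBS/Uxor'` and `'ASP_'` lines replace the correct plural `downloaders` with the possessive `downloader's`, a regression in two otherwise unchanged lines; keep `# looking for 'VBS/' would also find downloaders and droppers meant for desktops` (and the same wording for the `'VBS_'` remark). Commenting out `'ASP/Agent'`, `'JSP/Agent'` and `'PHP/Agent'` is sound because the remaining `'ASP/'`, `'JSP/'` and `'PHP/'` contains-entries already match those names; stating that on the line, e.g. `# - 'ASP/Agent'  # covered by 'ASP/'`, would stop the next reader from re-adding them.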
+++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
@@ -1,15 +1,16 @@
-title: Python Spawning Pretty TTY
+title: Python Spawning Pretty TTY Via PTY Module
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
- id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
type: similar
status: test
-description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
+description: |
+ Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
-modified: 2023-06-16
+modified: 2024-11-04
tags:
- attack.execution
- attack.t1059
@@ -25,13 +26,13 @@ detection:
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
- selection_cli_1:
- CommandLine|contains|all:
+ selection_cli_import:
+ CommandLine|contains:
- 'import pty'
- - '.spawn('
- selection_cli_2:
- CommandLine|contains: 'from pty import spawn'
- condition: selection_img and 1 of selection_cli_*
+ - 'from pty '
+ selection_cli_spawn:
+ CommandLine|contains: 'spawn'
+ condition: all of selection_*
falsepositives:
- Unknown
-level: high
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
index 218f8e6e99c..202d8034fc6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
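Review bot: `selection_cli_import` only fires when the command line contains the literal `import pty` or `from pty `, so a combined import such as `import os,pty` or `import sys,socket,os,pty` — the usual shape of a one-liner that later calls `pty.spawn` — contains neither substring and is missed, even though the rule now accepts a bare `spawn` precisely to be more tolerant of how the call is written. Consider adding `- ',pty'` and `- ', pty'` to that list (both are substrings of the combined form), and a comment such as `# 'spawn' is kept generic on purpose: pty.spawn may be called through an alias or a variable` so the loosened `selection_cli_spawn` is not "tightened back" later. The drop to `level: medium` is consistent with the broader `spawn` match.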
@@ -1,15 +1,16 @@
-title: Potential Python Reverse Shell
+title: Python Reverse Shell Execution Via PTY And Socket Modules
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
- id: c4042d54-110d-45dd-a0e1-05c47822c937
type: similar
status: test
-description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell
+description: |
+ Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
references:
- - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-24
+modified: 2024-11-04
tags:
- attack.execution
logsource:
@@ -22,7 +23,8 @@ detection:
- ' -c '
- 'import'
- 'pty'
- - 'spawn('
+ - 'socket'
+ - 'spawn'
- '.connect'
condition: selection
falsepositives:
From 5d1cf4b9de60859cdbd8801703a5a001ee5b8ab9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 13 Nov 2024 23:21:16 +0100
Subject: [PATCH 092/144] Merge PR #5076 from @Neo23x0 - Fix `Suspicious SYSTEM User Process Creation`
fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script
---
.../proc_creation_win_susp_system_user_anomaly.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 3996deda6cc..05427278224 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -7,7 +7,7 @@ references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
-modified: 2024-07-22
+modified: 2024-11-11
tags:
- attack.credential-access
- attack.defense-evasion
@@ -74,7 +74,10 @@ detection:
- 'MiniDump' # Process dumping method apart from procdump
- 'net user '
filter_main_ping:
- CommandLine|contains: 'ping 127.0.0.1 -n'
+ CommandLine|contains|all:
+ - 'ping'
+ - '127.0.0.1'
+ - ' -n '
filter_vs:
Image|endswith: '\PING.EXE'
ParentCommandLine|contains: '\DismFoDInstall.cmd'
From 4ec3e69de0feb042f0e18e0c3ada939812e72b4e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sun, 17 Nov 2024 23:44:45 +0100
Subject: [PATCH 093/144] Merge PR #5080 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench
---
.github/latest_archiver_output.md | 1042 ++++++++++++++--------
tests/rule-references.txt | 17 +
2 files changed, 533 insertions(+), 526 deletions(-)
diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md
index d699adc0d56..2e12880b4a0 100644
--- a/.github/latest_archiver_output.md
+++ b/.github/latest_archiver_output.md
@@ -1,6 +1,6 @@
# Reference Archiver Results
-Last Execution: 2024-11-01 02:08:46
+Last Execution: 2024-11-15 02:06:55
### Archiver Script Results
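Review bot: Rewriting `filter_main_ping` as `contains|all` of `'ping'`, `'127.0.0.1'` and `' -n '` widens the exclusion well beyond the original `ping 127.0.0.1 -n`: `ping` now also matches inside words (`mapping`, `shipping`, `sleeping`) and ` -n ` is a common switch, so any SYSTEM command line that happens to carry all three fragments is suppressed even when it is not a ping call — and since this is a filter, that is an evasion surface rather than a false positive. If the Google Updater script only differs in spacing or invokes `ping.exe`, anchoring the token as `- 'ping '` or `- 'ping.exe'` keeps the filter tied to the ping invocation; in either case a comment naming the observed shape, e.g. `# Google Updater uninstall script: ping 127.0.0.1 -n <count>`, lets the next maintainer re-tighten it. The keyword list this filter applies to (`'MiniDump'`, `'net user '`, …) begins above the hunk.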
@@ -11,570 +11,560 @@ N/A #### Already Archived References -- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ -- https://pentestlab.blog/tag/svchost/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 -- https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md -- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete -- https://ss64.com/nt/shell.html -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 -- https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview -- https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/ -- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ -- https://twitter.com/0gtweet/status/1720419490519752955 -- https://asec.ahnlab.com/en/78944/ -- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/ -- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf -- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ -- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 -- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa +- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue +- 
https://github.com/nettitude/SharpWSUS +- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html +- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- +- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a +- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 +- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file +- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things +- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ +- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction +- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/ +- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates #### Error While Archiving References -- https://paper.seebug.org/1495/ -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- 
https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 -- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ -- https://labs.withsecure.com/publications/kapeka -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://twitter.com/th3_protoCOL/status/1480621526764322817 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://github.com/embedi/CVE-2017-11882 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ -- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy -- https://linux.die.net/man/1/arecord -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 -- 
https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://github.com/nettitude/SharpWSUS -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- https://www.loobins.io/binaries/launchctl/ -- https://www.softperfect.com/products/networkscanner/ -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 -- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://ss64.com/mac/hdiutil.html -- https://gtfobins.github.io/gtfobins/git/#shell -- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address -- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- 
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 -- https://www.action1.com/documentation/ -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://twitter.com/TheDFIRReport/status/1482078434327244805 -- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://bazaar.abuse.ch/browse/tag/one/ -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 -- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 -- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication -- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://www.loobins.io/binaries/tmutil/ - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://gtfobins.github.io/gtfobins/awk/#shell +- https://github.com/0xthirteen/SharpMove/ +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://www.loobins.io/binaries/hdiutil/ +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- 
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ +- https://paper.seebug.org/1495/ +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer +- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://github.com/GhostPack/SharpDPAPI +- https://www.loobins.io/binaries/nscurl/ - https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://gtfobins.github.io/gtfobins/capsh/#shell -- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ -- https://gtfobins.github.io/gtfobins/c89/#shell -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- 
https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ +- https://redcanary.com/blog/msix-installers/ +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 -- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ -- https://gtfobins.github.io/gtfobins/nawk/#shell -- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior -- https://github.com/Ylianst/MeshAgent +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 +- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ +- 
https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- https://github.com/gentilkiwi/mimikatz +- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 - https://objective-see.org/blog/blog_0x1E.html -- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://twitter.com/1ZRR4H/status/1537501582727778304 -- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://gtfobins.github.io/gtfobins/python/#shell +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- 
https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://www.cyberciti.biz/faq/linux-remove-user-command/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://ss64.com/osx/sw_vers.html - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- https://tria.ge/220422-1nnmyagdf2/ -- https://tria.ge/220422-1pw1pscfdl/ -- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ +- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 - https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 - https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 -- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 -- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://gtfobins.github.io/gtfobins/c99/#shell -- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 -- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- https://twitter.com/standa_t/status/1808868985678803222 -- https://twitter.com/DTCERT/status/1712785421845790799 -- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ -- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://ngrok.com/blog-post/new-ngrok-domains +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://github.com/antonioCoco/RoguePotato +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- 
https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://blog.talosintelligence.com/uat-5647-romcom/ +- https://www.action1.com/documentation/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 -- https://gtfobins.github.io/gtfobins/gcc/#shell -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 -- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ +- 
https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ +- https://www.trustedsec.com/blog/art_of_kerberoast/ - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ -- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- https://localtonet.com/documents/supported-tunnels -- https://github.com/rapid7/metasploit-framework/issues/11337 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs -- https://x.com/Max_Mal_/status/1826179497084739829 -- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool -- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- 
https://tria.ge/240123-rapteaahhr/behavioral1 -- https://www.loobins.io/binaries/pbpaste/ -- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 -- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf -- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ - https://cloud.google.com/access-context-manager/docs/audit-logging -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- 
https://github.com/grayhatkiller/SharpExShell -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf - https://gtfobins.github.io/gtfobins/rsync/#shell -- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://asec.ahnlab.com/en/61000/ +- https://www.attackiq.com/2023/09/20/emulating-rhysida/ +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging +- 
https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ +- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://gtfobins.github.io/gtfobins/c99/#shell +- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml +- https://www.forensafe.com/blogs/runmrukey.html +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- https://gtfobins.github.io/gtfobins/c89/#shell - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://github.com/FalconForceTeam/SOAPHound -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://www.loobins.io/binaries/launchctl/ +- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 +- https://adsecurity.org/?p=3513 +- 
https://labs.withsecure.com/publications/kapeka +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://github.com/embedi/CVE-2017-11882 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac +- https://news.ycombinator.com/item?id=29504755 +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://boinc.berkeley.edu/ - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 -- https://twitter.com/Kostastsale/status/1480716528421011458 -- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain +- https://www.softperfect.com/products/networkscanner/ +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in +- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +- 
https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://tria.ge/240226-fhbe7sdc39/behavioral1 -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority -- https://redcanary.com/blog/msix-installers/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ -- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- 
https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html -- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ -- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things -- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction +- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://twitter.com/Cryptolaemus1/status/1517634855940632576 +- 
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ +- https://gtfobins.github.io/gtfobins/mawk/#shell +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://twitter.com/standa_t/status/1808868985678803222 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ +- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python - https://www.sans.org/cyber-security-summit/archives -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo -- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details +- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://ipurple.team/2024/07/15/sharphound-detection/ - https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC -- https://support.google.com/a/answer/9261439 -- https://boinc.berkeley.edu/ -- https://www.loobins.io/binaries/xattr/ -- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 -- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ -- https://tria.ge/240521-ynezpagf56/behavioral1 -- 
https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://gtfobins.github.io/gtfobins/mawk/#shell -- https://www.loobins.io/binaries/hdiutil/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://ipurple.team/2024/09/10/browser-stored-credentials/ -- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass -- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 -- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ -- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://adsecurity.org/?p=1785 -- 
https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- https://news.ycombinator.com/item?id=29504755 -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml -- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://gtfobins.github.io/gtfobins/find/#shell -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage -- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ -- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ -- https://www.trustedsec.com/blog/art_of_kerberoast/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging +- https://ss64.com/mac/chflags.html +- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://ipurple.team/2024/07/15/sharphound-detection/ -- https://tria.ge/240731-jh4crsycnb/behavioral2 -- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ +- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- 
https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- https://www.loobins.io/binaries/pbpaste/ +- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://gtfobins.github.io/gtfobins/git/#shell +- https://docs.microsoft.com/en-us/sql/tools/bcp-utility - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- 
https://malware.guide/browser-hijacker/remove-onelaunch-virus/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html - https://objective-see.org/blog/blog_0x6D.html -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult -- https://github.com/antonioCoco/RoguePotato +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set +- 
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response +- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ -- https://www.tenable.com/security/research/tra-2023-11 - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 -- https://twitter.com/MsftSecIntel/status/1737895710169628824 -- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html -- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ -- https://www.huntress.com/blog/attacking-mssql-servers -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://gtfobins.github.io/gtfobins/gawk/#shell -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://github.com/0xthirteen/SharpMove/ -- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ -- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://github.com/FalconForceTeam/SOAPHound +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization +- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://bazaar.abuse.ch/browse/tag/one/ +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 +- https://ipurple.team/2024/09/10/browser-stored-credentials/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://gtfobins.github.io/gtfobins/env/#shell +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 +- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://www.loobins.io/binaries/tmutil/ +- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html - https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- 
https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://gtfobins.github.io/gtfobins/awk/#shell +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- https://megatools.megous.com/ +- https://www.tarasco.org/security/pwdump_7/ +- 
https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 +- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ +- https://ss64.com/mac/hdiutil.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://twitter.com/th3_protoCOL/status/1480621526764322817 +- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://adsecurity.org/?p=1785 +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://gtfobins.github.io/gtfobins/nawk/#shell +- 
https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 - https://evasions.checkpoint.com/techniques/macos.html -- https://twitter.com/th3_protoCOL/status/1536788652889497600 -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- https://www.tenable.com/security/research/tra-2023-11 +- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy +- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- 
https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://trustedsec.com/blog/oops-i-udld-it-again +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://unit42.paloaltonetworks.com/chromeloader-malware/ +- https://ss64.com/nt/set.html +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 +- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ +- 
https://gtfobins.github.io/gtfobins/flock/#shell - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps -- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 -- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- https://www.loobins.io/binaries/nscurl/ -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns -- https://www.tarasco.org/security/pwdump_7/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- 
https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://www.huntress.com/blog/attacking-mssql-servers +- https://github.com/grayhatkiller/SharpExShell +- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ +- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf -- https://ss64.com/nt/set.html -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 +- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ +- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html +- https://www.anyviewer.com/help/remote-technical-support.html +- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://tria.ge/220422-1nnmyagdf2/ +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities +- 
https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 +- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ +- https://localtonet.com/documents/supported-tunnels - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html -- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v -- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- https://github.com/GhostPack/SharpDPAPI -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ -- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://github.com/Ylianst/MeshAgent +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- 
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml -- https://ngrok.com/blog-post/new-ngrok-domains -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://twitter.com/Cryptolaemus1/status/1517634855940632576 - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- https://github.com/gentilkiwi/mimikatz -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details -- https://redcanary.com/blog/threat-detection/process-masquerading/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 -- https://adsecurity.org/?p=3513 -- 
http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor +- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- 
https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- https://megatools.megous.com/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://learn.microsoft.com/en-us/windows/client-management/manage-recall +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 +- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://linux.die.net/man/1/arecord +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address +- https://twitter.com/DTCERT/status/1712785421845790799 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- 
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu +- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://twitter.com/TheDFIRReport/status/1482078434327244805 +- https://support.google.com/a/answer/9261439 - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://ss64.com/mac/chflags.html -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- 
https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ -- https://asec.ahnlab.com/en/61000/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://gtfobins.github.io/gtfobins/python/#shell -- 
https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ -- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- 
https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://asec.ahnlab.com/en/40263/ +- https://twitter.com/1ZRR4H/status/1537501582727778304 +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://tria.ge/220422-1pw1pscfdl/ +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ -- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://gtfobins.github.io/gtfobins/gcc/#shell +- 
https://twitter.com/Kostastsale/status/1646256901506605063?s=20 +- https://github.com/rapid7/metasploit-framework/issues/11337 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role - https://tria.ge/231023-lpw85she57/behavioral2 -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://asec.ahnlab.com/en/40263/ -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- https://securelist.com/network-tunneling-with-qemu/111803/ -- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 -- 
https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/ -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac -- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python -- https://www.cve.org/CVERecord?id=CVE-2024-1709 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a -- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 +- 
https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://www.loobins.io/binaries/xattr/ +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ - https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ -- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- https://gtfobins.github.io/gtfobins/flock/#shell -- https://ss64.com/osx/sw_vers.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) -- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://github.com/CICADA8-Research/RemoteKrbRelay -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- 
https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://www.anyviewer.com/help/remote-technical-support.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet -- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response -- https://gtfobins.github.io/gtfobins/env/#shell -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://blog.talosintelligence.com/uat-5647-romcom/ -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change -- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -- https://trustedsec.com/blog/oops-i-udld-it-again -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 +- https://gtfobins.github.io/gtfobins/find/#shell +- https://twitter.com/Kostastsale/status/1480716528421011458 +- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address diff --git a/tests/rule-references.txt b/tests/rule-references.txt index c0d417d3a2b..f626848facd 100644 --- a/tests/rule-references.txt +++ b/tests/rule-references.txt 
@@ -3842,3 +3842,20 @@ https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_4
 https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
 https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
 https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
+https://github.com/nettitude/SharpWSUS
+https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
+https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
+https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
+https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
+https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
+https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
+https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
+https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
+https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
+https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
+https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
+https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
From 503bd67fca163ea520cb8b3d4bb507592bc970f9 Mon Sep 17 00:00:00 2001
From: IsaacDunham <94355024+IsaacDunham@users.noreply.github.com>
Date: Sun, 17 Nov 2024 17:46:02 -0500
Subject: [PATCH 094/144] Merge PR #5077 from @IsaacDunham - Add `Potentially Suspicious Azure Front Door Connection`
new: Potentially Suspicious Azure Front Door Connection
---------
Co-authored-by: nasbench
---
 ...connection_win_susp_azurefd_connection.yml | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml
new file mode 100644
index 00000000000..ba54258df85
--- /dev/null
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml
@@ -0,0 +1,48 @@
+title: Potentially Suspicious Azure Front Door Connection
+id: 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4
+status: experimental
+description: |
+ Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
+ that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
+references:
+ - https://lots-project.com/site/2a2e617a75726566642e6e6574
+ - https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
+ - https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
+author: Isaac Dunham
+date: 2024-11-07
+tags:
+ - attack.t1102.002
+ - attack.t1090.004
+ - detection.threat-hunting
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ DestinationHostname|contains: 'azurefd.net'
+ filter_main_web_browsers:
+ Image|endswith:
+ - 'brave.exe'
+ - 'chrome.exe'
+ - 'chromium.exe'
+ - 'firefox.exe'
+ - 'msedge.exe'
+ - 'msedgewebview2.exe'
+ - 'opera.exe'
+ - 'vivaldi.exe'
+ filter_main_common_talkers:
+ Image|endswith: 'searchapp.exe' # Windows search service uses signifcant amount of Azure FD
+ filter_main_known_benign_domains:
+ DestinationHostname|contains:
+ - 'afdxtest.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
+ - 'fp-afd.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
+ - 'fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
+ - 'roxy.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
+ - 'powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net' # Used by VS Code; Cisco Umbrella top 1m
+ - 'storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net' # Used by Azure Storage Explorer; Cisco Umbrella top 1m
+ - 'graph.azurefd.net' # MS Graph; Cisco Umbrella top 1m
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Results are not inherently suspicious, but should be 
investigated during threat hunting for potential cloud C2.
+ - Organization-specific Azure Front Door endpoints
+level: medium
From 5aa899415b44023f46851a2a55a8696f6e115f2a Mon Sep 17 00:00:00 2001
From: Gameel Ali
Date: Mon, 18 Nov 2024 00:46:53 +0200
Subject: [PATCH 095/144] Merge PR #5075 from @MalGamy12 - Update `Potentially Suspicious Cabinet File Expansion`
update: Potentially Suspicious Cabinet File Expansion - Add new paths for built-in shares
---------
Co-authored-by: nasbench
---
 .../proc_creation_win_expand_cabinet_files.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
index 53a7bca6ac6..4fc249624dd 100644
--- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
@@ -7,7 +7,7 @@ references:
 - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
 author: Bhabesh Raj, X__Junior (Nextron Systems)
 date: 2021-07-30
-modified: 2024-03-05
+modified: 2024-11-13
 tags:
 - attack.defense-evasion
 - attack.t1218
@@ -21,12 +21,14 @@ detection:
 selection_folders_1:
 CommandLine|contains:
 - ':\Perflogs\'
+ - ':\ProgramData'
 - ':\Users\Public\'
+ - ':\Windows\Temp\'
+ - '\Admin$\'
+ - '\AppData\Local\Temp\'
+ - '\AppData\Roaming\'
+ - '\C$\'
 - '\Temporary Internet'
- - ':\ProgramData'
- - '\AppData\Local\Temp'
- - '\AppData\Roaming\Temp'
- - ':\Windows\Temp'
 selection_folders_2:
 - CommandLine|contains|all:
 - ':\Users\'
From 4e9ef005c2906b6d5b1de02e51affe733477e7c6 Mon Sep 17 00:00:00 2001
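Review bot: The browser filter in `filter_main_web_browsers` uses `Image|endswith` with bare basenames such as `'chrome.exe'`, so any image whose name merely ends in that text passes the filter, not only the browser itself; Sigma rules conventionally anchor on the path separator, `- '\chrome.exe'`, and the same applies to `'searchapp.exe'` in `filter_main_common_talkers`. `filter_main_known_benign_domains` has the same weakness in the other direction: `DestinationHostname|contains` on `'roxy.azurefd.net'` or `'graph.azurefd.net'` also excludes any Front Door endpoint whose hostname happens to end in those strings, which undercuts the hunting intent, so `endswith` with the full hostnames is the safer match. The inline comment on `searchapp.exe` also misspells "significant". A rewrite of the three filter blocks follows.

```yaml
    filter_main_web_browsers:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
    filter_main_common_talkers:
        Image|endswith: '\searchapp.exe' # Windows search service uses a significant amount of Azure FD
    filter_main_known_benign_domains:
        DestinationHostname|endswith:
            # … unchanged: the seven known-benign hostnames and their comments …
    condition: selection and not 1 of filter_main_*
```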
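Review bot: In the `@@ -21,12 +21,14 @@` hunk the new `'\C$\'` entry covers only the C-drive administrative share, whereas the neighbouring `'\Admin$\'` is drive-independent, so cabinet expansion sourced from another drive-letter share is not caught; either list the letters the organisation exposes or record the limitation with a comment such as `# Only the C$ share is covered; extend if other drive letters are exposed`. The re-added `':\ProgramData'` is the only entry in the list without a trailing backslash, so it also matches any sibling directory whose name starts with `ProgramData`; `':\ProgramData\'` would be consistent with the rest of the list. The enclosing `detection` block continues past the end of the hunk, which cuts `selection_folders_2` off after its first value.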
From: dan21san <98960305+dan21san@users.noreply.github.com>
Date: Mon, 18 Nov 2024 00:01:50 +0100
Subject: [PATCH 096/144] Merge PR #5061 from @dan21san - Update `Mail Forwarding/Redirecting Activity In O365`
update: Mail Forwarding/Redirecting Activity In O365 - Add additional parameters to increase coverage
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../audit/microsoft365_susp_email_forwarding_activity.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
index ab06ca5890c..c0a2ec12a01 100644
--- a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
+++ b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
@@ -4,8 +4,10 @@ status: test
 description: Detects email forwarding or redirecting acitivty in O365 Audit logs.
 references:
 - https://redcanary.com/blog/email-forwarding-rules/
+ - https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
 author: RedCanary Team (idea), Harjot Singh @cyb3rjy0t
 date: 2023-10-11
+modified: 2024-11-17
 tags:
 - attack.exfiltration
 - attack.t1020
@@ -31,9 +33,12 @@ detection:
 - 'New-InboxRule'
 - 'Set-InboxRule'
 Parameters|contains:
- - 'ForwardTo'
 - 'ForwardAsAttachmentTo'
+ - 'ForwardingAddress'
+ - 'ForwardingSmtpAddress'
+ - 'ForwardTo'
 - 'RedirectTo'
+ - 'RedirectToRecipients'
 condition: 1 of selection_*
 falsepositives:
 - False positives are expected from legitimate mail forwarding rules. You need organisation specific knowledge. Filter out the domains that are allowed as forwarding targets as well as any additional metadata that you can use for exclusion from trusted sources/targets in order to promote this to a potential detection rule.
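Review bot: `'RedirectToRecipients'` in the `@@ -31,9 +33,12 @@` hunk is redundant, because the existing `'RedirectTo'` entry already substring-matches it under the `contains` modifier; keeping it is harmless but reads as if the list held exact parameter names. `'ForwardingAddress'` and `'ForwardingSmtpAddress'` are mailbox-level parameters rather than inbox-rule parameters, so they presumably only add coverage if the operation list that starts above the hunk (cut off at its start) includes the corresponding mailbox cmdlet — a comment such as `# mailbox-level forwarding parameters; only effective with the matching Operation above` would make that dependency visible. Since the match is on the parameter name alone, clearing a forwarding address fires the rule as well as setting one, which the `falsepositives` text could mention. The `description` context line still spells "activity" as "acitivty".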
From 41a59142d7cc9c9f98a936f1f195898a36a17490 Mon Sep 17 00:00:00 2001
From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com>
Date: Mon, 18 Nov 2024 22:43:01 +0100
Subject: [PATCH 097/144] Merge PR #5081 from @cod3nym - Add `Potential File Extension Spoofing Using Right-to-Left Override`
new: Potential File Extension Spoofing Using Right-to-Left Override
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...ht_to_left_override_extension_spoofing.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
diff --git a/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
new file mode 100644
index 00000000000..abe674df87f
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml
@@ -0,0 +1,34 @@
+title: Potential File Extension Spoofing Using Right-to-Left Override
+id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
+related:
+ - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
+ type: derived
+status: experimental
+description: |
+ Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
+references:
+ - https://redcanary.com/blog/right-to-left-override/
+ - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
+author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)
+date: 2024-11-17
+tags:
+ - attack.execution
+ - attack.defense-evasion
+ - attack.t1036.002
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_rtlo_unicode:
+ TargetFilename|contains: '\u202e'
+ selection_extensions:
+ TargetFilename|contains:
+ - 'fpd..'
+ - 'nls..'
+ - 'vsc..'
+ - 'xcod.'
+ - 'xslx.'
+ condition: all of selection_*
+falsepositives:
+ - Filenames that contains scriptures such as arabic or hebrew might make use of this character
+level: high
From 6f4c6d70312c322ad920158d34769f714d273ed1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9gory=20Wychowaniec?=
Date: Wed, 20 Nov 2024 20:43:21 +0100
Subject: [PATCH 098/144] Merge PR #5054 from @gregorywychowaniec-zt - Update `App Assigned To Azure RBAC/Microsoft Entra Role`
update: App Assigned To Azure RBAC/Microsoft Entra Role - Add a constraint to limit the detection to service principal only
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 rules/cloud/azure/audit_logs/azure_app_role_added.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/cloud/azure/audit_logs/azure_app_role_added.yml b/rules/cloud/azure/audit_logs/azure_app_role_added.yml
index acfa45c0fd6..a0d240787e3 100644
--- a/rules/cloud/azure/audit_logs/azure_app_role_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_role_added.yml
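Review bot: The single-quoted value `'\u202e'` in `selection_rtlo_unicode` is the six literal characters backslash-u-2-0-2-e (YAML single quotes process no escapes, and Sigma keeps a backslash before a non-wildcard literally), not the U+202E code point, so the rule presumably only fires where the log pipeline serialises the character as a JSON-style escape; if the raw character is logged, the double-quoted form `"\u202e"`, which YAML decodes to the code point, is needed, and either way the choice deserves a comment such as `# Literal escape sequence as rendered by the log source; use "\u202e" if the raw code point is logged`. The `selection_extensions` entries would also benefit from a per-entry comment naming the extension each one spoofs: if they are meant to be the reversed text that follows the override character, `'xcod.'` and `'xslx.'` read as `.docx`/`.xlsx`, but `'fpd..'`, `'nls..'` and `'vsc..'` do not obviously correspond to a reversed `.pdf`/`.sln`/`.csv` (that would be `fdp.` and so on), so confirm these are intended and document their construction. The `falsepositives` line says "contains scriptures"; "contain scripts" is the intended wording.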
@@ -1,4 +1,4 @@
-title: App Role Added
+title: App Assigned To Azure RBAC/Microsoft Entra Role
 id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
 status: test
 description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
@@ -6,6 +6,7 @@ references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 date: 2022-07-19
+modified: 2024-11-04
 tags:
     - attack.persistence
     - attack.privilege-escalation
@@ -15,6 +16,7 @@ logsource:
     service: auditlogs
 detection:
     selection:
+        targetResources.type: 'Service Principal'
         properties.message:
             - Add member to role
             - Add eligible member to role
From d0e4e78f7a9d6db8624a6001a56597972d64b7d7 Mon Sep 17 00:00:00 2001
From: Nathan <37495851+AlbinoGazelle@users.noreply.github.com>
Date: Wed, 20 Nov 2024 11:44:32 -0800
Subject: [PATCH 099/144] Merge PR #5086 from @AlbinoGazelle - Update ESXCLI reference docs after Broadcom acquisition of VMWare chore: update broken references to ESXCLI rules
---
 .../proc_creation_lnx_esxcli_network_discovery.yml | 2 +-
 .../proc_creation_lnx_esxcli_permission_change_admin.yml | 2 +-
 .../proc_creation_lnx_esxcli_storage_discovery.yml | 2 +-
 .../proc_creation_lnx_esxcli_syslog_config_change.yml | 2 +-
 .../proc_creation_lnx_esxcli_system_discovery.yml | 2 +-
 .../proc_creation_lnx_esxcli_user_account_creation.yml | 2 +-
 .../process_creation/proc_creation_lnx_esxcli_vm_discovery.yml | 2 +-
 .../linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml | 2 +-
 .../proc_creation_lnx_esxcli_vsan_discovery.yml | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
index 01f9f2a1e7d..e38284e6c02 100644
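Review bot: The new `targetResources.type: 'Service Principal'` constraint narrows the rule to service-principal targets, but the description in the first hunk still says it detects when "an app" is assigned a role without mentioning that restriction; suggest appending `, limited to service principal targets` to the description. The field path and value literal are also worth confirming against the actual audit log schema: targetResources is an array of objects in Entra audit events, and whether it flattens to `targetResources.type` with a space-separated type string depends on the ingestion pipeline. A comment above the new line naming the log source the literal was taken from would make that assumption explicit.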
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
 references:
     - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
-    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
 author: Cedric Maurugeon
 date: 2023-09-04
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
index e0d84eb4083..935355215ac 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
@@ -3,7 +3,7 @@ id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
 status: test
 description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
 references:
-    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-04
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
index 112773edc9b..ba8a14992bc 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
@@ -5,7 +5,7 @@ description: Detects execution of the "esxcli" command with the "storage" flag i
 references:
     - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
     - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
-    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
 author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
 date: 2023-09-04
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
index 7a9aaa4022f..31fc23e0350 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects changes to the ESXi syslog configuration via "esxcli"
 references:
     - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
-    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
 author: Cedric Maurugeon
 date: 2023-09-04
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
index b3e56ea01d9..3774bc1fa37 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
 references:
     - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
-    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
 author: Cedric Maurugeon
 date: 2023-09-04
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
index fa7319486c7..569c45b8944 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
@@ -3,7 +3,7 @@ id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
 status: test
 description: Detects user account creation on ESXi system via esxcli
 references:
-    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
 author: Cedric Maurugeon
 date: 2023-08-22
 tags:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
index 503618cb215..2c8002469b3 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
 references:
     - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
-    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
     - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
     - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
 author: Cedric Maurugeon
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
index 9afeb12b41f..38611900366 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
 references:
     - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
-    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
     - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
     - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
 author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
index 844503adc2c..c0f07e128a7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
@@ -5,7 +5,7 @@ description: Detects execution of the "esxcli" command with the "vsan" flag in o
 references:
     - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
     - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
-    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
 author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
 date: 2023-09-04
 tags:
From d804e9cba10fa2e3bdabeca0cc330158c58de016 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 25 Nov 2024 09:30:14 +0100 Subject: [PATCH 100/144] Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac update: GALLIUM IOCs - remove custom dedicated hash fields update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields update: HackTool Named File Stream Created - remove custom dedicated hash fields update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields update: PUA - System Informer Driver Load - remove custom dedicated hash fields update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields update: WinDivert Driver Load - remove custom dedicated hash fields update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields update: Hacktool Execution - Imphash - remove custom dedicated hash fields update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields update: HackTool - Impersonate Execution - remove custom dedicated hash fields update: HackTool - LocalPotato Execution - remove custom dedicated hash fields update: HackTool - PCHunter Execution - remove custom dedicated hash fields update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields update: HackTool - Stracciatella Execution - remove custom dedicated hash fields update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields update: HackTool - UACMe Akagi Execution - remove custom dedicated 
hash fields update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields update: MpiExec Lolbin - remove custom dedicated hash fields update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields update: PUA - Nimgrab Execution - remove custom dedicated hash fields update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields update: PUA - Process Hacker Execution - remove custom dedicated hash fields update: PUA - System Informer Execution - remove custom dedicated hash fields update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields update: Renamed AdFind Execution - remove custom dedicated hash fields update: Renamed AutoIt Execution - remove custom dedicated hash fields update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields update: Renamed PAExec Execution - remove custom dedicated hash fields update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../driver_load_win_mal_poortry_driver.yml | 22 -- ...oad_win_vuln_avast_anti_rootkit_driver.yml | 6 +- .../driver_load_win_vuln_dell_driver.yml | 10 - .../driver_load_win_vuln_gigabyte_driver.yml | 14 +- .../driver_load_win_vuln_hw_driver.yml | 13 - .../driver_load_win_vuln_lenovo_driver.yml | 8 +- .../windows/proc_creation_win_apt_gallium.yml | 2 +- .../proc_creation_win_renamed_paexec.yml | 5 - .../proc_creation_win_apt_gallium_iocs.yml | 47 +-- ...e_load_malware_3cx_compromise_susp_dll.yml | 21 +- ...n_win_malware_3cx_compromise_execution.yml | 34 +- ...eate_stream_hash_hktl_generic_download.yml | 311 ++++++------------ .../driver_load_win_pua_process_hacker.yml | 25 +- .../driver_load_win_pua_system_informer.yml | 51 +-- .../driver_load_win_vuln_hevd_driver.yml | 19 
+- .../driver_load_win_vuln_winring0_driver.yml | 23 +- .../driver_load/driver_load_win_windivert.yml | 77 ++--- .../image_load_hktl_sharpevtmute.yml | 5 +- .../proc_creation_win_hktl_coercedpotato.yml | 14 +- .../proc_creation_win_hktl_createminidump.yml | 3 +- ...ation_win_hktl_execution_via_imphashes.yml | 269 +++++---------- .../proc_creation_win_hktl_gmer.yml | 6 +- .../proc_creation_win_hktl_handlekatz.yml | 11 +- .../proc_creation_win_hktl_impersonate.yml | 10 +- .../proc_creation_win_hktl_localpotato.yml | 5 +- .../proc_creation_win_hktl_pchunter.yml | 15 +- .../proc_creation_win_hktl_selectmyparent.yml | 7 +- ...ation_win_hktl_stracciatella_execution.yml | 4 +- .../proc_creation_win_hktl_sysmoneop.yml | 11 +- .../proc_creation_win_hktl_uacme.yml | 15 +- .../proc_creation_win_hktl_wce.yml | 11 +- .../proc_creation_win_lolbin_mpiexec.yml | 3 +- .../proc_creation_win_pua_frp.yml | 13 +- .../proc_creation_win_pua_iox.yml | 13 +- .../proc_creation_win_pua_nimgrab.yml | 6 +- .../proc_creation_win_pua_nps.yml | 13 +- .../proc_creation_win_pua_process_hacker.yml | 38 +-- .../proc_creation_win_pua_system_informer.yml | 25 +- ...mote_access_tools_netsupport_susp_exec.yml | 3 +- .../proc_creation_win_renamed_adfind.yml | 11 +- .../proc_creation_win_renamed_autoit.yml | 14 +- ...oc_creation_win_renamed_netsupport_rat.yml | 3 +- .../proc_creation_win_renamed_paexec.yml | 11 +- ...oc_creation_win_wmic_squiblytwo_bypass.yml | 6 +- tests/test_logsource.py | 32 +- 45 files changed, 380 insertions(+), 885 deletions(-) diff --git a/deprecated/windows/driver_load_win_mal_poortry_driver.yml b/deprecated/windows/driver_load_win_mal_poortry_driver.yml index 48f28f61fda..6caec819aa2 100644 --- a/deprecated/windows/driver_load_win_mal_poortry_driver.yml +++ b/deprecated/windows/driver_load_win_mal_poortry_driver.yml 
@@ -42,28 +42,6 @@ detection: - 'MD5=0f16a43f7989034641fd2de3eb268bf1' - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0' - 'MD5=909f3fc221acbe999483c87d9ead024a' - selection_hash: - - sha256: - - '0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc' - - '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c' - - '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104' - - 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c' - - '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4' - - 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497' - - sha1: - - '31cc8718894d6e6ce8c132f68b8caaba39b5ba7a' - - 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d' - - '6debce728bcff73d9d1d334df0c6b1c3735e295c' - - 'cc65bf60600b64feece5575f21ab89e03a728332' - - '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e' - - 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98' - - md5: - - '10f3679384a03cb487bda9621ceb5f90' - - '04a88f5974caa621cee18f34300fc08a' - - '6fcf56f6ca3210ec397e55f727353c4a' - - '0f16a43f7989034641fd2de3eb268bf1' - - 'ee6b1a79cb6641aa44c762ee90786fe0' - - '909f3fc221acbe999483c87d9ead024a' condition: 1 of selection* falsepositives: - Legitimate BIOS driver updates (should be rare) diff --git a/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml b/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml index d298daa1266..78d2eca21c7 100644 --- a/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml 
@@ -19,16 +19,12 @@ detection: - 'MD5=a179c4093d05a3e1ee73f6ff07f994aa' - 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' - 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1' - selection_other: - - md5: 'a179c4093d05a3e1ee73f6ff07f994aa' - - sha1: '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' - - sha256: '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1' driver_img: ImageLoaded|endswith: '\aswArPot.sys' driver_status: - Signed: 'false' - SignatureStatus: Expired - condition: 1 of selection* or all of driver_* + condition: selection_sysmon or all of driver_* falsepositives: - Unknown level: high diff --git a/deprecated/windows/driver_load_win_vuln_dell_driver.yml b/deprecated/windows/driver_load_win_vuln_dell_driver.yml index 8b3699e6151..54de81246a7 100644 --- a/deprecated/windows/driver_load_win_vuln_dell_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_dell_driver.yml @@ -26,16 +26,6 @@ detection: - 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25' - 'MD5=C996D7971C49252C582171D9380360F2' - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244' - selection_hash: - - sha256: - - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5' - - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' - - sha1: - - 'c948ae14761095e4d76b55d9de86412258be7afd' - - '10b30bdee43b3a2ec4aa63375577ade650269d25' - - md5: - - 'c996d7971c49252c582171d9380360f2' - - 'd2fd132ab7bbc6bbb87a84f026fa0244' condition: 1 of selection* falsepositives: - Legitimate BIOS driver updates (should be rare) diff --git a/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml b/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml index 65fc7e80a39..9fabbd75eb6 100644 --- a/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml 
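Review bot: In the avast hunk the surviving selection keeps its `selection_sysmon` name and the condition becomes `selection_sysmon or all of driver_*`, while the gigabyte and lenovo hunks of the same commit rename the equivalent selection to `selection` and use `condition: selection`; for consistency rename it here too, `selection:` with `condition: selection or all of driver_*`. The poortry, dell and hw hunks likewise keep `condition: 1 of selection*` after their second selection is removed, which appears to leave a single selection behind the wildcard (its name sits outside the visible context), so the same simplification would apply there if so. Since these deprecated rules now match only on the Sysmon-style `Hashes` field, a one-line comment above the remaining selection noting that dedicated md5/sha1/sha256 fields are intentionally no longer matched would explain the change to future readers.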
@@ -18,7 +18,7 @@ logsource: product: windows category: driver_load detection: - selection_sysmon: + selection: Hashes|contains: - 'MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3' - 'MD5=C832A4313FF082258240B61B88EFA025' @@ -26,17 +26,7 @@ detection: - 'SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46' - 'SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427' - 'SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B' - selection_other: - - md5: - - '9ab9f3b75a2eb87fafb1b7361be9dfb3' - - 'c832a4313ff082258240b61b88efa025' - - sha1: - - 'fe10018af723986db50701c8532df5ed98b17c39' - - '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46' - - sha256: - - '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427' - - 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b' - condition: 1 of selection* + condition: selection falsepositives: - Unknown level: high diff --git a/deprecated/windows/driver_load_win_vuln_hw_driver.yml b/deprecated/windows/driver_load_win_vuln_hw_driver.yml index 197602021de..cd053e89fc5 100644 --- a/deprecated/windows/driver_load_win_vuln_hw_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_hw_driver.yml @@ -28,19 +28,6 @@ detection: - 'MD5=3247014BA35D406475311A2EAB0C4657' - 'MD5=376B1E8957227A3639EC1482900D9B97' - 'MD5=45C2D133D41D2732F3653ED615A745C8' - selection_other: - - sha256: - - '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8' - - '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa' - - '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5' - - sha1: - - '74e4e3006b644392f5fcea4a9bae1d9d84714b57' - - '18f34a0005e82a9a1556ba40b997b0eae554d5fd' - - '4e56e0b1d12664c05615c69697a2f5c5d893058a' - - md5: - - '3247014ba35d406475311a2eab0c4657' - - '376b1e8957227a3639ec1482900d9b97' - - '45c2d133d41d2732f3653ed615a745c8' condition: 1 of selection* falsepositives: - Unknown 
diff --git a/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml b/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml index da246890da6..8beda59edd7 100644 --- a/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml +++ b/deprecated/windows/driver_load_win_vuln_lenovo_driver.yml @@ -16,16 +16,12 @@ logsource: category: driver_load product: windows detection: - selection_sysmon: + selection: Hashes|contains: - 'SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE' - 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F' - 'MD5=B941C8364308990EE4CC6EADF7214E0F' - selection_hash: - - sha256: 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' - - sha1: 'b89a8eef5aeae806af5ba212a8068845cafdab6f' - - md5: 'b941c8364308990ee4cc6eadf7214e0f' - condition: 1 of selection* + condition: selection falsepositives: - Legitimate driver loads (old driver that didn't receive an update) level: high diff --git a/deprecated/windows/proc_creation_win_apt_gallium.yml b/deprecated/windows/proc_creation_win_apt_gallium.yml index 1fd597db581..d32ba2dc31e 100644 --- a/deprecated/windows/proc_creation_win_apt_gallium.yml +++ b/deprecated/windows/proc_creation_win_apt_gallium.yml @@ -25,7 +25,7 @@ detection: - ':\Program Files(x86)\' - ':\Program Files\' legitimate_executable: - sha1: 'e570585edc69f9074cb5e8a790708336bd45ca0f' + Hashes|contains: 'SHA1=e570585edc69f9074cb5e8a790708336bd45ca0f' condition: legitimate_executable and not legitimate_process_path falsepositives: - Unknown diff --git a/deprecated/windows/proc_creation_win_renamed_paexec.yml b/deprecated/windows/proc_creation_win_renamed_paexec.yml index ee7785188fd..742cbe8849b 100644 --- a/deprecated/windows/proc_creation_win_renamed_paexec.yml +++ b/deprecated/windows/proc_creation_win_renamed_paexec.yml 
@@ -21,11 +21,6 @@ logsource: detection: selection: - Product|contains: 'PAExec' - - Imphash: - - 11D40A7B7876288F919AB819CC2D9802 - - 6444f8a34e99b8f7d9647de66aabe516 - - dfd6aa3f7b2b1035b76b718f1ddc689f - - 1a6cca4d5460b1710a12dea39e4a592c - Hashes|contains: - IMPHASH=11D40A7B7876288F919AB819CC2D9802 - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 diff --git a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml index f9741258feb..3e50597903c 100644 --- a/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml +++ b/rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml @@ -7,7 +7,7 @@ references: - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml author: Tim Burrell date: 2020-02-07 -modified: 2023-03-09 +modified: 2024-11-23 tags: - attack.credential-access - attack.command-and-control @@ -19,7 +19,7 @@ logsource: product: windows category: process_creation detection: - selection_sysmon: + selection: Hashes|contains: - 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd' - 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b' 
@@ -59,48 +59,7 @@ detection: - 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f' - 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de' - 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2' - selection_hashes: - - sha256: - - '9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd' - - '7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b' - - '657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5' - - '2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29' - - '52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77' - - 'a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3' - - '5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022' - - '6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883' - - '3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e' - - '1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7' - - 'fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1' - - '7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c' - - '178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945' - - '51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9' - - '889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79' - - '332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf' - - '44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08' - - '63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef' - - '056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070' - - sha1: - - '53a44c2396d15c3a03723fa5e5db54cafd527635' - - '9c5e496921e3bc882dc40694f1dcc3746a75db19' - - 'aeb573accfd95758550cf30bf04f389a92922844' - - '79ef78a797403a4ed1a616c68e07fff868a8650a' - - '4f6f38b4cec35e895d91c052b1f5a83d665c2196' - - '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d' - - 'e841a63e47361a572db9a7334af459ddca11347a' - - 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d' - - '2e94b305d6812a9f96e6781c888e48c7fb157b6b' - - 
'dd44133716b8a241957b912fa6a02efde3ce3025' - - '8793bf166cb89eb55f0593404e4e933ab605e803' - - 'a39b57032dbb2335499a51e13470a7cd5d86b138' - - '41cc2b15c662bc001c0eb92f6cc222934f0beeea' - - 'd209430d6af54792371174e70e27dd11d3def7a7' - - '1c6452026c56efd2c94cea7e0f671eb55515edb0' - - 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a' - - '4923d460e22fbbf165bbbaba168e5a46b8157d9f' - - 'f201504bd96e81d0d350c3a8332593ee1c9e09de' - - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2' - condition: 1 of selection_* + condition: selection falsepositives: - Unknown level: high diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml index 05341bdc13f..a2e3c3f3a90 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml @@ -21,6 +21,7 @@ references: - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-03-31 +modified: 2024-11-23 tags: - attack.defense-evasion - detection.emerging-threats @@ -28,7 +29,7 @@ logsource: category: image_load product: windows detection: - selection_hashes_1: + selection: Hashes|contains: # ffmpeg.dll - 'SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896' 
@@ -46,23 +47,7 @@ detection: - 'SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423' - 'SHA1=3B3E778B647371262120A523EB873C20BB82BEAF' - 'MD5=7FAEA2B01796B80D180399040BB69835' - selection_hashes_2: - - sha256: - - '7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896' - - '11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03' - - 'F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952' - - '8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423' - - sha1: - - 'BF939C9C261D27EE7BB92325CC588624FCA75429' - - '20D554A80D759C50D6537DD7097FED84DD258B3E' - - '894E7D4FFD764BB458809C7F0643694B036EAD30' - - '3B3E778B647371262120A523EB873C20BB82BEAF' - - md5: - - '74BC2D0B6680FAA1A5A76B27E5479CBC' - - '82187AD3F0C6C225E2FBA0C867280CC9' - - '11BC82A9BD8297BD0823BCE5D6202082' - - '7FAEA2B01796B80D180399040BB69835' - condition: 1 of selection_* + condition: selection falsepositives: - Unlikely level: critical diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml index 187e04614a6..bc7941a8d4c 100644 --- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml +++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml @@ -21,7 +21,7 @@ references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-03-29 -modified: 2023-03-31 +modified: 2024-11-23 tags: - attack.defense-evasion - attack.t1218 @@ -31,7 +31,7 @@ logsource: category: process_creation product: windows detection: - selection_hashes_1: + selection_hashes: Hashes|contains: # 3CX Desktop 18.12.407 - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC' 
@@ -60,41 +60,13 @@ detection:
 - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
 - 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
 - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
- selection_hashes_2:
- - sha256:
- - 'DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
- - '54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
- - 'D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
- - 'FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
- - '5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
- - 'A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
- - 'AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
- - '59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
- - sha1:
- - '480DC408EF50BE69EBCF84B95750F7E93A8A1859'
- - '3B43A5D8B83C637D00D769660D01333E88F5A187'
- - '6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
- - 'E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
- - '8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
- - '413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
- - 'BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
- - 'BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
- - md5:
- - 'BB915073385DD16A846DFA318AFA3C19'
- - '08D79E1FFFA244CC0DC61F7D2036ACA9'
- - '4965EDF659753E3C05D800C6C8A23A7A'
- - '9833A4779B69B38E3E51F04E395674C6'
- - '704DB9184700481A56E5100FB56496CE'
- - '8EE6802F085F7A9DF7E0303E65722DC0'
- - 'F3D4144860CA10BA60F7EF4D176CC736'
- - '0EEB1C0133EB4D571178B2D9D14CE3E9'
 selection_pe_1:
 - OriginalFileName: '3CXDesktopApp.exe'
 - Image|endswith: '\3CXDesktopApp.exe'
 - Product: '3CX Desktop App'
 selection_pe_2:
 FileVersion|contains: '18.12.'
- condition: all of selection_pe_* or 1 of selection_hashes_*
+ condition: all of selection_pe_* or selection_hashes
 falsepositives:
 - Legitimate usage of 3CXDesktopApp
 level: high
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
index 9391e7301af..eb61e2c691a 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
@@ -16,7 +16,7 @@ references:
 - https://github.com/wavestone-cdt/EDRSandblast
 author: Florian Roth (Nextron Systems)
 date: 2022-08-24
-modified: 2024-01-02
+modified: 2024-11-23
 tags:
 - attack.defense-evasion
 - attack.s0139
@@ -27,212 +27,109 @@ logsource:
 definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
 selection:
- - Imphash:
- - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
- - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
- - bf6223a49e45d99094406777eb6004ba # PetitPotam
- - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
- - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
- - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
- - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
- - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
- - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
- - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
- - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
- - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
- - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
- - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
- - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
- - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
- - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
- - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
- - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
- - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
- - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
- - 6118619783fc175bc7ebecff0769b46e # RoguePotato
- - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
- - 563233bfa169acc7892451f71ad5850a # RoguePotato
- - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
- - 13f08707f759af6003837a150a371ba1 # Pwdump
- - 1781f06048a7e58b323f0b9259be798b # Pwdump
- - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
- - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
- - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
- - 713c29b396b907ed71a72482759ed757 # Pwdump
- - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
- - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
- - 8b114550386e31895dfab371e741123d # Pwdump
- - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
- - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
- - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
- - cb567f9498452721d77a451374955f5f # Pwdump
- - 730073214094cd328547bf1f72289752 # Htran
- - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
- - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
- - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
- - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
- - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
- - 0588081ab0e63ba785938467e1b10cca # PPLDump
- - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
- - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
- - 4da924cf622d039d58bce71cdf05d242 # NanoDump
- - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
- - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
- - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
- - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
- - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
- - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
- - e6f9d5152da699934b30daab206471f6 # NanoDump
- - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
- - ffdd59e0318b85a3e480874d9796d872 # NanoDump
- - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
- - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
- - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
- - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
- - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
- - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
- - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
- - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
- - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
- - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
- - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
- - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
- - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
- - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
- - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
- - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
- - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
- - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
- - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
- - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
- - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
- - a53a02b997935fd8eedcb5f7abab9b9f # WCE
- - e96a73c7bf33a464c510ede582318bf2 # WCE
- - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
- - 09D278F9DE118EF09163C6140255C690 # Dumpert
- - 03866661686829d806989e2fc5a72606 # Dumpert
- - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- - 19584675d94829987952432e018d5056 # SysmonQuiet
- - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
- - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
- - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
- - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
- - 96df3a3731912449521f6f8d183279b1 # Backstab
- - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab
- - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab
- - 25ce42b079282632708fc846129e98a5 # Forensia
- - 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast
- - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast
- - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast
- - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast
- - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast
- - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast
- - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast
- - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer
- - Hash|contains: # Sysmon field hashes contains all types
- - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
- - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
- - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
- - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
- - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
- - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
- - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
- - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
- - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
- - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
- - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
- - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
- - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
- - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
- - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
- - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- - IMPHASH=730073214094CD328547BF1F72289752 # Htran
- - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
+ Hash|contains: # Sysmon field hashes contains all types
+ - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
+ - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
+ - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
+ - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
+ - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
+ - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
+ - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
+ - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
+ - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
+ - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
+ - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
+ - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
+ - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
+ - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
+ - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
+ - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
+ - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
+ - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
+ - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
+ - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
+ - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
+ - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
+ - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
+ - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
+ - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
+ - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
+ - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
+ - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
+ - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
+ - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
+ - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
+ - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
+ - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
+ - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
+ - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
+ - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
+ - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
+ - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
+ - IMPHASH=730073214094CD328547BF1F72289752 # Htran
+ - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
+ - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
+ - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
+ - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
+ - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
+ - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
+ - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
+ - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
+ - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
+ - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
+ - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
+ - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
+ - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
+ - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
+ - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
+ - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
+ - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
+ - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
+ - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
+ - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
+ - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
+ - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
+ - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
+ - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
+ - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
+ - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
+ - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
+ - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
+ - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
+ - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
+ - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
+ - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
+ - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
+ - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
+ - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
+ - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
+ - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
+ - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
+ - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
+ - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
+ - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
+ - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
+ - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
+ - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
+ - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+ - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+ - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+ - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+ - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
+ - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
+ - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
+ - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
+ - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
+ - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
+ - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
+ - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
+ - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
+ - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
+ - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
+ - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
+ - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
+ - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
+ - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
index eccbd6cfe6d..e6987a0829a 100644
--- a/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml
@@ -9,7 +9,7 @@ references:
 - https://processhacker.sourceforge.io/
 author: Florian Roth (Nextron Systems)
 date: 2022-11-16
-modified: 2023-05-08
+modified: 2024-11-23
 tags:
 - attack.privilege-escalation
 - cve.2021-21551
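Review bot: Three entries in the new `Hash|contains` list keep lowercase hex (`IMPHASH=bf6223a49e45d99094406777eb6004ba`, `IMPHASH=03866661686829d806989e2fc5a72606`, `IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d`) while the other 99 are uppercase; Sigma string matching is case-insensitive by default, so this is cosmetic, but uppercasing them makes the list uniform and easier to diff against future additions. The retained inline comment reads awkwardly and could become `# Sysmon Hashes field carries all hash types, so match on the IMPHASH= prefix`. The `logsource.definition` line kept as context still says Imphash logging is required, which remains accurate now that only the `IMPHASH=` form is matched.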
@@ -18,21 +18,14 @@ logsource:
 category: driver_load
 product: windows
 detection:
- selection_image:
- ImageLoaded|endswith: '\kprocesshacker.sys'
- selection_processhack_sysmon:
- Hashes|contains:
- - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
- - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
- - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
- - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
- selection_processhack_hashes:
- Imphash:
- - '821D74031D3F625BCBD0DF08B70F1E77'
- - 'F86759BB4DE4320918615DC06E998A39'
- - '0A64EEB85419257D0CE32BD5D55C3A18'
- - '6E7B34DFC017700B1517B230DF6FF0D0'
- condition: 1 of selection_*
+ selection:
+ - ImageLoaded|endswith: '\kprocesshacker.sys'
+ - Hashes|contains:
+ - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
+ - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
+ - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
+ - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
+ condition: selection
 falsepositives:
 - Legitimate use of process hacker or system informer by developers or system administrators
 level: high
diff --git a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
index 10dfa7c4a5c..27b135255ad 100644
--- a/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
+++ b/rules/windows/driver_load/driver_load_win_pua_system_informer.yml
@@ -10,6 +10,7 @@ references:
 - https://github.com/winsiderss/systeminformer
 author: Florian Roth (Nextron Systems)
 date: 2023-05-08
+modified: 2024-11-23
 tags:
 - attack.privilege-escalation
 - attack.t1543
@@ -17,39 +18,23 @@ logsource:
 category: driver_load
 product: windows
 detection:
- selection_image:
- ImageLoaded|endswith: '\SystemInformer.sys'
- selection_systeminformer_sysmon:
- Hashes|contains:
- - 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
- - 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
- - 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
- - 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
- - 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
- - 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
- - 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
- - 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
- - 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
- - 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
- - 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
- - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
- - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
- selection_systeminformer_hashes:
- sha256:
- - '8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24'
- - 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454'
- - '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d'
- - 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b'
- - '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d'
- - '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34'
- - '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89'
- - '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb'
- - 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b'
- - '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97'
- - '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656'
- - 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4'
- - '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'
- condition: 1 of selection_*
+ selection:
+ - ImageLoaded|endswith: '\SystemInformer.sys'
+ - Hashes|contains:
+ - 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
+ - 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
+ - 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
+ - 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
+ - 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
+ - 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
+ - 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
+ - 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
+ - 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
+ - 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
+ - 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
+ - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
+ - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
+ condition: selection
 falsepositives:
 - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
 level: medium
diff --git a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
index cd35b93aa20..6ea75fa8223 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-18
-modified: 2022-11-19
+modified: 2024-11-23
 tags:
 - attack.privilege-escalation
 - attack.t1543.003
@@ -14,17 +14,12 @@ logsource:
 product: windows
 category: driver_load
 detection:
- selection_name:
- ImageLoaded|endswith: '\HEVD.sys'
- selection_sysmon:
- Hashes|contains:
- - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
- - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
- selection_other:
- Imphash:
- - 'f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
- - 'c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
- condition: 1 of selection*
+ selection:
+ - ImageLoaded|endswith: '\HEVD.sys'
+ - Hashes|contains:
+ - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
+ - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
+ condition: selection
 falsepositives:
 - Unlikely
 level: high
diff --git a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
index 56aa9a0e0ec..a844938bbf0 100644
--- a/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml
@@ -7,7 +7,7 @@ references:
 - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
 author: Florian Roth (Nextron Systems)
 date: 2022-07-26
-modified: 2022-11-19
+modified: 2024-11-23
 tags:
 - attack.privilege-escalation
 - attack.t1543.003
@@ -15,18 +15,15 @@ logsource:
 product: windows
 category: driver_load
 detection:
- selection_name:
- ImageLoaded|endswith:
- - '\WinRing0x64.sys'
- - '\WinRing0.sys'
- - '\WinRing0.dll'
- - '\WinRing0x64.dll'
- - '\winring00x64.sys'
- selection_sysmon:
- Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
- selection_other:
- Imphash: 'd41fa95d4642dc981f10de36f4dc8cd7'
- condition: 1 of selection*
+ selection:
+ - Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
+ - ImageLoaded|endswith:
+ - '\WinRing0x64.sys'
+ - '\WinRing0.sys'
+ - '\WinRing0.dll'
+ - '\WinRing0x64.dll'
+ - '\winring00x64.sys'
+ condition: selection
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/driver_load/driver_load_win_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml
index 43a6d033500..2b08c4ac885 100644
--- a/rules/windows/driver_load/driver_load_win_windivert.yml
+++ b/rules/windows/driver_load/driver_load_win_windivert.yml
@@ -7,7 +7,7 @@ references:
 - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
 author: Florian Roth (Nextron Systems)
 date: 2021-07-30
-modified: 2022-11-19
+modified: 2024-11-23
 tags:
 - attack.collection
 - attack.defense-evasion
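Review bot: The new `selection` list puts `Hashes|contains` before `ImageLoaded|endswith`, the reverse of the order the sibling driver_load rules in this commit use (kprocesshacker, SystemInformer and HEVD all list the image name first); swapping the two entries keeps the family consistent and does not change matching, since the list items are alternatives. Dropping the `Imphash` field also means the lowercase `d41fa95d...` form is no longer matched outside the `Hashes` string, which is fine only where the event source populates that field. A one-line `definition` in `logsource` stating the Sysmon Hashes requirement, as the create_stream_hash rule carries, would document that assumption if none already exists above the hunk.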
@@ -18,54 +18,33 @@ logsource:
 product: windows
 detection:
 selection:
- ImageLoaded|contains:
- - '\WinDivert.sys'
- - '\WinDivert64.sys'
- # Other used names
- - '\NordDivert.sys'
- - '\lingtiwfp.sys'
- - '\eswfp.sys'
- selection_sysmon:
- Hashes|contains:
- - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
- - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
- - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
- - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
- - 'IMPHASH=58623490691babe8330adc81cd04a663'
- - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
- - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
- - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
- - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
- - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
- - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
- - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
- - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
- - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
- - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
- - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
- - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
- - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
- selection_hashes:
- Imphash:
- - '0604bb7cb4bb851e2168d5c7d9399087'
- - '2e5f0e649d97f32b03c09e4686d0574f'
- - '52f8aa269f69f0edad9e8fcdaedce276'
- - 'c0e5d314da39dbf65a2dbff409cc2c76'
- - '58623490691babe8330adc81cd04a663'
- - '8ee39b48656e4d6b8459d7ba7da7438b'
- - '45ee545ae77e8d43fc70ede9efcd4c96'
- - 'a1b2e245acd47e4a348e1a552a02859a'
- - '2a5f85fe4609461c6339637594fa9b0a'
- - '6b2c6f95233c2914d1d488ee27531acc'
- - '9f2fdd3f9ab922bbb0560a7df46f4342'
- - 'd8a719865c448b1bd2ec241e46ac1c88'
- - '0ea54f8c9af4a2fe8367fa457f48ed38'
- - '9d519ae0a0864d6d6ae3f8b6c9c70af6'
- - 'a74929edfc3289895e3f2885278947ae'
- - 'a66b476c2d06c370f0a53b5537f2f11e'
- - 'bdcd836a46bc2415773f6b5ea77a46e4'
- - 'c28cd6ccd83179e79dac132a553693d9'
- condition: 1 of selection*
+ - ImageLoaded|contains:
+ - '\WinDivert.sys'
+ - '\WinDivert64.sys'
+ # Other used names
+ - '\NordDivert.sys'
+ - '\lingtiwfp.sys'
+ - '\eswfp.sys'
+ - Hashes|contains:
+ - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
+ - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
+ - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
+ - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
+ - 'IMPHASH=58623490691babe8330adc81cd04a663'
+ - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
+ - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
+ - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
+ - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
+ - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
+ - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
+ - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
+ - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
+ - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
+ - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
+ - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
+ - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
+ - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
+ condition: selection
 falsepositives:
 - Legitimate WinDivert driver usage
 level: high
diff --git a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
index c105113960b..c6f4f0f3b0a 100644
--- a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
+++ b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/bats3c/EvtMute
 author: Florian Roth (Nextron Systems)
 date: 2022-09-07
-modified: 2023-02-17
+modified: 2024-11-23
 tags:
 - attack.defense-evasion
 - attack.t1562.002
@@ -18,8 +18,7 @@ logsource:
 product: windows
 detection:
 selection:
- - Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
- - Imphash: '330768a4f172e10acb6287b87289d83b'
+ Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
 condition: selection
 falsepositives:
 - Other DLLs with the same Imphash
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
index d8e5173d0c1..3b96f699e55 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
@@ -7,7 +7,7 @@ references:
 - https://blog.hackvens.fr/articles/CoercedPotato.html
 author: Florian Roth (Nextron Systems)
 date: 2023-10-11
-modified: 2024-04-15
+modified: 2024-11-23
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -21,14 +21,10 @@ detection:
 selection_params:
 CommandLine|contains: ' --exploitId '
 selection_loader_imphash:
- - Imphash:
- - 'a75d7669db6b2e107a44c4057ff7f7d6'
- - 'f91624350e2c678c5dcbe5e1f24e22c9'
- - '14c81850a079a87e83d50ca41c709a15'
- - Hashes|contains:
- - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
- - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
- - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
+ Hashes|contains:
+ - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
+ - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
+ - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
 condition: 1 of selection_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
index 843f4ac159d..3ce12edb2f5 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml
@@ -6,7 +6,7 @@ references:
 - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
 author: Florian Roth (Nextron Systems)
 date: 2019-12-22
-modified: 2023-02-04
+modified: 2024-11-23
 tags:
 - attack.credential-access
 - attack.t1003.001
@@ -16,7 +16,6 @@ logsource:
 detection:
 selection:
 - Image|endswith: '\CreateMiniDump.exe'
- - Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
 - Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
 condition: selection
 falsepositives:
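Review bot: After this hunk the only match path left in createminidump's selection is `Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'`, whose hex digits are lowercase, while the Sysmon Hashes field is written in uppercase hex; the Sigma spec treats `contains` as case-insensitive, but any backend that emits a case-sensitive match will now miss where the deleted `Imphash` alternative used to cover. Normalising to `'IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F'`, as the coercedpotato hunk above already does, removes that dependency on backend behaviour. The same lowercase-only form survives in the mpiexec and wce hunks, the execution_via_imphashes list mixes `IMPHASH=bf6223a4…`, `IMPHASH=03866661…` and `IMPHASH=e57401fb…` into an otherwise uppercase list, and stracciatella's retained `SHA256=` values are lowercase too.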
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
index a1d8ff8d8a4..f58409ee183 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
@@ -6,7 +6,7 @@ references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022-03-04
-modified: 2024-02-07
+modified: 2024-11-23
 tags:
 - attack.credential-access
 - attack.t1588.002
@@ -16,184 +16,95 @@ logsource:
 product: windows
 detection:
 selection:
- - Imphash:
- - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
- - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
- - bf6223a49e45d99094406777eb6004ba # PetitPotam
- - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
- - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
- - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
- - 6118619783fc175bc7ebecff0769b46e # RoguePotato
- - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
- - 563233bfa169acc7892451f71ad5850a # RoguePotato
- - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
- - 13f08707f759af6003837a150a371ba1 # Pwdump
- - 1781f06048a7e58b323f0b9259be798b # Pwdump
- - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
- - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
- - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
- - 713c29b396b907ed71a72482759ed757 # Pwdump
- - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
- - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
- - 8b114550386e31895dfab371e741123d # Pwdump
- - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
- - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
- - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
- - cb567f9498452721d77a451374955f5f # Pwdump
- - 730073214094cd328547bf1f72289752 # Htran
- - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
- - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
- - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
- - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
- - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
- - 0588081ab0e63ba785938467e1b10cca # PPLDump
- - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
- - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
- - 4da924cf622d039d58bce71cdf05d242 # NanoDump
- - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
- - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
- - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
- - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
- - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
- - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
- - e6f9d5152da699934b30daab206471f6 # NanoDump
- - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
- - ffdd59e0318b85a3e480874d9796d872 # NanoDump
- - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
- - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
- - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
- - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
- - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
- - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
- - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
- - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
- - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
- - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
- - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
- - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
- - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
- - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
- - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
- - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
- - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
- - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
- - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
- - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
- - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
- - a53a02b997935fd8eedcb5f7abab9b9f # WCE
- - e96a73c7bf33a464c510ede582318bf2 # WCE
- - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
- - 09D278F9DE118EF09163C6140255C690 # Dumpert
- - 03866661686829d806989e2fc5a72606 # Dumpert
- - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- - 19584675d94829987952432e018d5056 # SysmonQuiet
- - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
- - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
- - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
- - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
- - 96df3a3731912449521f6f8d183279b1 # Backstab
- - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab
- - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab
- - 25ce42b079282632708fc846129e98a5 # Forensia
- - 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast
- - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast
- - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast
- - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast
- - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast
- - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast
- - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast
- - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer
- - b50199e952c875241b9ce06c971ce3c1 # EventLogCrasher
- - Hashes|contains: # Sysmon field hashes contains all types
- - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- - IMPHASH=730073214094CD328547BF1F72289752 # Htran
- - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
- - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
+ Hashes|contains: # Sysmon field hashes contains all types
+ - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
+ - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
+ - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
+ - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
+ - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
+ - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
+ - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
+ - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
+ - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
+ - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
+ - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
+ - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
+ - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
+ - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
+ - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
+ - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
+ - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
+ - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
+ - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
+ - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
+ - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
+ - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
+ - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
+ - IMPHASH=730073214094CD328547BF1F72289752 # Htran
+ - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
+ - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
+ - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
+ - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
+ - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
+ - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
+ - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
+ - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
+ - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
+ - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
+ - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
+ - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
+ - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
+ - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
+ - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
+ - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
+ - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
+ - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
+ - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
+ - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
+ - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
+ - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
+ - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
+ - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
+ - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
+ - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
+ - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
+ - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
+ - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
+ - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
+ - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
+ - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
+ - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
+ - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
+ - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
+ - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
+ - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
+ - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
+ - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
+ - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
+ - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
+ - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
+ - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
+ - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
+ - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+ - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+ - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+ - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+ - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
+ - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
+ - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
+ - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
+ - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
+ - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
+ - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
+ - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
+ - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
+ - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
+ - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
+ - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
+ - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
+ - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
+ - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
+ - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
 condition: selection
 falsepositives:
 - Legitimate use of one of these tools
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
index 37472dfda27..6c08ebdcc76 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
@@ -6,7 +6,7 @@ references:
 - http://www.gmer.net/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-05
-modified: 2023-02-13
+modified: 2024-11-23
 tags:
 - attack.defense-evasion
 logsource:
@@ -20,10 +20,6 @@ detection:
 - 'MD5=E9DC058440D321AA17D0600B3CA0AB04'
 - 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'
 - 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'
- selection_other:
- - md5: 'e9dc058440d321aa17d0600b3ca0ab04'
- - sha1: '539c228b6b332f5aa523e5ce358c16647d8bbe57'
- - sha256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
index 96532d62d1c..5037f155aac 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/codewhitesec/HandleKatz
 author: Florian Roth (Nextron Systems)
 date: 2022-08-18
-modified: 2024-04-15
+modified: 2024-11-23
 tags:
 - attack.credential-access
 - attack.t1003.001
@@ -18,12 +18,9 @@ detection:
 Image|endswith: '\loader.exe'
 CommandLine|contains: '--pid:'
 selection_loader_imphash:
- - Imphash:
- - '38d9e015591bbfd4929e0d0f47fa0055'
- - '0e2216679ca6e1094d63322e3412d650'
- - Hashes|contains:
- - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
- - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
+ Hashes|contains:
+ - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
+ - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
 selection_flags:
 CommandLine|contains|all:
 - '--pid:'
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
index 6e60530eb8a..37cef8dcf51 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/sensepost/impersonate
 author: Sai Prashanth Pulisetti @pulisettis
 date: 2022-12-21
-modified: 2023-02-08
+modified: 2024-11-23
 tags:
 - attack.privilege-escalation
 - attack.defense-evasion
@@ -24,16 +24,12 @@ detection:
 - ' list '
 - ' exec '
 - ' adduser '
- selection_hash_plain:
+ selection_hash:
 Hashes|contains:
 - 'MD5=9520714AB576B0ED01D1513691377D01'
 - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
 - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
- selection_hash_ext:
- - md5: '9520714AB576B0ED01D1513691377D01'
- - sha256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
- - Imphash: '0A358FFC1697B7A07D0E817AC740DF62'
- condition: all of selection_commandline_* or 1 of selection_hash_*
+ condition: all of selection_commandline_* or selection_hash
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
index 0562b0755b1..546fc5bbb6f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
@@ -7,6 +7,7 @@ references:
 - https://github.com/decoder-it/LocalPotato
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-14
+modified: 2024-11-23
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -25,10 +26,6 @@ detection:
 Hashes|contains:
 - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
 - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
- selection_hash_ext:
- Imphash:
- - 'E1742EE971D6549E8D4D81115F88F1FC'
- - 'DD82066EFBA94D7556EF582F247C8BB5'
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
index 73034df1690..9b6aad13359 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml
@@ -8,7 +8,7 @@ references:
 - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022-10-10
-modified: 2023-02-13
+modified: 2024-11-23
 tags:
 - attack.execution
 - attack.discovery
@@ -38,19 +38,6 @@ detection:
 - 'MD5=228DD0C2E6287547E26FFBD973A40F14'
 - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
 - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
- selection_hash_values:
- - md5:
- - '228dd0c2e6287547e26ffbd973a40f14'
- - '987b65cd9b9f4e9a1afd8f8b48cf64a7'
- - sha1:
- - '5f1cbc3d99558307bc1250d084fa968521482025'
- - '3fb89787cb97d902780da080545584d97fb1c2eb'
- - sha256:
- - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32'
- - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c'
- - Imphash:
- - '444d210cea1ff8112f256a4997eed7ff'
- - '0479f44df47cfa2ef1ccc4416a538663'
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
index 3adbb501d27..619cac573fc 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml
@@ -9,7 +9,7 @@ references:
 - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
 author: Florian Roth (Nextron Systems)
 date: 2022-07-23
-modified: 2023-03-07
+modified: 2024-11-23
 tags:
 - attack.defense-evasion
 - attack.t1134.004
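Review bot: The deleted `selection_hash_values` block in pchunter carried eight distinct values (two each of md5, sha1, sha256 and Imphash), but the retained `Hashes|contains` context only shows `MD5=228DD0C2…`, `SHA256=55F041BF…` and `IMPHASH=0479F44D…`; the earlier lines of that list lie outside the hunk, so verify that `987b65cd…`, both SHA1s, `2b214bdd…` and `444d210c…` are present there, otherwise this hunk silently narrows the rule to a single PCHunter build. The same check applies to the selectmyparent hunk (four removed imphashes, two visible in the retained list) and the uacme hunk (eleven removed, three visible). If any value is intentionally dropped, the `modified` bump alone does not record it; a short note in the rule's description or the PR text would.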
@@ -37,11 +37,6 @@ detection:
 - 'spoofppid'
 - 'spoofedppid'
 - Description: 'SelectMyParent'
- - Imphash:
- - '04d974875bd225f00902b4cad9af3fbc'
- - 'a782af154c9e743ddf3f3eb2b8f3d16e'
- - '89059503d7fbf470e68f7e63313da3ad'
- - 'ca28337632625c8281ab8a130b3d6bad'
 - Hashes|contains:
 - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'
 - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
index bf261ee3de5..c700138b6af 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/mgeeky/Stracciatella
 author: pH-T (Nextron Systems)
 date: 2023-04-17
+modified: 2024-11-23
 tags:
 - attack.execution
 - attack.defense-evasion
@@ -22,9 +23,6 @@ detection:
 - Hashes|contains:
 - 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
 - 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
- - sha256:
- - '9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
- - 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
index 479fd4e84a9..d9bdcabccd1 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/Wh04m1001/SysmonEoP
 author: Florian Roth (Nextron Systems)
 date: 2022-12-04
-modified: 2024-04-15
+modified: 2024-11-23
 tags:
 - cve.2022-41120
 - attack.t1068
@@ -18,12 +18,9 @@ detection:
 selection_img:
 Image|endswith: '\SysmonEOP.exe'
 selection_hash:
- - Hashes|contains:
- - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
- - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
- - Imphash:
- - '22f4089eb8aba31e1bb162c6d9bf72e5'
- - '5123fa4c4384d431cd0d893eeb49bbec'
+ Hashes|contains:
+ - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
+ - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
 condition: 1 of selection_*
 falsepositives:
 - Unlikely
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
index 26f73345f5e..de6f7fea237 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2021-08-30
-modified: 2022-11-19
+modified: 2024-11-23
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -46,19 +46,6 @@ detection:
 - 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
 - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
 - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
- selection_hashes_other:
- Imphash:
- - '767637c23bb42cd5d7397cf58b0be688'
- - '14c4e4c72ba075e9069ee67f39188ad8'
- - '3c782813d4afce07bbfc5a9772acdbdc'
- - '7d010c6bb6a3726f327f7e239166d127'
- - '89159ba4dd04e4ce5559f132a9964eb3'
- - '6f33f4a5fc42b8cec7314947bd13f30f'
- - '5834ed4291bdeb928270428ebbaf7604'
- - '5a8a8a43f25485e7ee1b201edcbc7a38'
- - 'dc7d30b90b2d8abf664fbed2b1b59894'
- - '41923ea1f824fe63ea5beb84db7a3e74'
- - '3de09703c8e79ed2ca3f01074719906b'
 condition: 1 of selection_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml
index 71036a587a1..df6647bdebe 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_wce.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_wce.yml
@@ -6,7 +6,7 @@ references:
 - https://www.ampliasecurity.com/research/windows-credentials-editor/
 author: Florian Roth (Nextron Systems)
 date: 2019-12-31
-modified: 2023-02-04
+modified: 2024-11-23
 tags:
 - attack.credential-access
 - attack.t1003.001
@@ -16,12 +16,9 @@ logsource:
 product: windows
 detection:
 selection_1:
- - Imphash:
- - a53a02b997935fd8eedcb5f7abab9b9f
- - e96a73c7bf33a464c510ede582318bf2
- - Hashes|contains: # Sysmon field hashes contains all types
- - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
- - IMPHASH=e96a73c7bf33a464c510ede582318bf2
+ Hashes|contains: # Sysmon field hashes contains all types
+ - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
+ - IMPHASH=e96a73c7bf33a464c510ede582318bf2
 selection_2:
 CommandLine|endswith: '.exe -S'
 ParentImage|endswith: '\services.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
index b68553abebc..d1d47f27357 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
@@ -7,7 +7,7 @@ references:
 - https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
 author: Florian Roth (Nextron Systems)
 date: 2022-01-11
-modified: 2022-03-04
+modified: 2024-11-23
 tags:
 - attack.execution
 - attack.defense-evasion
@@ -18,7 +18,6 @@ logsource:
 detection:
 selection_binary:
 - Image|endswith: '\mpiexec.exe'
- - Imphash: 'd8b52ef6aaa3a81501bdfff9dbb96217'
 - Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'
 selection_flags:
 CommandLine|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_pua_frp.yml b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
index 19b5098c00a..b0e07ad75bb 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_frp.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_frp.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/fatedier/frp
 author: frack113, Florian Roth
 date: 2022-09-02
-modified: 2023-02-04
+modified: 2024-11-23
 tags:
 - attack.command-and-control
 - attack.t1090
@@ -23,13 +23,10 @@ detection:
 CommandLine|contains: '\frpc.ini'
 selection_hashes:
 # v0.44.0
- - Hashes|contains:
- - "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- - "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
- - md5: '7d9c233b8c9e3f0ea290d2b84593c842'
- - sha1: '06ddc9280e1f1810677935a2477012960905942f'
- - sha256: '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'
+ Hashes|contains:
+ - "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
+ - "SHA1=06DDC9280E1F1810677935A2477012960905942F"
+ - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use
diff --git a/rules/windows/process_creation/proc_creation_win_pua_iox.yml b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
index 3c4738818ba..d0c0ab9c543 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_iox.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_iox.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/EddieIvan01/iox
 author: Florian Roth (Nextron Systems)
 date: 2022-10-08
-modified: 2023-02-08
+modified: 2024-11-23
 tags:
 - attack.command-and-control
 - attack.t1090
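Review bot: The retained `Hashes|contains` values in frp's `selection_hashes` stay double-quoted (`"MD5=7D9C233B8C9E3F0EA290D2B84593C842"`) while every other hash list touched by this change uses single quotes; the strings contain no escape sequences, so `'MD5=7D9C233B8C9E3F0EA290D2B84593C842'` is equivalent and matches the surrounding convention. The iox and nps hunks below carry the same double-quoted lists and could be aligned in the same pass.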
@@ -24,13 +24,10 @@ detection: - '.exe proxy -r ' selection_hashes: # v0.4 - - Hashes|contains: - - "MD5=9DB2D314DD3F704A02051EF5EA210993" - - "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD" - - "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731" - - md5: '9db2d314dd3f704a02051ef5ea210993' - - sha1: '039130337e28a6623ecf9a0a3da7d92c5964d8dd' - - sha256: 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731' + Hashes|contains: + - "MD5=9DB2D314DD3F704A02051EF5EA210993" + - "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD" + - "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731" condition: 1 of selection* falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml index 3d3f0b8aa12..868659ae65e 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md author: frack113 date: 2022-08-28 -modified: 2023-02-13 +modified: 2024-11-23 tags: - attack.command-and-control - attack.t1105 @@ -21,10 +21,6 @@ detection: - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559 - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45 - selection_hash: - - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B - - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559 - - Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45 condition: 1 of selection_* falsepositives: - Legitimate use of Nim on a developer systems diff --git a/rules/windows/process_creation/proc_creation_win_pua_nps.yml b/rules/windows/process_creation/proc_creation_win_pua_nps.yml index f696f7a32ce..03077d5d981 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_nps.yml 
+++ b/rules/windows/process_creation/proc_creation_win_pua_nps.yml @@ -6,7 +6,7 @@ references: - https://github.com/ehang-io/nps author: Florian Roth (Nextron Systems) date: 2022-10-08 -modified: 2023-02-04 +modified: 2024-11-23 tags: - attack.command-and-control - attack.t1090 @@ -25,13 +25,10 @@ detection: CommandLine|contains: ' -config=npc' selection_hashes: # v0.26.10 - - Hashes|contains: - - "MD5=AE8ACF66BFE3A44148964048B826D005" - - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181" - - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856" - - md5: 'ae8acf66bfe3a44148964048b826d005' - - sha1: 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' - - sha256: '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856' + Hashes|contains: + - "MD5=AE8ACF66BFE3A44148964048B826D005" + - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181" + - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856" condition: 1 of selection_* falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml index 485cd79ae4c..f56f78b169d 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml @@ -13,7 +13,7 @@ references: - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ author: Florian Roth (Nextron Systems) date: 2022-10-10 -modified: 2023-12-11 +modified: 2024-11-23 tags: - attack.defense-evasion - attack.discovery @@ -26,7 +26,7 @@ logsource: category: process_creation product: windows detection: - selection_image: + selection: - Image|contains: '\ProcessHacker_' - Image|endswith: '\ProcessHacker.exe' - OriginalFileName: 
@@ -34,30 +34,16 @@ detection: - 'Process Hacker' - Description: 'Process Hacker' - Product: 'Process Hacker' - selection_hashes: - Hashes|contains: - - 'MD5=68F9B52895F4D34E74112F3129B3B00D' - - 'MD5=B365AF317AE730A67C936F21432B9C71' - - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D' - - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E' - - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F' - - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4' - - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462' - - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF' - selection_hash_values: - - md5: - - '68f9b52895f4d34e74112f3129b3b00d' - - 'b365af317ae730a67c936f21432b9c71' - - sha1: - - 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e' - - 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d' - - sha256: - - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f' - - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4' - - Imphash: - - '04de0ad9c37eb7bd52043d2ecac958df' - - '3695333c60dedecdcaff1590409aa462' - condition: 1 of selection_* + - Hashes|contains: + - 'MD5=68F9B52895F4D34E74112F3129B3B00D' + - 'MD5=B365AF317AE730A67C936F21432B9C71' + - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D' + - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E' + - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F' + - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4' + - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462' + - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF' + condition: selection falsepositives: - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis level: medium diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml index 42420aa9b2e..9d599252d2d 100644 
--- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml @@ -9,6 +9,7 @@ references: - https://github.com/winsiderss/systeminformer author: Florian Roth (Nextron Systems) date: 2023-05-08 +modified: 2024-11-23 tags: - attack.persistence - attack.privilege-escalation @@ -21,25 +22,19 @@ logsource: category: process_creation product: windows detection: - selection_image: + selection: - Image|endswith: '\SystemInformer.exe' - OriginalFileName: 'SystemInformer.exe' - Description: 'System Informer' - Product: 'System Informer' - selection_hashes: - Hashes|contains: - # Note: add other hashes as needed - # 3.0.11077.6550 - - 'MD5=19426363A37C03C3ED6FEDF57B6696EC' - - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC' - - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287' - - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12' - selection_hash_values: - - md5: '19426363A37C03C3ED6FEDF57B6696EC' - - sha1: '8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC' - - sha256: '8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287' - - Imphash: 'B68908ADAEB5D662F87F2528AF318F12' - condition: 1 of selection_* + - Hashes|contains: + # Note: add other hashes as needed + # 3.0.11077.6550 + - 'MD5=19426363A37C03C3ED6FEDF57B6696EC' + - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC' + - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287' + - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12' + condition: selection falsepositives: - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly level: medium diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml index 88b2be2998d..abfab0a376f 100644 
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml @@ -6,7 +6,7 @@ references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-09-19 -modified: 2023-03-05 +modified: 2024-11-23 tags: - attack.defense-evasion logsource: @@ -17,7 +17,6 @@ detection: - Image|endswith: '\client32.exe' - Product|contains: 'NetSupport Remote Control' - OriginalFileName|contains: 'client32.exe' - - Imphash: a9d50692e95b79723f3e76fcf70d023e - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e filter: Image|startswith: diff --git a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml index ea6b2b07db3..a0d2faf5987 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml @@ -11,7 +11,7 @@ references: - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md author: Florian Roth (Nextron Systems) date: 2022-08-21 -modified: 2023-02-14 +modified: 2024-11-23 tags: - attack.discovery - attack.t1018 @@ -44,12 +44,9 @@ detection: - 'computers_active' - 'computers_pwdnotreqd' selection_2: - - Imphash: - - bca5675746d13a1f246e2da3c2217492 - - 53e117a96057eaf19c41380d0e87f1c2 - - Hashes|contains: - - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492' - - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2' + Hashes|contains: + - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492' + - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2' selection_3: OriginalFileName: 'AdFind.exe' filter: 
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml index 71266141e31..c3dd2775f99 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml @@ -10,7 +10,7 @@ references: - https://www.autoitscript.com/site/ author: Florian Roth (Nextron Systems) date: 2023-06-04 -modified: 2023-09-19 +modified: 2024-11-23 tags: - attack.defense-evasion - attack.t1027 @@ -23,14 +23,10 @@ detection: - ' /AutoIt3ExecuteScript' - ' /ErrorStdOut' selection_2: - - Imphash: - - 'fdc554b3a8683918d731685855683ddf' # AutoIt v2 - doesn't cover all binaries - - 'cd30a61b60b3d60cecdb034c8c83c290' # AutoIt v2 - doesn't cover all binaries - - 'f8a00c72f2d667d2edbb234d0c0ae000' # AutoIt v3 - doesn't cover all binaries - - Hashes|contains: - - 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries - - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries - - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries + Hashes|contains: + - 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries + - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries + - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries selection_3: OriginalFileName: - 'AutoIt3.exe' diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml index b0ac2fd5ddf..41b356c4447 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml 
@@ -6,7 +6,7 @@ references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-09-19 -modified: 2023-02-04 +modified: 2024-11-23 tags: - attack.defense-evasion logsource: @@ -16,7 +16,6 @@ detection: selection: - Product|contains: 'NetSupport Remote Control' - OriginalFileName|contains: 'client32.exe' - - Imphash: a9d50692e95b79723f3e76fcf70d023e - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E filter: Image|endswith: '\client32.exe' diff --git a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml index 0866f475618..bc58e99e819 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml @@ -10,7 +10,7 @@ references: - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf author: Florian Roth (Nextron Systems), Jason Lynch date: 2021-05-22 -modified: 2023-02-14 +modified: 2024-11-23 tags: - attack.defense-evasion - attack.t1202 @@ -22,20 +22,15 @@ detection: - Description: 'PAExec Application' - OriginalFileName: 'PAExec.exe' - Product|contains: 'PAExec' - - Imphash: - - 11D40A7B7876288F919AB819CC2D9802 - - 6444f8a34e99b8f7d9647de66aabe516 - - dfd6aa3f7b2b1035b76b718f1ddc689f - - 1a6cca4d5460b1710a12dea39e4a592c - Hashes|contains: - IMPHASH=11D40A7B7876288F919AB819CC2D9802 - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c - filter: + filter_main_known_location: - Image|endswith: '\paexec.exe' - Image|startswith: 'C:\Windows\PAExec-' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Weird admins that rename their tools - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing 
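Review bot: In the `@@ -22,20 +22,15 @@` hunk of proc_creation_win_renamed_paexec.yml the IMPHASH values kept under `Hashes|contains` are mixed case (`IMPHASH=11D40A7B…` uppercase, the other three lowercase), while the other rules touched by this commit (renamed_adfind, renamed_autoit) normalize the same field to uppercase and the hktl_wce hunk keeps it lowercase. Sigma string matching is case-insensitive, so this is cosmetic, but a consistent form such as `- IMPHASH=6444F8A34E99B8F7D9647DE66AABE516` keeps the rule set greppable when a hash has to be traced across rules. The renamed `filter_main_known_location` and the `1 of filter_main_*` condition follow the naming used elsewhere in this commit, so no change is needed there.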
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml index 305acaae6fb..6799b2ebe4c 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml @@ -9,7 +9,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Wmic/ author: Markus Neis, Florian Roth date: 2019-01-16 -modified: 2023-02-15 +modified: 2024-11-23 tags: - attack.defense-evasion - attack.t1047 @@ -24,10 +24,6 @@ detection: selection_pe: - Image|endswith: '\wmic.exe' - OriginalFileName: 'wmic.exe' - - Imphash: - - 1B1A3F43BF37B5BFE60751F2EE2F326E - - 37777A96245A3C74EB217308F3546F4C - - 9D87C9D67CE724033C0B40CC4CA1B206 - Hashes|contains: # Sysmon field hashes contains all types - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E - IMPHASH=37777A96245A3C74EB217308F3546F4C diff --git a/tests/test_logsource.py b/tests/test_logsource.py index e5426ae4382..022836c34f3 100644 --- a/tests/test_logsource.py +++ b/tests/test_logsource.py 
@@ -282,22 +282,22 @@ def load_fields_json(name: str): # Add common field for product in data: for category in data[product]["category"]: - if "Hashes" in data[product]["category"][category]: - data[product]["category"][category] += [ - "md5", - "sha1", - "sha256", - "Imphash", - ] - if ( - "Hash" in data[product]["category"][category] - ): # Sysmon 15 create_stream_hash - data[product]["category"][category] += [ - "md5", - "sha1", - "sha256", - "Imphash", - ] + # if "Hashes" in data[product]["category"][category]: + # data[product]["category"][category] += [ + # "md5", + # "sha1", + # "sha256", + # "Imphash", + # ] + # if ( + # "Hash" in data[product]["category"][category] + # ): # Sysmon 15 create_stream_hash + # data[product]["category"][category] += [ + # "md5", + # "sha1", + # "sha256", + # "Imphash", + # ] if "common" in data[product].keys(): data[product]["category"][category] += data[product]["common"] for service in data[product]["service"]: From 374f00350761a05cd2b1513cd2f1c625a2189acd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 29 Nov 2024 13:06:11 +0100 Subject: [PATCH 101/144] Merge PR #5093 from @Neo23x0 - Fix `Creation of WerFault.exe/Wer.dll in Unusual Folder` fix: Creation of WerFault.exe/Wer.dll in Unusual Folder - Add filter for windows update/installation folder `C:\Windows\SoftwareDistribution\` --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../file_event_win_werfault_dll_hijacking.yml | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml index b36b0b47bec..dc64f6d294c 100644 --- a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml +++ b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml 
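Review bot: The `Hashes`/`Hash` field-augmentation in the loop is commented out rather than deleted, leaving sixteen lines of dead code in the test loader. Since the rule changes in this commit drop the `md5`/`sha1`/`sha256`/`Imphash` fields, the intent appears to be that the field validator stops accepting them; removing the block outright (git history keeps it) or replacing it with a single comment such as `# md5/sha1/sha256/Imphash are no longer accepted as fields; rules must use Hashes|contains` states that intent without the dead code. The enclosing function starts outside the hunk.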
@@ -1,11 +1,12 @@ -title: Creation of an WerFault.exe in Unusual Folder +title: Creation of WerFault.exe/Wer.dll in Unusual Folder id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1 status: test -description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking +description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking. references: - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/ author: frack113 date: 2022-05-09 +modified: 2024-11-28 tags: - attack.persistence - attack.defense-evasion @@ -18,12 +19,13 @@ detection: TargetFilename|endswith: - '\WerFault.exe' - '\wer.dll' - filter_whitelist: - TargetFilename|contains: - - '\System32\' - - '\SysWOW64\' - - '\WinSxS\' - condition: selection and not filter_whitelist + filter_main_known_locations: + TargetFilename|startswith: + - 'C:\Windows\SoftwareDistribution\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' + condition: selection and not 1 of filter_main_* falsepositives: - Unknown -level: high +level: medium From 4075c508d178bcc3fbdc991b50ac424cce539dc7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 1 Dec 2024 13:39:50 +0100 Subject: [PATCH 102/144] Merge PR #5101 from @nasbench - Archive new rule references and update cache file chore: archive new rule references and update cache file Co-authored-by: nasbench --- .github/latest_archiver_output.md | 1015 ++++++++++++++--------------- tests/rule-references.txt | 15 + 2 files changed, 518 insertions(+), 512 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index 2e12880b4a0..61bb3c1b997 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md 
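Review bot: In the `@@ -18,12 +19,13 @@` hunk every `TargetFilename|startswith` value in `filter_main_known_locations` hard-codes the `C:` drive, so on a host whose system volume has another letter none of the filters apply and every legitimate WerFault.exe or wer.dll write under System32, SysWOW64 or WinSxS will alert. Moving from `contains` to `startswith` is sound, as a `\System32\` substring anywhere in the path previously excluded writes into an attacker-created folder of that name, but the drive assumption should at least be documented, e.g. `# Assumes the system drive is C:; add further prefixes for non-default installations`. The level drop from high to medium in the same hunk fits the widened filter but is not mentioned in the commit description.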
@@ -1,570 +1,561 @@ # Reference Archiver Results -Last Execution: 2024-11-15 02:06:55 +Last Execution: 2024-12-01 02:17:42 ### Archiver Script Results #### Newly Archived References -N/A +- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ +- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu +- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html #### Already Archived References -- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue -- https://github.com/nettitude/SharpWSUS -- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html -- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- -- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 -- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a -- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 -- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file -- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things -- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ -- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction -- 
https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/ -- https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ +- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac +- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ +- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code +- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 +- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html +- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace +- https://www.sans.org/cyber-security-summit/archives #### Error While Archiving References +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- 
https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage -- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack -- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ -- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 +- 
https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://github.com/0xthirteen/SharpMove/ -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://labs.nettitude.com/blog/introducing-sharpwsus/ -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://www.loobins.io/binaries/hdiutil/ -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://www.trustedsec.com/blog/art_of_kerberoast/ +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- 
https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://tria.ge/220422-1nnmyagdf2/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://objective-see.org/blog/blog_0x1E.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ +- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://www.loobins.io/binaries/nscurl/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- 
https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- https://objective-see.org/blog/blog_0x6D.html +- https://www.huntress.com/blog/attacking-mssql-servers +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role +- https://lots-project.com/site/2a2e617a75726566642e6e6574 +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ -- https://paper.seebug.org/1495/ -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- 
https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- https://github.com/GhostPack/SharpDPAPI -- https://www.loobins.io/binaries/nscurl/ -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ -- https://redcanary.com/blog/msix-installers/ -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html -- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 -- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ +- https://github.com/FalconForceTeam/SOAPHound +- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://tria.ge/240731-jh4crsycnb/behavioral2 -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- 
https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address +- https://twitter.com/standa_t/status/1808868985678803222 +- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://github.com/rapid7/metasploit-framework/issues/11337 +- https://twitter.com/TheDFIRReport/status/1482078434327244805 +- https://twitter.com/Kostastsale/status/1480716528421011458 +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy - https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 -- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ -- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 -- 
https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- https://github.com/gentilkiwi/mimikatz -- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://www.softperfect.com/products/networkscanner/ +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 -- https://objective-see.org/blog/blog_0x1E.html -- https://gtfobins.github.io/gtfobins/python/#shell -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- 
https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +- https://ngrok.com/blog-post/new-ngrok-domains +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://gtfobins.github.io/gtfobins/rsync/#shell +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://ipurple.team/2024/09/10/browser-stored-credentials/ +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://github.com/0xthirteen/SharpMove/ +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- https://boinc.berkeley.edu/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://adsecurity.org/?p=1785 +- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 - https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- https://ss64.com/osx/sw_vers.html -- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- 
https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html +- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ +- https://www.loobins.io/binaries/hdiutil/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ -- 
https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://gtfobins.github.io/gtfobins/gawk/#shell -- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 -- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://ngrok.com/blog-post/new-ngrok-domains -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority -- https://github.com/antonioCoco/RoguePotato -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml -- https://blog.talosintelligence.com/uat-5647-romcom/ -- https://www.action1.com/documentation/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- https://www.tarasco.org/security/pwdump_7/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://tria.ge/231023-lpw85she57/behavioral2 +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ -- https://www.trustedsec.com/blog/art_of_kerberoast/ -- 
https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- https://twitter.com/Cryptolaemus1/status/1517634855940632576 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 +- https://www.attackiq.com/2023/09/20/emulating-rhysida/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://tria.ge/220422-1pw1pscfdl/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- https://asec.ahnlab.com/en/61000/ +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html +- https://www.loobins.io/binaries/xattr/ - https://cloud.google.com/access-context-manager/docs/audit-logging -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 -- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- 
https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://gtfobins.github.io/gtfobins/rsync/#shell -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://asec.ahnlab.com/en/61000/ -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 - 
https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ -- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://gtfobins.github.io/gtfobins/c99/#shell -- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://www.forensafe.com/blogs/runmrukey.html -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://gtfobins.github.io/gtfobins/c89/#shell -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://www.loobins.io/binaries/launchctl/ +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 -- 
https://adsecurity.org/?p=3513 -- https://labs.withsecure.com/publications/kapeka -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 +- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ - https://github.com/embedi/CVE-2017-11882 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac +- https://linux.die.net/man/1/arecord - https://news.ycombinator.com/item?id=29504755 -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 -- 
https://boinc.berkeley.edu/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain -- https://www.softperfect.com/products/networkscanner/ -- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://ss64.com/osx/sw_vers.html +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor +- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://redcanary.com/blog/msix-installers/ +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://github.com/GhostPack/SharpDPAPI +- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- https://gtfobins.github.io/gtfobins/env/#shell +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials - https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a +- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services -- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://x.com/Max_Mal_/status/1826179497084739829 -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd -- 
https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml +- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- 
https://www.group-ib.com/resources/threat-research/red-curl-2.html - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://github.com/antonioCoco/RoguePotato +- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 +- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- https://gtfobins.github.io/gtfobins/gcc/#shell +- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://gtfobins.github.io/gtfobins/c89/#shell +- https://www.anyviewer.com/help/remote-technical-support.html +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +- 
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://github.com/grayhatkiller/SharpExShell +- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://trustedsec.com/blog/oops-i-udld-it-again - https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://twitter.com/Cryptolaemus1/status/1517634855940632576 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://gtfobins.github.io/gtfobins/mawk/#shell -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://gtfobins.github.io/gtfobins/find/#shell +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- 
https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://twitter.com/standa_t/status/1808868985678803222 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ -- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python -- https://www.sans.org/cyber-security-summit/archives -- https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://ipurple.team/2024/07/15/sharphound-detection/ -- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- 
https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://ss64.com/mac/chflags.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ -- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://gtfobins.github.io/gtfobins/awk/#shell +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://gtfobins.github.io/gtfobins/flock/#shell +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://www.action1.com/documentation/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- 
https://www.loobins.io/binaries/pbpaste/ - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 -- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://gtfobins.github.io/gtfobins/git/#shell -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- 
https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://paper.seebug.org/1495/ +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ +- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://ss64.com/nt/set.html +- https://www.loobins.io/binaries/tmutil/ +- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 +- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ +- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections +- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl - https://www.cve.org/CVERecord?id=CVE-2024-1709 -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b -- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://support.google.com/a/answer/9261439 +- https://gtfobins.github.io/gtfobins/python/#shell +- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://objective-see.org/blog/blog_0x6D.html -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response -- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- 
https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://github.com/FalconForceTeam/SOAPHound -- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization -- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 -- https://bazaar.abuse.ch/browse/tag/one/ +- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://ipurple.team/2024/09/10/browser-stored-credentials/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- https://gtfobins.github.io/gtfobins/env/#shell -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 -- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ -- https://www.loobins.io/binaries/tmutil/ -- 
https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ -- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure -- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ -- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ -- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 -- https://gtfobins.github.io/gtfobins/awk/#shell -- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- 
https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt -- https://megatools.megous.com/ -- https://www.tarasco.org/security/pwdump_7/ -- https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 +- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://gtfobins.github.io/gtfobins/c99/#shell +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +- https://gtfobins.github.io/gtfobins/git/#shell +- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- https://labs.withsecure.com/publications/kapeka +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- 
https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ - https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://github.com/CICADA8-Research/RemoteKrbRelay -- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ -- https://ss64.com/mac/hdiutil.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://twitter.com/th3_protoCOL/status/1480621526764322817 -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool -- https://adsecurity.org/?p=1785 -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://gtfobins.github.io/gtfobins/nawk/#shell -- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive -- 
https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration - https://evasions.checkpoint.com/techniques/macos.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://www.tenable.com/security/research/tra-2023-11 -- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy -- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- 
https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
-- https://trustedsec.com/blog/oops-i-udld-it-again
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
-- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
-- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
-- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
-- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
-- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
-- https://tria.ge/240226-fhbe7sdc39/behavioral1
-- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
-- https://unit42.paloaltonetworks.com/chromeloader-malware/
-- https://ss64.com/nt/set.html
-- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
-- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
-- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
-- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
-- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
 - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
-- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
-- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
-- https://gtfobins.github.io/gtfobins/flock/#shell
-- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
-- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
-- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
-- https://www.huntress.com/blog/attacking-mssql-servers
-- https://github.com/grayhatkiller/SharpExShell
-- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
-- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
-- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
-- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
-- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
-- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
-- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
-- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
-- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
-- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
-- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
-- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
-- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
-- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
-- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
-- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
-- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
-- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
-- https://www.anyviewer.com/help/remote-technical-support.html
-- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
-- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
-- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
-- https://tria.ge/220422-1nnmyagdf2/
-- https://web.archive.org/web/20231210115125/http://www.xuetr.com/
-- https://redcanary.com/blog/threat-detection/process-masquerading/
-- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
-- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
+- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+- https://megatools.megous.com/
+- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
+- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
 - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
-- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
-- https://localtonet.com/documents/supported-tunnels
-- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
-- https://github.com/Ylianst/MeshAgent
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
-- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
-- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
+- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
+- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
+- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
+- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
-- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
-- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
-- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
-- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
-- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
-- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
-- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
-- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
-- https://twitter.com/th3_protoCOL/status/1536788652889497600
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
-- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
-- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
-- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
-- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
+- https://gtfobins.github.io/gtfobins/nawk/#shell
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
+- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
+- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
+- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
+- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+- https://github.com/gentilkiwi/mimikatz
 - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
-- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
-- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
-- https://www.group-ib.com/blog/apt41-world-tour-2021/
-- https://linux.die.net/man/1/arecord
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
-- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
-- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
-- https://twitter.com/DTCERT/status/1712785421845790799
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
-- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
-- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
-- https://tria.ge/240123-rapteaahhr/behavioral1
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
-- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
-- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
+- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
 - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
-- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
-- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
-- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
-- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
-- https://twitter.com/TheDFIRReport/status/1482078434327244805
-- https://support.google.com/a/answer/9261439
-- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
-- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
-- https://twitter.com/MsftSecIntel/status/1737895710169628824
-- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
-- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
-- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
-- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
-- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
-- https://asec.ahnlab.com/en/40263/
-- https://twitter.com/1ZRR4H/status/1537501582727778304
-- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
-- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
-- https://tria.ge/220422-1pw1pscfdl/
+- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
-- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
-- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
-- https://gtfobins.github.io/gtfobins/gcc/#shell
-- https://twitter.com/Kostastsale/status/1646256901506605063?s=20
-- https://github.com/rapid7/metasploit-framework/issues/11337
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
-- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
-- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
-- https://tria.ge/231023-lpw85she57/behavioral2
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
+- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
+- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
+- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
+- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
+- https://twitter.com/1ZRR4H/status/1537501582727778304
+- https://blog.talosintelligence.com/uat-5647-romcom/
+- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
+- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
 - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
+- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+- https://unit42.paloaltonetworks.com/chromeloader-malware/
+- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
+- https://www.forensafe.com/blogs/runmrukey.html
+- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
+- https://www.loobins.io/binaries/launchctl/
+- https://github.com/Ylianst/MeshAgent
+- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
+- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
+- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
 - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
-- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
-- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
-- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
-- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-- https://www.loobins.io/binaries/xattr/
-- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
-- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
-- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
-- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
+- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/
+- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+- https://www.tenable.com/security/research/tra-2023-11
+- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
+- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
+- https://localtonet.com/documents/supported-tunnels
+- https://twitter.com/DTCERT/status/1712785421845790799
+- https://www.loobins.io/binaries/pbpaste/
+- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
-- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
-- https://gtfobins.github.io/gtfobins/find/#shell
-- https://twitter.com/Kostastsale/status/1480716528421011458
-- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
+- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
+- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
+- https://twitter.com/th3_protoCOL/status/1480621526764322817
+- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
+- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
+- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
+- https://bazaar.abuse.ch/browse/tag/one/
+- https://ipurple.team/2024/07/15/sharphound-detection/
+- https://ss64.com/mac/hdiutil.html
+- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
+- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
+- https://ss64.com/mac/chflags.html
+- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
+- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
+- https://gtfobins.github.io/gtfobins/mawk/#shell
+- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
+- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a
+- https://asec.ahnlab.com/en/40263/
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
+- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
+- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
+- https://tria.ge/240731-jh4crsycnb/behavioral2
+- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
+- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
+- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector
+- https://adsecurity.org/?p=3513
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
index f626848facd..88df0e48bb1 100644
--- a/tests/rule-references.txt
+++ b/tests/rule-references.txt
@@ -3859,3 +3859,18 @@ https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protectio
 https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
 https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
 https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
+https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
+https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
+https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
+https://blog.talosintelligence.com/gophish-powerrat-dcrat/
+https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
+https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
+https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
+https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
+https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
+https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
+https://www.sans.org/cyber-security-summit/archives
+https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
+https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
+https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
From 9367349016607a73a0778ce9be745db6ac161426 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sun, 1 Dec 2024 13:40:32 +0100
Subject: [PATCH 103/144] Merge PR #5101 from @nasbench - Promote older rules status from `experimental` to `test`
chore: promote older rules status from experimental to test
Co-authored-by: nasbench
---
...oc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml | 2 +-
.../net_connection_win_malware_pikabot_rundll32_activity.yml | 2 +-
.../Pikabot/proc_creation_win_malware_pikabot_discovery.yml | 2 +-
.../proc_creation_win_malware_pikabot_rundll32_hollowing.yml | 2 +-
...creation_win_malware_pikabot_rundll32_uncommon_extension.yml | 2 +-
.../proc_creation_win_apt_peach_sandstorm_indicators.yml | 2 +-
.../proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml | 2 +-
.../windows/builtin/firewall_as/win_firewall_as_change_rule.yml | 2 +-
.../net_connection_win_dfsvc_uncommon_ports.yml | 2 +-
.../process_creation/proc_creation_win_iexpress_execution.yml | 2 +-
.../process_creation/proc_creation_win_mode_codepage_change.yml | 2 +-
.../process_creation/proc_creation_win_susp_event_log_query.yml | 2 +-
.../proc_creation_win_wmic_recon_system_info.yml | 2 +-
rules/cloud/gcp/audit/gcp_access_policy_deleted.yml | 2 +-
.../gcp/audit/gcp_breakglass_container_workload_deployed.yml | 2 +-
.../gcp_gworkspace_application_access_levels_modified.yml | 2 +-
.../builtin/firewall_as/win_firewall_as_delete_all_rules.yml | 2 +-
.../object_access/win_security_wfp_endpoint_agent_blocked.yml | 2 +-
.../windows/builtin/security/win_security_hktl_edr_silencer.yml | 2 +-
.../create_remote_thread_win_mstsc_susp_location.yml | 2 +-
.../file/file_event/file_event_win_sed_file_creation.yml | 2 +-
.../file_executable_detected_win_susp_embeded_sed_file.yml | 2 +-
.../image_load_dll_system_management_automation_susp_load.yml | 2 +-
.../image_load_side_load_cpl_from_non_system_location.yml | 2 +-
.../net_connection_win_adws_unusual_connection.yml | 2 +-
.../proc_creation_win_hh_chm_remote_download_or_execution.yml | 2 +-
.../process_creation/proc_creation_win_hktl_sharpmove.yml | 2 +-
.../proc_creation_win_hktl_soaphound_execution.yml | 2 +-
.../proc_creation_win_java_susp_child_process.yml | 2 +-
.../proc_creation_win_mode_codepage_russian.yml | 2 +-
.../proc_creation_win_powershell_malicious_cmdlets.yml | 2 +-
.../process_creation/proc_creation_win_pua_pingcastle.yml | 2 +-
.../proc_creation_win_pua_pingcastle_script_parent.yml | 2 +-
.../process_creation/proc_creation_win_renamed_pingcastle.yml | 2 +-
.../process_creation/proc_creation_win_wmic_recon_volume.yml | 2 +-
.../proc_creation_win_wscript_cscript_dropper.yml | 2 +-
.../registry_set/registry_set_persistence_mycomputer.yml | 2 +-
37 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
index c097cace1af..cd160470813 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
@@ -3,7 +3,7 @@ id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
 related:
 - id: e4556676-fc5c-4e95-8c39-5ef27791541f
 type: similar
-status: experimental
+status: test
 description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
 references:
 - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
index ae214147a61..438924e623b 100644
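Review bot: The description line in the WinRAR hunk still reads `CVE-2023-38331 (WinRAR before v6.23)`, while the rule's directory, file name and the group-ib reference on the last context line all carry CVE-2023-38831, so the digits in the description appear transposed and the rule would mislead anyone searching alerts by CVE. Promoting the rule from `experimental` to `test` is the natural moment to correct it: `description: Detects exploitation attempt of CVE-2023-38831 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.` The title and the `modified` date field sit outside this hunk, so I cannot confirm from here whether they need the same touch.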
--- a/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml
@@ -1,6 +1,6 @@
 title: Potential Pikabot C2 Activity
 id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
-status: experimental
+status: test
 description: |
 Detects the execution of rundll32 that leads to an external network connection.
 The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
index d9b56e2f14a..682d448131c 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml
@@ -1,6 +1,6 @@
 title: Potential Pikabot Discovery Activity
 id: 698d4431-514f-4c82-af4d-cf573872a9f5
-status: experimental
+status: test
 description: |
 Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
 The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
index 05bbad68d24..8e9bf8d435d 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
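Review bot: In the Pikabot discovery hunk the first description line, `Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.`, stacks "such as" on top of "incl." and reads as an unfinished edit; since the status promotion is a quality gate, the wording is worth tidying in the same pass, e.g. `Detects system discovery activity carried out by Pikabot, such as network, user and domain group enumeration.` The second description line and the rest of the rule are fine as far as this hunk shows; the references and detection sections lie outside it.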
@@ -1,6 +1,6 @@ title: Potential Pikabot Hollowing Activity id: d8937fe7-42d5-4b4d-8178-e089c908f63f -status: experimental +status: test description: | Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml index 67a0f2aed3b..665ecd2b7b4 100644 --- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml +++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml @@ -1,6 +1,6 @@ title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf -status: experimental +status: test description: | Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity. references: diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml index 48d394c3a12..77a3e1457f7 100644 --- a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml +++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml @@ -1,6 +1,6 @@ title: Peach Sandstorm APT Process Activity Indicators id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614 -status: experimental +status: test description: Detects process creation activity related to Peach Sandstorm APT references: - https://twitter.com/MsftSecIntel/status/1737895710169628824 
diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml index 3bcb089e9ba..dbbdc19354e 100644 --- a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml +++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml @@ -1,6 +1,6 @@ title: Potential Peach Sandstorm APT C2 Communication Activity id: b8225208-81d0-4715-a822-12bcdd583e0f -status: experimental +status: test description: Detects potential C2 communication activity related to Peach Sandstorm APT references: - https://twitter.com/MsftSecIntel/status/1737895710169628824 diff --git a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml index f2c55c45ce8..29c492e4342 100644 --- a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml +++ b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml @@ -1,6 +1,6 @@ title: Firewall Rule Modified In The Windows Firewall Exception List id: 5570c4d9-8fdd-4622-965b-403a5a101aa0 -status: experimental +status: test description: Detects when a rule has been modified in the Windows firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml index 8e4edf95401..dbde8764843 100644 --- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml 
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml @@ -1,6 +1,6 @@ title: Dfsvc.EXE Initiated Network Connection Over Uncommon Port id: 4c5fba4a-9ef6-4f16-823d-606246054741 -status: experimental +status: test description: Detects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml index f8d49065d19..867788915bd 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml @@ -1,6 +1,6 @@ title: New Self Extracting Package Created Via IExpress.EXE id: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a -status: experimental +status: test description: | Detects the "iexpress.exe" utility creating self-extracting packages. Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files. diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml index 9857b40668f..c728e9e552f 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml @@ -3,7 +3,7 @@ id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e related: - id: 12fbff88-16b5-4b42-9754-cd001a789fb3 type: derived -status: experimental +status: test description: | Detects a CodePage modification using the "mode.com" utility. This behavior has been used by threat actors behind Dharma ransomware. 
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml index 7f5a1827a69..13bc2085cfa 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml @@ -3,7 +3,7 @@ id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f related: - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf type: derived -status: experimental +status: test description: | Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc. references: diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml index 1a54737a100..ac5ca161570 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml @@ -3,7 +3,7 @@ id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e related: - id: 9d5a1274-922a-49d0-87f3-8c653483b909 type: derived -status: experimental +status: test description: | Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, diff --git a/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml b/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml index 68171169a64..251dc8cee31 100644 --- a/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml +++ b/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml 
@@ -1,6 +1,6 @@ title: GCP Access Policy Deleted id: 32438676-1dba-4ac7-bf69-b86cba995e05 -status: experimental +status: test description: | Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource. diff --git a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml index ce1f5b63e04..cf675d705ef 100644 --- a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml +++ b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml @@ -1,6 +1,6 @@ title: GCP Break-glass Container Workload Deployed id: 76737c19-66ee-4c07-b65a-a03301d1573d -status: experimental +status: test description: | Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls. references: diff --git a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml index 2e1ee57f77a..a52dffb52dc 100644 --- a/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml +++ b/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml @@ -1,6 +1,6 @@ title: Google Workspace Application Access Level Modified id: 22f2fb54-5312-435d-852f-7c74f81684ca -status: experimental +status: test description: | Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml index c19cf42826b..c5e1d274f97 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml 
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml @@ -1,6 +1,6 @@ title: All Rules Have Been Deleted From The Windows Firewall Configuration id: 79609c82-a488-426e-abcf-9f341a39365d -status: experimental +status: test description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration references: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) diff --git a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml index 14b6344a2a2..3e181b0c008 100644 --- a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml +++ b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml @@ -1,6 +1,6 @@ title: Windows Filtering Platform Blocked Connection From EDR Agent Binary id: bacf58c6-e199-4040-a94f-95dea0f1e45a -status: experimental +status: test description: | Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events. diff --git a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml index b05e65f769a..4a3cc876cf4 100644 --- a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml +++ b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml 
@@ -1,6 +1,6 @@ title: HackTool - EDRSilencer Execution - Filter Added id: 98054878-5eab-434c-85d4-72d4e5a3361b -status: experimental +status: test description: | Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names. references: diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml index 8581ece3220..71e4db9c65c 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml @@ -1,6 +1,6 @@ title: Remote Thread Creation In Mstsc.Exe From Suspicious Location id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7 -status: experimental +status: test description: | Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials. diff --git a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml index 3f6c06274b4..bff66ec2a0f 100644 --- a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml +++ b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml @@ -3,7 +3,7 @@ id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f related: - id: ab90dab8-c7da-4010-9193-563528cfa347 type: derived -status: experimental +status: test description: | Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. 
diff --git a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml index 4fa27be5355..f693d5eb272 100644 --- a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml +++ b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml @@ -3,7 +3,7 @@ id: ab90dab8-c7da-4010-9193-563528cfa347 related: - id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f type: derived -status: experimental +status: test description: | Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. diff --git a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml index d00f02f6fb4..3637a54b8e3 100644 --- a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml @@ -5,7 +5,7 @@ related: type: obsolete - id: fe6e002f-f244-4278-9263-20e4b593827f type: obsolete -status: experimental +status: test description: | Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension. diff --git a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml index d5423eff0f1..7cbfd97d7fa 100644 --- a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml 
@@ -1,6 +1,6 @@ title: System Control Panel Item Loaded From Uncommon Location id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde -status: experimental +status: test description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading. references: - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ diff --git a/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml b/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml index 424a66b2cc7..f1e4091bd67 100644 --- a/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml +++ b/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml @@ -1,6 +1,6 @@ title: Uncommon Connection to Active Directory Web Services id: b3ad3c0f-c949-47a1-a30e-b0491ccae876 -status: experimental +status: test description: | Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management. references: diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml index efe011a66bc..5d8620133bc 100644 --- a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml @@ -1,6 +1,6 @@ title: Remote CHM File Download/Execution Via HH.EXE id: f57c58b3-ee69-4ef5-9041-455bf39aaa89 -status: experimental +status: test description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. references: - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml index 0c53139b34a..aa3b7ee72eb 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml @@ -1,6 +1,6 @@ title: HackTool - SharpMove Tool Execution id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d -status: experimental +status: test description: | Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options. references: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml index 690f801871d..adf2c6f65c9 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml @@ -1,6 +1,6 @@ title: HackTool - SOAPHound Execution id: e92a4287-e072-4a40-9739-370c106bb750 -status: experimental +status: test description: | Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information. references: diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml index d6ca9e98ca7..22a99af45b9 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml 
@@ -3,7 +3,7 @@ id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d related: - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 type: similar -status: experimental +status: test description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) references: - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ diff --git a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml index a20a99a86b1..539295fbe17 100644 --- a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml +++ b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml @@ -3,7 +3,7 @@ id: 12fbff88-16b5-4b42-9754-cd001a789fb3 related: - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e type: derived -status: experimental +status: test description: | Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware. diff --git a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml index 8fa81a13d16..60dd07ed249 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml @@ -5,7 +5,7 @@ related: type: derived - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c type: similar -status: experimental +status: test description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: - https://adsecurity.org/?p=2921 diff --git a/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml b/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml index da8445b7309..2d16d55f399 100644 
--- a/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml @@ -3,7 +3,7 @@ id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c related: - id: b37998de-a70b-4f33-b219-ec36bf433dc0 type: derived -status: experimental +status: test description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. references: - https://github.com/vletoux/pingcastle diff --git a/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml b/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml index 7a56a9143e8..0ab38f6b8ee 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml @@ -3,7 +3,7 @@ id: b37998de-a70b-4f33-b219-ec36bf433dc0 related: - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c type: derived -status: experimental +status: test description: | Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location. references: diff --git a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml index b58cd356b22..30eed2445a8 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml @@ -1,6 +1,6 @@ title: Renamed PingCastle Binary Execution id: 2433a154-bb3d-42e4-86c3-a26bdac91c45 -status: experimental +status: test description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. references: - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml index 759f600328e..0ac3eecd659 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml @@ -3,7 +3,7 @@ id: c79da740-5030-45ec-a2e0-479e824a562c related: - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e type: similar -status: experimental +status: test description: | An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the `wmic` command-line utility and has been diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml index 166d3d3faef..b87d7a24212 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml @@ -3,7 +3,7 @@ id: cea72823-df4d-4567-950c-0b579eaf0846 related: - id: 1e33157c-53b1-41ad-bbcc-780b80b58288 type: similar -status: experimental +status: test description: Detects wscript/cscript executions of scripts located in user directories references: - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml index 5175d1fd3ef..9651c7595ce 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml 
@@ -1,6 +1,6 @@ title: Potential Persistence Via MyComputer Registry Keys id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 -status: experimental +status: test description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) references: - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ From 995dac17d1af1499e7fe0a6786ea78ee6415bfe1 Mon Sep 17 00:00:00 2001 From: Gameel Ali Date: Sun, 1 Dec 2024 14:48:59 +0200 Subject: [PATCH 104/144] Merge PR #5084 from @MalGamy12 - Update `COM Object Hijacking Via Modification Of Default System CLSID Default Value` update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add 2 new additional built-in COM object GUID that were seen being used for hijacking --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../registry_set_persistence_com_hijacking_builtin.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml index a30291b3400..82a4e741382 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml 
@@ -11,9 +11,10 @@ references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ - https://blog.talosintelligence.com/uat-5647-romcom/ + - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques author: Nasreddine Bencherchali (Nextron Systems) date: 2024-07-16 -modified: 2024-10-18 +modified: 2024-11-19 tags: - attack.persistence - attack.t1546.015 @@ -36,6 +37,8 @@ detection: - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\' - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\' - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\' + - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\' + - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\' selection_susp_location_1: Details|contains: # Note: Add more suspicious paths and locations From af4138653544b5688e5d00cde3ebf349fd01d205 Mon Sep 17 00:00:00 2001 From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com> Date: Sun, 1 Dec 2024 16:21:14 +0330 Subject: [PATCH 105/144] Merge PR #5097 from @CheraghiMilad - Update ` System Owner or User Discovery - Linux` update: System Owner or User Discovery - Linux - Add 4 additional tools that can be used for host and user discovery: "whoami", "hostname", "id", "last" --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- rules/linux/auditd/lnx_auditd_user_discovery.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml index 0bfbbf39799..90ff5695e41 100644 --- a/rules/linux/auditd/lnx_auditd_user_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml 
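Review bot: The two CLSIDs added to the `Image`/`TargetObject` list in the second hunk carry no annotation of which built-in COM object they identify, and the only reference added alongside them is the PT Security DarkHotel write-up, so a future maintainer cannot verify the pairing from the rule alone. A one-line comment above each new entry, e.g. `# Seen used for hijacking in the DarkHotel report (see references)`, would make the provenance explicit the same way the `# Note:` comments elsewhere in this file do. The case difference between the new lowercase GUIDs and the existing uppercase ones is harmless since Sigma `contains` is case-insensitive, but matching the surrounding style would keep the list easier to scan.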
@@ -1,12 +1,14 @@ -title: System Owner or User Discovery +title: System Owner or User Discovery - Linux id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3 status: test -description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. +description: | + Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. + Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md author: Timur Zinniatullin, oscd.community date: 2019-10-21 -modified: 2021-11-27 +modified: 2024-11-30 tags: - attack.discovery - attack.t1033 @@ -17,9 +19,13 @@ detection: selection: type: 'EXECVE' a0: + - 'hostname' + - 'id' + - 'last' - 'users' - 'w' - 'who' + - 'whoami' condition: selection falsepositives: - Admin activity From c8e1d66a357dc592a2ea1f2e570741cbe5485c33 Mon Sep 17 00:00:00 2001 From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com> Date: Sun, 1 Dec 2024 16:37:54 +0330 Subject: [PATCH 106/144] Merge PR #5091 from @CheraghiMilad - Update `File and Directory Discovery - Linux` update: File and Directory Discovery - Linux - Add 2 additional binaries, "findmnt" and "mlocate" --------- Co-authored-by: Milad Cheraghi Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- ...ation_lnx_file_and_directory_discovery.yml | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) 
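Review bot: The new `a0` values `'hostname'` and `'id'` are executed by shell profiles, init and cron scripts and monitoring agents on practically every Linux host, so the `EXECVE` selection will now fire on routine activity while `falsepositives` still lists only "Admin activity". Add an entry such as `- Scripts, shell profiles and monitoring agents that run "hostname" or "id" on login or on a schedule` and confirm that the rule's `level` (outside the hunk) still fits this volume. Note also that auditd `a0` records argv[0] as typed, so these bare names only match invocations without a path prefix; that is consistent with the existing `'users'`/`'who'` entries but is worth a `# Note:` comment above the list.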
diff --git a/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml index 1238daa1a9f..64a3c4b5289 100644 --- a/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml @@ -1,12 +1,13 @@ title: File and Directory Discovery - Linux id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72 status: test -description: Detects usage of system utilities to discover files and directories +description: | + Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md -author: Daniil Yugoslavskiy, oscd.community +author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad date: 2020-10-19 -modified: 2022-11-25 +modified: 2024-12-01 tags: - attack.discovery - attack.t1083 @@ -14,17 +15,21 @@ logsource: category: process_creation product: linux detection: - select_file_with_asterisk: + selection_file_with_asterisk: Image|endswith: '/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline - select_recursive_ls: + selection_recursive_ls: Image|endswith: '/ls' CommandLine|contains: '-R' - select_find_execution: + selection_find_execution: Image|endswith: '/find' - select_tree_execution: + selection_tree_execution: Image|endswith: '/tree' - condition: 1 of select* + selection_findmnt_execution: + Image|endswith: '/findmnt' + selection_locate_execution: + Image|endswith: '/mlocate' + condition: 1 of selection_* falsepositives: - Legitimate activities level: informational From aac43355507d08fd664e7353acaf9dac2c88b7fb Mon Sep 17 00:00:00 2001 
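Review bot: `selection_locate_execution` matches only an image ending in `'/mlocate'`, yet the command users actually run is normally `locate` (an alternatives symlink on Debian-family systems), and recent Debian/Ubuntu releases ship `plocate` rather than `mlocate`, so the selection name promises broader coverage than it provides. Either extend it, `Image|endswith:` with `- '/locate'`, `- '/mlocate'` and `- '/plocate'`, or rename the key to `selection_mlocate_execution` if the narrow match is intended; I have not verified how each distribution resolves the symlink in process_creation telemetry, so check against sample logs. Minor: the new description reads `"findmnt", etc, to discover` and should be `etc., to discover`.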
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com> Date: Sun, 1 Dec 2024 16:39:27 +0330 Subject: [PATCH 107/144] Merge PR #5102 from @CheraghiMilad - Update `Password Policy Discovery - Linux` update: Password Policy Discovery - Linux - Add additional new paths for "pam.d" , namely "/etc/pam.d/common-account", "/etc/pam.d/common-auth" and "/etc/pam.d/auth" --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../auditd/lnx_auditd_password_policy_discovery.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml index 1b99271476e..02e3e50a421 100644 --- a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml @@ -1,4 +1,4 @@ -title: Password Policy Discovery +title: Password Policy Discovery - Linux id: ca94a6db-8106-4737-9ed2-3e3bb826af0a status: stable description: Detects password policy discovery commands @@ -9,7 +9,7 @@ references: - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu author: Ömer Günal, oscd.community, Pawel Mazur date: 2020-10-08 -modified: 2022-12-18 +modified: 2024-12-01 tags: - attack.discovery - attack.t1201 @@ -20,10 +20,13 @@ detection: selection_files: type: 'PATH' name: + - '/etc/login.defs' + - '/etc/pam.d/auth' + - '/etc/pam.d/common-account' + - '/etc/pam.d/common-auth' - '/etc/pam.d/common-password' - - '/etc/security/pwquality.conf' - '/etc/pam.d/system-auth' - - '/etc/login.defs' + - '/etc/security/pwquality.conf' selection_chage: type: 'EXECVE' a0: 'chage' From f39c9acbc4f2d6dd28db9a0669862ebd3aad8ccb Mon Sep 17 00:00:00 2001 
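Review bot: In the third hunk, `'/etc/pam.d/auth'` is not a file I can place in the default PAM layout of a mainstream distribution (Debian-family uses `common-auth`, RHEL-family `system-auth`/`password-auth`), so unless it was observed on a specific distribution it adds nothing; add a comment naming where it comes from, e.g. `# Note: "/etc/pam.d/auth" observed on <DISTRIBUTION PLACEHOLDER>`, or drop it. More generally, `type: 'PATH'` records are emitted for any access to a watched file, and `common-auth`, `common-account` and `system-auth` are read by the PAM stack during every login, ssh and sudo authentication, so with a file watch in place this selection fires on routine authentication; the `falsepositives` section lies outside the hunk, but it should state this explicitly and the `stable` status may warrant re-checking. The reordering of the existing entries is behaviour-neutral.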
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Sun, 1 Dec 2024 22:17:36 +0545 Subject: [PATCH 108/144] Merge PR #5082 from @swachchhanda000 - Add `Suspicious ShellExec_RunDLL Call Via Ordinal` new: Suspicious ShellExec_RunDLL Call Via Ordinal --------- Co-authored-by: Swachchhanda Shrawan Poudel Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- ..._win_rundll32_susp_shellexec_execution.yml | 16 +++-- ...dll32_susp_shellexec_ordinal_execution.yml | 68 +++++++++++++++++++ 2 files changed, 77 insertions(+), 7 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml index c71a44c8330..35693d65b48 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml @@ -3,6 +3,8 @@ id: d87bd452-6da1-456e-8155-7dc988157b7d related: - id: 36c5146c-d127-4f85-8e21-01bf62355d5a type: obsolete + - id: 8823e85d-31d8-473e-b7f4-92da070f0fc6 + type: similar status: test description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack references: 
@@ -22,16 +24,16 @@ detection:
 CommandLine|contains: 'ShellExec_RunDLL'
 selection_suspcli:
 CommandLine|contains:
- # Add more LOLBINs and Susp Paths
- - 'regsvr32'
- - 'msiexec'
- - '\Users\Public\'
- - 'odbcconf'
+ # Note: The ordinal number may differ depending on the DLL version
 - '\Desktop\'
 - '\Temp\'
- - 'Invoke-'
- - 'iex'
+ - '\Users\Public\'
 - 'comspec'
+ - 'iex'
+ - 'Invoke-'
+ - 'msiexec'
+ - 'odbcconf'
+ - 'regsvr32'
 condition: all of selection_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml
new file mode 100644
index 00000000000..9090643114e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml
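Review bot: The comment that replaces the old one on the `selection_suspcli` list, `# Note: The ordinal number may differ depending on the DLL version`, belongs to the new ordinal rule and makes no sense here, where the values are LOLBIN names and paths and no ordinal appears anywhere in the rule. It looks pasted across from the sibling file; the old `# Add more LOLBINs and Susp Paths`, or the wording the new file uses, `# Note: Add additional binaries and suspicious paths to increase coverage`, is what this list needs. Apart from the comment, the hunk only re-sorts the same nine values, so it should not change what the rule matches.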
@@ -0,0 +1,68 @@
+title: Suspicious ShellExec_RunDLL Call Via Ordinal
+id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
+related:
+ - id: d87bd452-6da1-456e-8155-7dc988157b7d
+ type: derived
+status: experimental
+description: |
+ Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
+ Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
+references:
+ - https://redcanary.com/blog/raspberry-robin/
+ - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
+ - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
+author: Swachchhanda Shrawan Poudel
+date: 2024-12-01
+tags:
+ - attack.defense-evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent_img:
+ ParentCommandLine|contains: 'SHELL32.DLL'
+ selection_parent_ordinal:
+ ParentCommandLine|contains:
+ # Note: The ordinal number may differ depending on the DLL version
+ # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
+ - '#568'
+ - '#570'
+ - '#572'
+ - '#576'
+ selection_susp_cli_parent:
+ # Note: Add additional binaries and suspicious paths to increase coverage
+ - ParentCommandLine|contains:
+ - 'comspec'
+ - 'iex'
+ - 'Invoke-'
+ - 'msiexec'
+ - 'odbcconf'
+ - 'regsvr32'
+ - ParentCommandLine|contains:
+ - '\Desktop\'
+ - '\ProgramData\'
+ - '\Temp\'
+ - '\Users\Public\'
+ selection_susp_child_img:
+ Image|endswith:
+ - '\bash.exe'
+ - '\bitsadmin.exe'
+ - '\cmd.exe'
+ - '\cscript.exe'
+ - '\curl.exe'
+ - '\mshta.exe'
+ - '\msiexec.exe'
+ - '\msxsl.exe'
+ - '\odbcconf.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\regsvr32.exe'
+ - '\schtasks.exe'
+ - '\wmic.exe'
+ - '\wscript.exe'
+ condition: all of selection_parent_* and 1 of selection_susp_*
+falsepositives:
+ - Unknown
+level: high
From 6e71f6ad5ef50a725a3670958da7054578e422b6 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 1 Dec 2024 17:35:53 +0100
Subject: [PATCH 109/144] Merge PR #5046 from @frack113 - Add `Setup16.EXE Execution With Custom .Lst File`
new: Setup16.EXE Execution With Custom .Lst File
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...ation_win_setup16_custom_lst_execution.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
new file mode 100644
index 00000000000..59562675d67
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
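Review bot: `selection_parent_img` matches only on `ParentCommandLine|contains: 'SHELL32.DLL'`; nothing ties the parent to `rundll32.exe`, although the `# Example:` comment and the `#572`-style ordinals are rundll32 syntax. If that is deliberate (to keep coverage for a renamed rundll32 copy) a one-line comment saying so would stop the next reviewer from adding `ParentImage|endswith: '\rundll32.exe'`; otherwise adding it would cut hits from unrelated parents whose command line merely mentions shell32 and a `#57x` token. The ordinal values are substring-matched, so `'#572'` also matches `#5720` and similar; low risk given the `SHELL32.DLL` requirement, but worth stating in the note above the list. The `description` line `Adversary might only use the ordinal number in order to bypass existing detection that alert on usage` should read `Adversaries might use only the ordinal number in order to bypass existing detections that alert on usage`.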
@@ -0,0 +1,27 @@
+title: Setup16.EXE Execution With Custom .Lst File
+id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e
+status: experimental
+description: |
+ Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
+ These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
+ Attackers and adversaries might leverage this as a living of the land utility.
+references:
+ - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
+author: frack113
+date: 2024-12-01
+tags:
+ - attack.defense-evasion
+ - attack.t1574.005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
+ ParentCommandLine|contains: ' -m '
+ filter_optional_valid_path:
+ Image|startswith: 'C:\~MSSETUP.T\'
+ condition: selection and not 1 of filter_optional_*
+falsepositives:
+ - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
+level: medium
From 6048be5a7a3bf3b923fd4ee8236fed59ef7ff6a1 Mon Sep 17 00:00:00 2001
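Review bot: `ParentImage: 'C:\Windows\SysWOW64\setup16.exe'` is an exact match on drive letter and directory, unlike the `|endswith` form used for image paths elsewhere in this patch series; on a system drive other than `C:` the rule silently never fires, so `ParentImage|endswith: '\SysWOW64\setup16.exe'` would keep the location check without pinning the drive (the same consideration applies to `Image|startswith: 'C:\~MSSETUP.T\'` in the filter, where a drive mismatch only means the filter stops excluding). The `description` block has three grammar slips that every consumer will copy: `and old installation utility` → `an old installation utility`, `These ".lst" file can contain references to external program` → `These ".lst" files can contain references to external programs`, and `living of the land` → `living off the land`. The `falsepositives` entry reads better as `On modern Windows systems the "Setup16" utility is practically never used, hence false positives should be very rare`.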
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 1 Dec 2024 23:29:17 +0100
Subject: [PATCH 110/144] Merge PR #5106 from @nasbench - Add SID version of integrity levels
chore: add SID version of IntegrityLevel
fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
---
 ...roc_creation_win_exploit_cve_2019_1388.yml | 19 ++++++-----
 ...oc_creation_win_exploit_cve_2021_41379.yml | 6 ++--
 ...n_win_exploit_other_razorinstaller_lpe.yml | 10 +++---
 ...roc_creation_win_conhost_legacy_option.yml | 5 ++-
 ...roc_creation_win_msiexec_install_quiet.yml | 6 ++--
 ...y_privilege_escalation_via_service_key.yml | 6 ++--
 ..._change_sevice_image_path_by_non_admin.yml | 6 ++--
 ...asks_schedule_via_masqueraded_xml_file.yml | 5 ++-
 ...ation_win_spoolsv_susp_child_processes.yml | 6 ++--
 ...ays_install_elevated_windows_installer.yml | 6 ++--
 ...tion_win_susp_child_process_as_system_.yml | 6 ++--
 ...c_creation_win_susp_non_priv_reg_or_ps.yml | 33 +++++++++----------
 ..._creation_win_susp_system_user_anomaly.yml | 6 ++--
 ...sinternals_accesschk_check_permissions.yml | 5 ---
 ...eation_win_tscon_rdp_session_hijacking.yml | 5 ++-
 ..._creation_win_uac_bypass_changepk_slui.yml | 4 ++-
 .../proc_creation_win_uac_bypass_cleanmgr.yml | 4 ++-
 ...win_uac_bypass_cmstp_com_object_access.yml | 4 ++-
 ...eation_win_uac_bypass_computerdefaults.yml | 4 ++-
 ...eation_win_uac_bypass_consent_comctl32.yml | 4 ++-
 .../proc_creation_win_uac_bypass_dismhost.yml | 4 ++-
 ...ion_win_uac_bypass_idiagnostic_profile.yml | 3 ++
 .../proc_creation_win_uac_bypass_ieinstal.yml | 4 ++-
 ...c_creation_win_uac_bypass_msconfig_gui.yml | 4 ++-
 ...tion_win_uac_bypass_ntfs_reparse_point.yml | 4 ++-
 ...oc_creation_win_uac_bypass_pkgmgr_dism.yml | 4 ++-
 .../proc_creation_win_uac_bypass_sdclt.yml | 6 ++--
 .../proc_creation_win_uac_bypass_winsat.yml | 4 ++-
 .../proc_creation_win_uac_bypass_wmp.yml | 14 ++++----
 ...win_uac_bypass_wsreset_integrity_level.yml | 4 ++-
 ...ll_susp_process_spawned_from_webserver.yml | 4 +--
 31 files changed, 127 insertions(+), 78 deletions(-)
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
index 87ece1d91c7..c161099f221 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
@@ -7,7 +7,7 @@ references:
 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
 author: Florian Roth (Nextron Systems)
 date: 2019-11-20
-modified: 2022-05-27
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1068
@@ -17,17 +17,18 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_img:
 ParentImage|endswith: '\consent.exe'
 Image|endswith: '\iexplore.exe'
 CommandLine|contains: ' http'
- rights1:
- IntegrityLevel: 'System' # for Sysmon users
- rights2:
- User|contains: # covers many language settings
- - 'AUTHORI'
- - 'AUTORI'
- condition: selection and ( rights1 or rights2 )
+ selection_rights:
+ - IntegrityLevel:
+ - 'System' # for Sysmon users
+ - 'S-1-16-16384' # System
+ - User|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: critical
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
index 90b5fb8cbdb..ba6f10f9950 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
@@ -9,7 +9,7 @@ references:
 - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
 author: Florian Roth (Nextron Systems)
 date: 2021-11-22
-modified: 2023-02-13
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1068
@@ -30,7 +30,9 @@ detection:
 - 'pwsh.dll'
 selection_parent:
 ParentImage|endswith: '\elevation_service.exe'
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384' # System
 condition: all of selection_*
 falsepositives:
 - Unknown
diff --git a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
index e44c7aef98f..725e9025d78 100644
--- a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -7,7 +7,7 @@ references:
 - https://streamable.com/q2dsji
 author: Florian Roth (Nextron Systems), Maxime Thiebaut
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1553
@@ -18,10 +18,12 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\RazerInstaller.exe'
- IntegrityLevel: 'System'
- filter:
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384' # System
+ filter_main_razer:
 Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
- condition: selection and not filter
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
index 7e412b26610..d50a60c50d9 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
@@ -8,6 +8,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
 author: frack113
 date: 2022-12-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.t1202
@@ -16,7 +17,9 @@ logsource:
 category: process_creation
 detection:
 selection:
- IntegrityLevel: 'High'
+ IntegrityLevel:
+ - 'High'
+ - 'S-1-16-12288'
 CommandLine|contains|all:
 - 'conhost.exe'
 - '0xffffffff'
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
index fdf292ae355..9152850365a 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/_st0pp3r_/status/1583914244344799235
 author: frack113
 date: 2022-01-16
-modified: 2024-03-13
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.t1218.007
@@ -39,7 +39,9 @@ detection:
 ParentImage|startswith: 'C:\Windows\Temp\'
 filter_ccm:
 ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - WindowsApps installing updates via the quiet flag
diff --git a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
index df0524ed9c2..5882e2661c8 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
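Review bot: The SID value added under `IntegrityLevel` in the conhost hunk, `'S-1-16-12288'`, carries no label, whereas the exploit rules earlier in this commit and the UAC-bypass rules later annotate every SID (`# High`, `# System`); the same unlabelled form appears in the msiexec hunk on this line and in the service-key, sc, schtasks, spoolsv, always-install-elevated, child-process-as-system, non-priv-reg-or-ps, system-user-anomaly and tscon hunks that follow. Integrity SIDs are opaque to most readers, so `- 'S-1-16-12288' # High` (with `# System` for `S-1-16-16384` and `# Medium` for `S-1-16-8192`) should be applied consistently across all the files this commit touches. The value-to-name mapping itself agrees with the labels the annotated files already use.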
@@ -7,7 +7,7 @@ references:
 - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
 author: Teymur Kheirkhabarov
 date: 2019-10-26
-modified: 2023-01-30
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1574.011
@@ -16,7 +16,9 @@ logsource:
 category: process_creation
 detection:
 selection:
- IntegrityLevel: 'Medium'
+ IntegrityLevel:
+ - 'Medium'
+ - 'S-1-16-8192'
 CommandLine|contains|all:
 - 'ControlSet'
 - 'services'
diff --git a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
index 1d3ea3bd064..740e1f8957b 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
@@ -7,7 +7,7 @@ references:
 - https://pentestlab.blog/2017/03/30/weak-service-permissions/
 author: Teymur Kheirkhabarov
 date: 2019-10-26
-modified: 2022-07-14
+modified: 2024-12-01
 tags:
 - attack.persistence
 - attack.defense-evasion
@@ -19,7 +19,9 @@ logsource:
 detection:
 scbynonadmin:
 Image|endswith: '\sc.exe'
- IntegrityLevel: 'Medium'
+ IntegrityLevel:
+ - 'Medium'
+ - 'S-1-16-8192'
 selection_binpath:
 CommandLine|contains|all:
 - 'config'
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index a7d8db95a25..541d8fc096b 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -7,6 +7,7 @@ references:
 - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
 author: Swachchhanda Shrawan Poudel, Elastic (idea)
 date: 2023-04-20
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.persistence
@@ -30,7 +31,9 @@ detection:
 filter_main_extension_xml:
 CommandLine|contains: '.xml'
 filter_main_system_process:
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 filter_main_rundll32:
 ParentImage|endswith: '\rundll32.exe'
 ParentCommandLine|contains|all:
diff --git a/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
index e34e32611c9..c18c736d7de 100644
--- a/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
 author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
 date: 2021-07-11
-modified: 2023-02-09
+modified: 2024-12-01
 tags:
 - attack.execution
 - attack.t1203
@@ -18,7 +18,9 @@ logsource:
 detection:
 spoolsv:
 ParentImage|endswith: '\spoolsv.exe'
- IntegrityLevel: System
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 suspicious_unrestricted:
 Image|endswith:
 - '\gpupdate.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
index ef7734a59da..8e4efb8d4c8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
@@ -6,7 +6,7 @@ references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
-modified: 2023-03-23
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1548.002
@@ -25,7 +25,9 @@ detection:
 Image|endswith: 'tmp'
 selection_image_2:
 Image|endswith: '\msiexec.exe'
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 filter_installer:
 ParentImage: 'C:\Windows\System32\services.exe'
 filter_repair:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
index ca37a85689d..1234c122754 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
@@ -9,7 +9,7 @@ references:
 - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
 author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
 date: 2019-10-26
-modified: 2022-12-15
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1134.002
@@ -32,7 +32,9 @@ detection:
 - '\SYSTEM'
 - '\Système'
 - '\СИСТЕМА'
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 filter_rundll32:
 Image|endswith: '\rundll32.exe'
 CommandLine|contains: 'DavSetCookie'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
index d4da3213073..a5e46c532b5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
@@ -6,7 +6,7 @@ references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 date: 2020-10-05
-modified: 2022-07-07
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.t1112
@@ -14,18 +14,19 @@ logsource:
 category: process_creation
 product: windows
 detection:
- reg:
- CommandLine|contains|all:
- - 'reg '
- - 'add'
- powershell:
- CommandLine|contains:
- - 'powershell'
- - 'set-itemproperty'
- - ' sp '
- - 'new-itemproperty'
- select_data:
- IntegrityLevel: 'Medium'
+ selection_cli:
+ - CommandLine|contains|all:
+ - 'reg '
+ - 'add'
+ - CommandLine|contains:
+ - 'powershell'
+ - 'set-itemproperty'
+ - ' sp '
+ - 'new-itemproperty'
+ selection_data:
+ IntegrityLevel:
+ - 'Medium'
+ - 'S-1-16-8192'
 CommandLine|contains|all:
 - 'ControlSet'
 - 'Services'
@@ -33,11 +34,7 @@ detection:
 - 'ImagePath'
 - 'FailureCommand'
 - 'ServiceDLL'
- condition: (reg or powershell) and select_data
-fields:
- - EventID
- - IntegrityLevel
- - CommandLine
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 05427278224..8ddc2570925 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -7,7 +7,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-11-11
+modified: 2024-12-01
 tags:
 - attack.credential-access
 - attack.defense-evasion
@@ -20,7 +20,9 @@ logsource:
 product: windows
 detection:
 selection:
- IntegrityLevel: System
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 User|contains: # covers many language settings
 - 'AUTHORI'
 - 'AUTORI'
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
index b744b889649..52606b4428d 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
@@ -31,11 +31,6 @@ detection:
 - 'qwsu '
 - 'uwdqs '
 condition: all of selection*
-fields:
- - IntegrityLevel
- - Product
- - Description
- - CommandLine
 falsepositives:
 - System administrator Usage
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
index da3c8b1ad66..23ba274be70 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
@@ -6,6 +6,7 @@ references:
 - https://twitter.com/Moti_B/status/909449115477659651
 author: '@juju4'
 date: 2022-12-27
+modified: 2024-12-01
 tags:
 - attack.execution
 logsource:
@@ -16,7 +17,9 @@ detection:
 - Image|endswith: '\tscon.exe'
 - OriginalFileName: 'tscon.exe'
 selection_integrity:
- IntegrityLevel: SYSTEM
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 condition: all of selection_*
 falsepositives:
 - Administrative activity
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
index e35de890eca..baa7cabea9c 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
@@ -8,7 +8,7 @@ references:
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -23,6 +23,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
index 54431028ce1..ebc11bec2c6 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -21,6 +21,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
index e57df597952..e78e952d8d2 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Nik Seetharaman, Christian Burkard (Nextron Systems)
 date: 2019-07-31
-modified: 2022-09-21
+modified: 2024-12-01
 tags:
 - attack.execution
 - attack.defense-evasion
@@ -33,6 +33,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Legitimate CMSTP use (unlikely in modern enterprise environments)
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
index 0163e1ac983..b5c009b3a1f 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-31
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -19,6 +19,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 Image: 'C:\Windows\System32\ComputerDefaults.exe'
 filter:
 ParentImage|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
index e21dee1e9b0..959e21ec5ac 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -21,6 +21,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
index 8250a092d05..5ec3876d27c 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
+++ b/rules/windows/process_creation/pro
c_creation_win_uac_bypass_dismhost.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -23,6 +23,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
index 05ecaa8ee28..a9b10889056 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/Wh04m1001/IDiagnosticProfileUAC
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-03
+modified: 2024-12-01
 tags:
 - attack.execution
 - attack.defense-evasion
@@ -21,6 +22,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
index da0fa174b2a..b0590e33dee 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -19,6 +19,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 ParentImage|endswith: '\ieinstal.exe'
 Image|contains: '\AppData\Local\Temp\'
 Image|endswith: 'consent.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
index 52bec8124ed..0a4eaa08db0 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -19,6 +19,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
 CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
index dfe8b47398f..3db306a9b2a 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -21,6 +21,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 selection2:
 ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
 IntegrityLevel:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
index 523d2be04ec..a57e45efe4d 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -21,6 +21,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
index 77976a2efbd..276326a63b2 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
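Review bot: Only `selection1` received the SID values in the ntfs-reparse-point hunk; the trailing context shows `selection2` with its own `IntegrityLevel:` list that this hunk does not touch, and the diffstat for this file (`4 ++-`, i.e. the `modified` line plus the two SID lines) suggests no other hunk updates it. A source that reports the integrity level as a SID, which is the case this commit exists for, would therefore match `selection1` but never `selection2`, so the same two `S-1-16-…` entries should be added under `selection2`'s `IntegrityLevel:` as well. The `selection2` list itself lies outside the hunk, so I cannot confirm its current contents.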
@@ -7,7 +7,7 @@ references:
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
-modified: 2023-02-14
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.defense-evasion
@@ -18,7 +18,9 @@ logsource:
 detection:
 selection:
 Image|endswith: 'sdclt.exe'
- IntegrityLevel: 'High'
+ IntegrityLevel:
+ - 'High'
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
index c230f475e9a..2889f4f0f31 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -19,6 +19,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
 ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
index a365002b800..dda9e21e4f2 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.privilege-escalation
@@ -15,18 +15,18 @@ logsource:
category: process_creation
product: windows
detection:
- selection1:
+ selection_img_1:
Image: 'C:\Program Files\Windows Media Player\osk.exe'
- IntegrityLevel:
- - 'High'
- - 'System'
- selection2:
+ selection_img_2:
Image: 'C:\Windows\System32\cmd.exe'
ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
+ selection_integrity:
IntegrityLevel:
- 'High'
- 'System'
- condition: 1 of selection*
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
+ condition: 1 of selection_img_* and selection_integrity
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
index 2e139752a3b..960e395d83b 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
@@ -8,7 +8,7 @@ references:
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.privilege-escalation
@@ -22,6 +22,8 @@ detection:
IntegrityLevel:
- 'High'
- 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
index 476809f3cf0..0fdc959f89e 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml @@ -7,7 +7,7 @@ references: - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2019-01-16 -modified: 2023-11-11 +modified: 2024-11-26 tags: - attack.persistence - attack.t1505.003 @@ -59,7 +59,7 @@ detection: - '\netdom.exe' - '\netsh.exe' - '\nltest.exe' - - '\ntdutil.exe' + - '\ntdsutil.exe' - '\powershell_ise.exe' - '\powershell.exe' - '\pwsh.exe' From 2a0c9b55509eb250fa81f21fb8a902b69d1a6ba6 Mon Sep 17 00:00:00 2001 From: Matthew Green Date: Wed, 4 Dec 2024 08:14:54 +1100 Subject: [PATCH 111/144] Merge PR #5107 from @mgreen27 - Update `Potential Defense Evasion Via Rename Of Highly Relevant Binaries` update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule --- .../proc_creation_win_renamed_binary_highly_relevant.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml index f433daa459e..ced7c19a9f7 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml @@ -21,7 +21,7 @@ references: - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/ author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113 date: 2019-06-15 -modified: 2023-08-23 +modified: 2024-12-03 tags: - attack.defense-evasion - attack.t1036.003 
@@ -40,8 +40,10 @@ detection: - 'certutil.exe' - 'cmstp.exe' - 'cscript.exe' + - 'IE4UINIT.EXE' - 'mshta.exe' - 'msiexec.exe' + - 'msxsl.exe' - 'powershell_ise.exe' - 'powershell.exe' - 'psexec.c' # old versions of psexec (2016 seen) @@ -59,8 +61,10 @@ detection: - '\certutil.exe' - '\cmstp.exe' - '\cscript.exe' + - '\ie4uinit.exe' - '\mshta.exe' - '\msiexec.exe' + - '\msxsl.exe' - '\powershell_ise.exe' - '\powershell.exe' - '\psexec.exe' From 6fd57da13139643c6fe3e4a23276ca6ae9a6eec7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 3 Dec 2024 22:44:37 +0100 Subject: [PATCH 112/144] fix: FPs with NetNTLM downgrade attack (#5108) fix: NetNTLM Downgrade Attack - Registry - Tune the rule for specific registry values in order to reduce FP rate. --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../registry_event_net_ntlm_downgrade.yml | 33 ++++++++++++++----- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml index d982ab65fd6..9f131a0f32e 100644 --- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml @@ -4,9 +4,10 @@ status: test description: Detects NetNTLM downgrade attack references: - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -author: Florian Roth (Nextron Systems), wagga + - https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers +author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT) date: 2018-03-20 -modified: 2022-11-29 +modified: 2024-12-03 tags: - attack.defense-evasion - attack.t1562.001 
@@ -15,16 +16,30 @@ logsource:
product: windows
category: registry_event
detection:
- selection:
+ selection_regkey:
TargetObject|contains|all:
- 'SYSTEM\'
- 'ControlSet'
- '\Control\Lsa'
- TargetObject|endswith:
- - '\lmcompatibilitylevel'
- - '\NtlmMinClientSec'
- - '\RestrictSendingNTLMTraffic'
- condition: selection
+ selection_value_lmcompatibilitylevel:
+ TargetObject|endswith: '\lmcompatibilitylevel'
+ Details:
+ - 'DWORD (0x00000000)'
+ - 'DWORD (0x00000001)'
+ - 'DWORD (0x00000002)'
+ selection_value_ntlmminclientsec:
+ TargetObject|endswith: '\NtlmMinClientSec'
+ Details:
+ - 'DWORD (0x00000000)' # No Security
+ - 'DWORD (0x00000010)' # Only Integrity
+ - 'DWORD (0x00000020)' # Only confidentiality
+ - 'DWORD (0x00000030)' # Both Integrity and confidentiality
+ selection_value_restrictsendingntlmtraffic:
+ # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
+ # 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
+ # Hence all values should be monitored and investigated
+ TargetObject|endswith: '\RestrictSendingNTLMTraffic'
+ condition: selection_regkey and 1 of selection_value_*
falsepositives:
- - Unknown
+ - Services or tools that set the values to more restrictive values
level: high
From 58017b6b3fc08c720bf29ce75b62c5d7191ad6ec Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Sat, 7 Dec 2024 01:19:18 +0200
Subject: [PATCH 113/144] Merge PR #5017 from @saakovv - Add `Modification or Deletion of an AWS RDS Cluster` new: Modification or Deletion of an AWS RDS Cluster --------- Co-authored-by: Ivan.Saakov Co-authored-by: nasbench Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
.../cloudtrail/aws_rds_dbcluster_actions.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
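Review bot: `selection_value_lmcompatibilitylevel` lists its three `Details` values without the per-value comments that `selection_value_ntlmminclientsec` carries, which leaves the chosen threshold unexplained; `- 'DWORD (0x00000000)' # Send LM & NTLM responses`, `- 'DWORD (0x00000001)' # Send LM & NTLM - use NTLMv2 session security if negotiated` and `- 'DWORD (0x00000002)' # Send NTLM response only` would match the sibling selection's style. The `NtlmMinClientSec` list covers only combinations of the message-integrity and message-confidentiality bits, so a short comment that values carrying the NTLMv2 session security or 128-bit encryption flags are deliberately excluded would stop a later "completeness" edit from re-adding them. `selection_value_restrictsendingntlmtraffic` matches every write regardless of value, so the new falsepositives entry about tools setting more restrictive values applies to that branch only; saying so in the description would help triage. The `Details` format `DWORD (0x...)` is the Sysmon EID 13 rendering, which is worth noting since `registry_event` may be backed by other sources.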
diff --git a/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml b/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
new file mode 100644
index 00000000000..875c8697180
--- /dev/null
+++ b/rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
@@ -0,0 +1,27 @@
+title: Modification or Deletion of an AWS RDS Cluster
+id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
+status: experimental
+description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
+references:
+ - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
+ - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html
+ - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
+author: Ivan Saakov
+date: 2024-12-06
+tags:
+ - attack.exfiltration
+ - attack.t1020
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: rds.amazonaws.com
+ eventName:
+ - ModifyDBCluster
+ - DeleteDBCluster
+ condition: selection
+falsepositives:
+ - Verify if the modification or deletion was performed by an authorized administrator.
+ - Confirm if the modification or deletion was part of a planned change or maintenance activity.
+level: high
From ee821b8e99d981977e84fe2ff1c2231f71de92b7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 7 Dec 2024 15:47:45 +0100
Subject: [PATCH 114/144] Merge PR #5110 from @Neo23x0 - Update `Remote Access Tool Services Have Been Installed - Security` update: Remote Access Tool Services Have Been Installed - Security - Add anydesk
---
.../win_security_service_install_remote_access_software.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
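Review bot: The rule alerts at `level: high` on every `ModifyDBCluster` and `DeleteDBCluster` call, successful or denied, yet the hacktricks reference it cites is about privilege escalation through a master-password change, and routine cluster administration (parameter groups, instance class, maintenance windows) goes through the same API; without narrowing on `requestParameters` (for example a master password change, disabling deletion protection or a security-group change) or lowering the level, this will be noisy in any account with active RDS operations. The tags also sit oddly: `attack.t1020` (Automated Exfiltration) fits neither a configuration change nor a deletion, for which `attack.impact` / `attack.t1485` would be the closer mapping. The falsepositives entries read as analyst instructions rather than sources of benign matches; the SigmaHQ convention would be something like `- Legitimate administrative changes or scheduled maintenance of RDS clusters`.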
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml index e21a9959cba..3bf361f213e 100644 --- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml +++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml @@ -9,7 +9,7 @@ references: - https://redcanary.com/blog/misbehaving-rats/ author: Connor Martin, Nasreddine Bencherchali (Nextron Systems) date: 2022-12-23 -modified: 2023-11-15 +modified: 2024-12-07 tags: - attack.persistence - attack.t1543.003 @@ -24,6 +24,7 @@ detection: ServiceName|contains: # Based on https://github.com/SigmaHQ/sigma/pull/2841 - 'AmmyyAdmin' # https://www.ammyy.com/en/ + - 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8 - 'Atera' - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html From c6b7a19b59cd3a12ad0f9c6470eb1ed19b4ef574 Mon Sep 17 00:00:00 2001 From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com> Date: Sat, 14 Dec 2024 22:19:32 +0330 Subject: [PATCH 115/144] Merge PR #5099 from @CheraghiMilad - Update `Local System Accounts Discovery - Linux` update: Local System Accounts Discovery - Linux - Add additional binaries to read password files such as "less" and "emacs" as well as additional password file locations such as "/etc/pwd.db" --- .../proc_creation_lnx_local_account.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index 40bccc49ac2..403ed87c47e 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml 
+++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -4,9 +4,11 @@ status: test description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md -author: Alejandro Ortuno, oscd.community + - https://my.f5.com/manage/s/article/K589 + - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb +author: Alejandro Ortuno, oscd.community, CheraghiMilad date: 2020-10-08 -modified: 2024-08-10 +modified: 2024-12-10 tags: - attack.discovery - attack.t1087.001 @@ -28,10 +30,17 @@ detection: - '/tail' - '/vi' - '/vim' + - '/less' + - '/emacs' + - '/sqlite3' + - '/makemap' CommandLine|contains: - '/etc/passwd' - '/etc/shadow' - '/etc/sudoers' + - '/etc/spwd.db' + - '/etc/pwd.db' + - '/etc/master.passwd' selection_4: Image|endswith: '/id' selection_5: From 9b67acfcf6c7e18e3907d9983d6b84031524694e Mon Sep 17 00:00:00 2001 From: Gameel Ali Date: Sat, 14 Dec 2024 21:09:33 +0200 Subject: [PATCH 116/144] Merge PR #5126 from @MalGamy12 - Update `COM Object Hijacking Via Modification Of Default System CLSID Default Value` update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {603D3801-BD81-11d0-A3A5-00C04FD706EC} --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../registry_set_persistence_com_hijacking_builtin.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml index 82a4e741382..ef1f2a33296 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml 
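Review bot: `'/sqlite3'` and `'/makemap'` are added to the `Image|endswith` list without any hint of why they belong in a password-file enumeration rule; `/etc/pwd.db` and `/etc/spwd.db` are db(3) hash databases built by `pwd_mkdb` according to the reference added in the first hunk, so a comment on which tooling these two entries are meant to catch, e.g. `- '/makemap' # Can read db(3) files such as /etc/pwd.db`, would help the next maintainer, and the choice of `sqlite3` in particular looks like it needs a justification since those files are not SQLite databases. The added `'/less'` and `'/emacs'` entries are fine as `endswith` matches but `/emacs` presumably misses distribution-versioned binary names, which is worth a note if that is accepted. The `condition` and the remaining selections of this rule are outside the hunk, so how this selection combines with `selection_4`/`selection_5` could not be checked here.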
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml @@ -12,9 +12,10 @@ references: - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ - https://blog.talosintelligence.com/uat-5647-romcom/ - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques + - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea author: Nasreddine Bencherchali (Nextron Systems) date: 2024-07-16 -modified: 2024-11-19 +modified: 2024-12-14 tags: - attack.persistence - attack.t1546.015 @@ -39,6 +40,7 @@ detection: - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\' - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\' - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\' + - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\' selection_susp_location_1: Details|contains: # Note: Add more suspicious paths and locations From a290d221431a631fefed0ad91d66ea577f7144f2 Mon Sep 17 00:00:00 2001 From: Phill Moore Date: Sun, 15 Dec 2024 06:55:43 +1100 Subject: [PATCH 117/144] Merge PR #5125 from @randomaccess3 - Update `Potential Secure Deletion with SDelete` update: Potential Secure Deletion with SDelete - Enhance metadata --------- Co-authored-by: Nasreddine Bencherchali --- ... => win_security_sdelete_potential_secure_deletion.yml} | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) rename rules/windows/builtin/security/{win_security_susp_sdelete.yml => win_security_sdelete_potential_secure_deletion.yml} (76%) diff --git a/rules/windows/builtin/security/win_security_susp_sdelete.yml b/rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml similarity index 76% rename from rules/windows/builtin/security/win_security_susp_sdelete.yml rename to rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml index 4700f531631..23923fcb34d 100644 --- a/rules/windows/builtin/security/win_security_susp_sdelete.yml 
+++ b/rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml @@ -1,14 +1,14 @@ -title: Secure Deletion with SDelete +title: Potential Secure Deletion with SDelete id: 39a80702-d7ca-4a83-b776-525b1f86a36d status: test -description: Detects renaming of file while deletion with SDelete tool. +description: Detects files that have extensions commonly seen while SDelete is used to wipe files. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete author: Thomas Patzke date: 2017-06-14 -modified: 2021-11-27 +modified: 2024-12-13 tags: - attack.impact - attack.defense-evasion @@ -32,4 +32,5 @@ detection: condition: selection falsepositives: - Legitimate usage of SDelete + - Files that are interacted with that have these extensions legitimately level: medium From 44775b80b95290c07c80853ac325a174e05e1dc7 Mon Sep 17 00:00:00 2001 From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com> Date: Sat, 14 Dec 2024 23:54:15 +0330 Subject: [PATCH 118/144] Merge PR #5117 from @CheraghiMilad - Update `Process Discovery` update: Process Discovery - Add additional processes like "htop" and "atop" --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali --- ...roc_creation_lnx_susp_running_process_discovery.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) rename rules/linux/process_creation/proc_creation_lnx_process_discovery.yml => rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml (75%) 
diff --git a/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml
similarity index 75%
rename from rules/linux/process_creation/proc_creation_lnx_process_discovery.yml
rename to rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml
index ccb7e71601b..4af8025ffa5
--- a/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml
+++ b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml
@@ -6,21 +6,27 @@ description: |
Information obtained could be used to gain an understanding of common software/applications running on systems within the network
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md
-author: Ömer Günal, oscd.community
+ - https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
+author: Ömer Günal, oscd.community, CheraaghiMilad
date: 2020-10-06
modified: 2022-07-07
tags:
- attack.discovery
- attack.t1057
+ - detection.threat-hunting
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
+ - '/atop'
+ - '/htop'
+ - '/pgrep'
- '/ps'
+ - '/pstree'
- '/top'
condition: selection
falsepositives:
- Legitimate administration activities
-level: informational
+level: low
From 957c1fc3d98c9a4aa8aa62671d7b8d4924e90fa1 Mon Sep 17 00:00:00 2001
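Review bot: The new `author:` line spells the contributor `CheraaghiMilad`, while the commit author and the local-account rule earlier in this series use `CheraghiMilad`, so this looks like a typo: `+author: Ömer Günal, oscd.community, CheraghiMilad`. The rule's match list, level, tags and path all change in this hunk, yet `modified: 2022-07-07` is left untouched, unlike every other rule edited in this series; it should be bumped to the edit date. With `/pgrep` and `/pstree` now included, the single falsepositives entry could also name shell scripts and monitoring agents that poll these tools, since they run far more often than an interactive `top`.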
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com>
Date: Sat, 14 Dec 2024 23:56:02 +0330
Subject: [PATCH 119/144] Merge PR #5119 from @CheraghiMilad - Update `Terminate Linux Process Via Kill` update: Terminate Linux Process Via Kill - Add "xkill" --------- Co-authored-by: Nasreddine Bencherchali
---
..._creation_lnx_susp_process_termination_via_kill.yml | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
rename rules/linux/process_creation/proc_creation_lnx_kill_process.yml => rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml (78%)
diff --git a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml
similarity index 78%
rename from rules/linux/process_creation/proc_creation_lnx_kill_process.yml
rename to rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml
index 0dd9466797b..78192617d31
--- a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
+++ b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml
@@ -5,11 +5,14 @@ description: Detects usage of command line tools such as "kill", "pkill" or "kil
references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
+ - https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/
author: Tuan Le (NCSGroup)
date: 2023-03-16
+modified: 2024-12-12
tags:
- attack.defense-evasion
- attack.t1562
+ - detection.threat-hunting
logsource:
product: linux
category: process_creation
@@ -17,9 +20,10 @@ detection:
selection:
Image|endswith:
- '/kill'
- - '/pkill'
- '/killall'
+ - '/pkill'
+ - '/xkill'
condition: selection
falsepositives:
- - Likely
-level: low
+ - Unknown
+level: medium
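Review bot: In the second hunk `falsepositives` moves from `Likely` to `Unknown` and `level` from `low` to `medium` at the same time as the rule is reclassified as threat hunting; `kill`, `pkill` and `killall` are invoked constantly by init scripts, package hooks and monitoring agents, so `Unknown` understates what the earlier wording acknowledged, and a medium severity invites alert fatigue for a hunting rule. Keeping `- Likely` (or naming the sources, e.g. `- Service managers, package scripts and monitoring agents terminating processes`) and leaving the level at `low` would be more consistent with the `detection.threat-hunting` tag added in the first hunk. `xkill` is an X11 desktop utility rather than a signal-sending command, so the description that heads the first hunk ("command line tools such as kill, pkill or killall") should mention it if it stays in the list.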
From 17dcad456f723cc207e524e28bf43efe375c8be8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 14 Dec 2024 21:44:55 +0100 Subject: [PATCH 120/144] Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation new: CVE-2024-50623 Exploitation Attempt - Cleo update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords --------- Co-authored-by: Nasreddine Bencherchali --- ...eation_win_exploit_cve_2024_50623_cleo.yml | 33 +++++++++++++++++++ ..._webshell_recon_commands_and_processes.yml | 16 +++++++-- 2 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml new file mode 100644 index 00000000000..d6b0692c907 --- /dev/null +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml 
@@ -0,0 +1,33 @@
+title: CVE-2024-50623 Exploitation Attempt - Cleo
+id: f007b877-02e3-45b7-8501-1b78c2864029
+status: experimental
+description: |
+ Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
+references:
+ - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+date: 2024-12-09
+tags:
+ - attack.execution
+ - attack.t1190
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\javaw.exe'
+ ParentCommandLine|contains:
+ - 'Harmony'
+ - 'lexicom'
+ - 'VersaLex'
+ - 'VLTrader'
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'powershell'
+ - ' -enc '
+ - ' -EncodedCommand'
+ - '.Download'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
index 96feead4ecc..b2ee15af63b 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
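Review bot: The description has a typo — `Celo software suite` should read `Cleo software suite` — and the tag set is inconsistent with the technique: `attack.t1190` (Exploit Public-Facing Application) belongs to the Initial Access tactic, so `attack.initial-access` is expected alongside or instead of `attack.execution`. The `ParentCommandLine|contains` entry `'lexicom'` is lowercase while its siblings follow product casing (`VersaLex`, `VLTrader`); matching is case-insensitive so this is cosmetic, but `'LexiCom'` would read consistently. Because `CommandLine|contains` is a single OR list, a `cmd.exe` child of the Cleo Java process whose command line merely contains `powershell` matches as well; if that breadth is intended, a one-line comment saying so would stop a later reviewer from tightening it.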
@@ -5,9 +5,10 @@ description: Detects certain command line parameters often used during reconnais
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
-author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
+ - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
date: 2017-01-01
-modified: 2022-05-13
+modified: 2024-12-14
tags:
- attack.persistence
- attack.t1505.003
@@ -58,6 +59,17 @@ detection:
selection_susp_wmic_utility:
OriginalFileName: 'wmic.exe'
CommandLine|contains: ' /node:'
+ selection_susp_powershell_cli:
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ CommandLine|contains:
+ - ' -enc '
+ - ' -EncodedCommand '
+ - ' -w hidden '
+ - ' -windowstyle hidden'
+ - '.WebClient).Download'
selection_susp_misc_discovery_binaries:
- Image|endswith:
- '\dsquery.exe'
From 9f54b01218bde8ed60177d1b210cb3ccf625237b Mon Sep 17 00:00:00 2001
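Review bot: In `selection_susp_powershell_cli` the window-style patterns are inconsistent about trailing whitespace: `' -w hidden '` requires a space after `hidden` and therefore misses a command line that ends with `-w hidden`, whereas `' -windowstyle hidden'` has no such requirement. Dropping the trailing space, `- ' -w hidden'`, aligns the two; the same question applies to `' -EncodedCommand '` here versus `' -EncodedCommand'` in the Cleo rule added by the same commit. The `condition` that ties this selection to the web-server parent lies outside the hunk, so whether an existing `1 of selection_susp_*` picks it up could not be verified here.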
From: Djordje Lukic <112394060+djlukic@users.noreply.github.com> Date: Sat, 14 Dec 2024 21:55:02 +0100 Subject: [PATCH 121/144] Merge PR #5122 from @djlukic - Fix `bXOR Operator Usage In PowerShell Command Line - PowerShell Classic` fix: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Update the logic to remove unrelated keywords and reduce unwanted matches. --------- Co-authored-by: Djordje Lukic Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali --- .../posh_pc_bxor_operator_usage.yml | 29 +++++++++++++++++++ .../posh_pc_xor_commandline.yml | 27 ----------------- 2 files changed, 29 insertions(+), 27 deletions(-) create mode 100644 rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml delete mode 100644 rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml diff --git a/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml new file mode 100644 index 00000000000..fabaf99bf5f --- /dev/null +++ b/rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml 
@@ -0,0 +1,29 @@
+title: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
+id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
+status: test
+description: |
+ Detects powershell execution with that make use of to the bxor (Bitwise XOR).
+ Attackers might use as an alternative obfuscation method to Base64 encoded commands.
+ Investigate the CommandLine and process tree to determine if the activity is malicious.
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
+author: Teymur Kheirkhabarov, Harish Segar
+date: 2020-06-29
+modified: 2024-12-11
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - detection.threat-hunting
+logsource:
+ product: windows
+ category: ps_classic_start
+detection:
+ selection:
+ Data|contains|all:
+ - 'HostName=ConsoleHost'
+ - ' -bxor '
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
deleted file mode 100644
index c54a451470b..00000000000
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ /dev/null
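Review bot: The first description line is ungrammatical — `Detects powershell execution with that make use of to the bxor (Bitwise XOR).` — and should read along the lines of `Detects PowerShell execution that makes use of the -bxor (bitwise XOR) operator.`, with the second line completed as `Attackers might use it as an alternative obfuscation method to Base64-encoded commands.`. The match `' -bxor '` requires whitespace on both sides; PowerShell appears to accept the operator directly followed by a parenthesised operand, so the anchoring is a deliberate precision-over-recall choice that deserves a one-line comment beside the value. The file keeps the id `812837bb-b17f-45e9-8bd0-0ec35d2e3bd6` of the deleted `posh_pc_xor_commandline.yml`, which is fine for a move but means consumers keyed on that id will see its logic change from the old `bxor`/`char`/`join` filter to a single `-bxor` match.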
@@ -1,27 +0,0 @@ -title: Suspicious XOR Encoded PowerShell Command Line - PowerShell -id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6 -status: test -description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. -references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46 -author: Teymur Kheirkhabarov, Harish Segar (rule) -date: 2020-06-29 -modified: 2023-10-27 -tags: - - attack.execution - - attack.t1059.001 -logsource: - product: windows - category: ps_classic_start -detection: - selection: - Data|contains: 'HostName=ConsoleHost' - filter: - Data|contains: - - 'bxor' - - 'char' - - 'join' - condition: selection and filter -falsepositives: - - Unknown -level: medium From 0cb8e32d2682669ac9f128a8c6b0ea04753ee218 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 16 Dec 2024 13:42:23 +0100 Subject: [PATCH 122/144] Merge PR #5130 from @nasbench - Archive new rule references and update cache file chore: archive new rule references and update cache file Co-authored-by: nasbench --- .github/latest_archiver_output.md | 1017 ++++++++++++++--------------- tests/rule-references.txt | 16 + 2 files changed, 524 insertions(+), 509 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index 61bb3c1b997..db507d891e5 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md 
@@ -1,561 +1,560 @@ # Reference Archiver Results -Last Execution: 2024-12-01 02:17:42 +Last Execution: 2024-12-15 02:14:30 ### Archiver Script Results #### Newly Archived References -- https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/ -- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu -- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html +- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ #### Already Archived References -- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ -- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac -- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ -- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code -- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 -- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html -- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace -- https://www.sans.org/cyber-security-summit/archives +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 +- 
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address +- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname +- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 +- https://ipurple.team/2024/09/10/browser-stored-credentials/ +- https://www.action1.com/documentation/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown +- https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html +- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts +- https://github.com/FalconForceTeam/SOAPHound #### Error While Archiving References -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- 
https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://www.trustedsec.com/blog/art_of_kerberoast/ -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- 
https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://tria.ge/220422-1pw1pscfdl/ +- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://github.com/0xthirteen/SharpMove/ +- https://adsecurity.org/?p=3513 +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://www.loobins.io/binaries/launchctl/ +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ - https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://tria.ge/220422-1nnmyagdf2/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- https://www.tarasco.org/security/pwdump_7/ +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://www.anyviewer.com/help/remote-technical-support.html +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- 
https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://objective-see.org/blog/blog_0x1E.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- 
https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ - https://web.archive.org/web/20231210115125/http://www.xuetr.com/ -- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ -- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 -- https://www.loobins.io/binaries/nscurl/ -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites +- https://gtfobins.github.io/gtfobins/git/#shell +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 - 
https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://objective-see.org/blog/blog_0x6D.html -- https://www.huntress.com/blog/attacking-mssql-servers -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role -- https://lots-project.com/site/2a2e617a75726566642e6e6574 -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://github.com/FalconForceTeam/SOAPHound -- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain -- 
https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- https://twitter.com/standa_t/status/1808868985678803222 -- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ -- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://github.com/rapid7/metasploit-framework/issues/11337 +- https://unit42.paloaltonetworks.com/chromeloader-malware/ - https://twitter.com/TheDFIRReport/status/1482078434327244805 -- https://twitter.com/Kostastsale/status/1480716528421011458 -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- 
https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 +- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://trustedsec.com/blog/oops-i-udld-it-again +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- https://www.softperfect.com/products/networkscanner/ -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf -- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication -- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ - https://ngrok.com/blog-post/new-ngrok-domains -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- https://gtfobins.github.io/gtfobins/rsync/#shell -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ -- https://ipurple.team/2024/09/10/browser-stored-credentials/ -- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 -- https://github.com/0xthirteen/SharpMove/ -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://boinc.berkeley.edu/ - 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://adsecurity.org/?p=1785 -- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel -- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html -- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ -- https://www.loobins.io/binaries/hdiutil/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet -- 
https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation -- https://labs.nettitude.com/blog/introducing-sharpwsus/ -- https://www.tarasco.org/security/pwdump_7/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown -- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://tria.ge/231023-lpw85she57/behavioral2 -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ -- https://redcanary.com/blog/threat-detection/process-masquerading/ - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- https://twitter.com/Cryptolaemus1/status/1517634855940632576 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ -- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps -- 
https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://tria.ge/220422-1pw1pscfdl/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e -- https://asec.ahnlab.com/en/61000/ -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html -- 
https://www.loobins.io/binaries/xattr/ -- https://cloud.google.com/access-context-manager/docs/audit-logging -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 -- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps -- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 
-- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://github.com/embedi/CVE-2017-11882 -- https://linux.die.net/man/1/arecord -- https://news.ycombinator.com/item?id=29504755 -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
-- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
-- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
-- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
-- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
-- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
+- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a
 - https://ss64.com/osx/sw_vers.html
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
-- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
-- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
-- https://redcanary.com/blog/msix-installers/
-- https://gtfobins.github.io/gtfobins/capsh/#shell
-- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
-- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
-- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
-- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
-- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
+- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
+- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
+- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
+- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
+- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
+- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
+- https://github.com/gentilkiwi/mimikatz
+- https://gtfobins.github.io/gtfobins/find/#shell
+- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
+- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
+- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
+- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
+- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
+- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
+- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
+- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
+- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
+- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
+- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
+- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
+- https://twitter.com/th3_protoCOL/status/1536788652889497600
+- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps
+- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
+- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
+- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+- https://ss64.com/mac/chflags.html
+- https://us-cert.cisa.gov/ncas/alerts/aa21-259a
+- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
 - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
-- https://tria.ge/240226-fhbe7sdc39/behavioral1
-- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
-- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
-- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
-- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
-- https://tria.ge/240521-ynezpagf56/behavioral1
-- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
-- https://github.com/GhostPack/SharpDPAPI
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
-- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
-- https://gtfobins.github.io/gtfobins/env/#shell
-- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
-- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
-- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
-- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
+- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
+- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
+- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
+- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
+- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
+- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
+- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
+- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
 - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
-- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
+- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
+- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
-- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
-- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/
-- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
-- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
-- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
-- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
-- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
-- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
-- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
-- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
-- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
-- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
-- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
-- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
-- https://www.group-ib.com/resources/threat-research/red-curl-2.html
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
-- https://github.com/antonioCoco/RoguePotato
-- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
-- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
-- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
-- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
-- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
-- https://gtfobins.github.io/gtfobins/gcc/#shell
-- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
+- https://asec.ahnlab.com/en/40263/
+- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
-- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
-- https://gtfobins.github.io/gtfobins/c89/#shell
-- https://www.anyviewer.com/help/remote-technical-support.html
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
-- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
-- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
-- https://gtfobins.github.io/gtfobins/gawk/#shell
-- https://github.com/grayhatkiller/SharpExShell
-- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
-- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
-- https://trustedsec.com/blog/oops-i-udld-it-again
-- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
-- https://gtfobins.github.io/gtfobins/find/#shell
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
-- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
-- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
-- https://twitter.com/th3_protoCOL/status/1536788652889497600
-- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
-- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
+- https://twitter.com/1ZRR4H/status/1537501582727778304
+- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
+- https://learn.microsoft.com/en-us/windows/win32/shell/launch
+- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
+- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector
 - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
-- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
-- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
-- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
-- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
-- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
-- https://gtfobins.github.io/gtfobins/awk/#shell
-- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
-- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
-- https://gtfobins.github.io/gtfobins/flock/#shell
-- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
 - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
-- https://www.action1.com/documentation/
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
+- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
+- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
+- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
+- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
+- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
+- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
+- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
+- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
+- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
+- https://www.loobins.io/binaries/pbpaste/
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
+- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
+- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
 - https://twitter.com/Max_Mal_/status/1775222576639291859
-- https://github.com/CICADA8-Research/RemoteKrbRelay
-- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
-- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
-- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
-- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
-- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
-- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
-- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
-- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
-- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
-- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
+- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/
+- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
+- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
 - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
-- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps
-- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
+- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
+- https://news.ycombinator.com/item?id=29504755
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
-- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
-- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
-- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
-- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
+- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
+- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+- https://tria.ge/220422-1nnmyagdf2/
 - https://www.group-ib.com/blog/apt41-world-tour-2021/
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
 - https://paper.seebug.org/1495/
-- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
-- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
-- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
-- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
-- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
-- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
-- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
-- https://tria.ge/231212-r1bpgaefar/behavioral2
-- https://ss64.com/nt/set.html
-- https://www.loobins.io/binaries/tmutil/
-- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
-- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
-- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
-- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
-- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
-- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
-- https://www.cve.org/CVERecord?id=CVE-2024-1709
-- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
-- https://support.google.com/a/answer/9261439
-- https://gtfobins.github.io/gtfobins/python/#shell
-- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
-- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
-- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
-- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
-- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
-- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
-- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
-- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
-- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
-- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
-- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
-- https://tria.ge/240123-rapteaahhr/behavioral1
-- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
-- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
-- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
-- https://gtfobins.github.io/gtfobins/c99/#shell
-- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
-- https://x.com/Max_Mal_/status/1826179497084739829
-- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
-- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692
-- https://gtfobins.github.io/gtfobins/git/#shell
-- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
-- https://labs.withsecure.com/publications/kapeka
-- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
-- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
-- https://securelist.com/network-tunneling-with-qemu/111803/
-- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
-- https://evasions.checkpoint.com/techniques/macos.html
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
-- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
-- https://megatools.megous.com/
-- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
-- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
-- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
-- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
+- https://tria.ge/240521-ynezpagf56/behavioral1
+- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
+- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
+- https://gtfobins.github.io/gtfobins/mawk/#shell
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
+- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
+- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
+- https://gtfobins.github.io/gtfobins/python/#shell
+- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
+- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
+- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
+- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
+- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
-- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
-- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
-- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
-- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
+- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
+- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
+- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
+- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
+- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
+- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
+- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
+- https://www.loobins.io/binaries/xattr/
+- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
+- https://redcanary.com/blog/msix-installers/
+- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
+- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
+- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
+- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
+- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
+- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
+- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
+- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
+- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
+- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
+- https://labs.withsecure.com/publications/kapeka
+- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
+- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
+- https://tria.ge/240731-jh4crsycnb/behavioral2
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
+- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
+- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
+- https://gtfobins.github.io/gtfobins/flock/#shell
+- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
+- https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
+- https://tria.ge/231023-lpw85she57/behavioral2
+- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
+- https://www.trustedsec.com/blog/art_of_kerberoast/
 - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
-- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
-- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
+- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
+- https://redcanary.com/blog/threat-detection/process-masquerading/
+- https://twitter.com/Kostastsale/status/1646256901506605063?s=20
+- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites
+- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
+- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
+- https://www.softperfect.com/products/networkscanner/
+- https://github.com/embedi/CVE-2017-11882
 - https://gtfobins.github.io/gtfobins/nawk/#shell
-- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
-- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
-- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
-- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
-- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
-- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
-- https://github.com/gentilkiwi/mimikatz
+- https://labs.nettitude.com/blog/introducing-sharpwsus/
+- https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
+- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
+- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
+- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
+- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+- https://www.fortiguard.com/psirt/FG-IR-22-398
+- https://gtfobins.github.io/gtfobins/env/#shell
 - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
-- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
-- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
-- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
-- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
-- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
-- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
-- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
-- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
-- https://twitter.com/1ZRR4H/status/1537501582727778304
-- https://blog.talosintelligence.com/uat-5647-romcom/
-- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
+- https://asec.ahnlab.com/en/61000/
+- https://github.com/CICADA8-Research/RemoteKrbRelay
+- https://cloud.google.com/access-context-manager/docs/audit-logging
+- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
+- https://github.com/grayhatkiller/SharpExShell
+- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
+- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
+- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
+- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
+- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
+- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
+- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
+- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
-- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
-- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
-- 
https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://unit42.paloaltonetworks.com/chromeloader-malware/ +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ +- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://www.attackiq.com/2023/09/20/emulating-rhysida/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors - https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178 -- https://www.forensafe.com/blogs/runmrukey.html -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- https://www.loobins.io/binaries/launchctl/ +- 
https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html - https://github.com/Ylianst/MeshAgent -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://tria.ge/240123-rapteaahhr/behavioral1 +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- 
https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor +- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://support.google.com/a/answer/9261439 +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ +- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack +- https://objective-see.org/blog/blog_0x1E.html +- https://twitter.com/Cryptolaemus1/status/1517634855940632576 +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- 
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://my.f5.com/manage/s/article/K589 +- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild +- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure +- https://www.huntress.com/blog/attacking-mssql-servers +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +- https://blog.talosintelligence.com/uat-5647-romcom/ +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://twitter.com/standa_t/status/1808868985678803222 +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- 
https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html +- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://ss64.com/nt/set.html +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 -- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization -- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise -- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ -- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 -- https://www.tenable.com/security/research/tra-2023-11 -- 
https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://localtonet.com/documents/supported-tunnels -- https://twitter.com/DTCERT/status/1712785421845790799 -- https://www.loobins.io/binaries/pbpaste/ -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 - https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://twitter.com/th3_protoCOL/status/1480621526764322817 -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://github.com/rapid7/metasploit-framework/issues/11337 +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- 
https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://www.cyberciti.biz/faq/linux-remove-user-command/ - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://bazaar.abuse.ch/browse/tag/one/ -- https://ipurple.team/2024/07/15/sharphound-detection/ -- https://ss64.com/mac/hdiutil.html -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy +- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure +- https://gtfobins.github.io/gtfobins/rsync/#shell +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ +- https://github.com/antonioCoco/RoguePotato +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://www.loobins.io/binaries/hdiutil/ +- https://localtonet.com/documents/supported-tunnels +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ +- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://gtfobins.github.io/gtfobins/awk/#shell +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://gtfobins.github.io/gtfobins/gcc/#shell +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt +- 
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html +- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 +- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 +- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ +- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address -- https://ss64.com/mac/chflags.html +- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://man.freebsd.org/cgi/man.cgi?pwd_mkdb +- https://lots-project.com/site/2a2e617a75726566642e6e6574 +- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 +- https://github.com/GhostPack/SharpDPAPI +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe - 
https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive -- https://gtfobins.github.io/gtfobins/mawk/#shell -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://docs.microsoft.com/en-us/sql/tools/bcp-utility +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://adsecurity.org/?p=1785 +- https://boinc.berkeley.edu/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia +- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ +- https://gtfobins.github.io/gtfobins/c89/#shell +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://twitter.com/th3_protoCOL/status/1480621526764322817 +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 +- 
https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://twitter.com/Kostastsale/status/1480716528421011458 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a -- https://asec.ahnlab.com/en/40263/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- 
https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- https://www.loobins.io/binaries/nscurl/ +- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- https://www.loobins.io/binaries/tmutil/ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address +- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://ipurple.team/2024/07/15/sharphound-detection/ +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://megatools.megous.com/ +- https://linux.die.net/man/1/arecord - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf -- https://tria.ge/240731-jh4crsycnb/behavioral2 -- 
https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://adsecurity.org/?p=3513 +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://twitter.com/DTCERT/status/1712785421845790799 +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://evasions.checkpoint.com/techniques/macos.html +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- 
https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+- https://ss64.com/mac/hdiutil.html
+- https://www.tenable.com/security/research/tra-2023-11
+- https://www.forensafe.com/blogs/runmrukey.html
+- https://bazaar.abuse.ch/browse/tag/one/
+- https://gtfobins.github.io/gtfobins/c99/#shell
+- https://objective-see.org/blog/blog_0x6D.html
+- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
+- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
+- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
+- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
+- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
+- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
+- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
+- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
index 88df0e48bb1..22e9505c7b8 100644
--- a/tests/rule-references.txt
+++ b/tests/rule-references.txt
@@ -3874,3 +3874,19 @@ https://www.sans.org/cyber-security-summit/archives
 https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
 https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
 https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
+https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
+https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
+https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
+https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
+https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
+https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
+https://ipurple.team/2024/09/10/browser-stored-credentials/
+https://www.action1.com/documentation/
+https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
+https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
+https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
+https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
+https://github.com/FalconForceTeam/SOAPHound
+https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/
From a9423d69c3928dd452e5befd61fdac9567eee140 Mon Sep 17 00:00:00 2001 From: jstnk9 Date: Thu, 19 Dec 2024 17:56:18 +0100 Subject: [PATCH 123/144] Merge PR #5123 from @jstnk9 - Add new sigma rules related to lummac and RATs behaviors observed ITW new: Lummac Stealer Activity - Execution Of More.com And Vbc.exe new : File Creation Related To RAT Clients --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali --- ...re_generic_creation_configuration_rats.yml | 34 +++++++++++++++++++ ...c_creation_win_malware_lummac_more_vbc.yml | 31 +++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml create mode 100644 rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml diff --git a/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml b/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml new file mode 100644 index 00000000000..fbbd0e98a74 --- /dev/null +++ b/rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml 
@@ -0,0 +1,34 @@
+title: File Creation Related To RAT Clients
+id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
+status: experimental
+description: |
+ File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
+references:
+ - https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
+ - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024-12-19
+tags:
+ - attack.execution
+logsource:
+ category: file_event
+ product: windows
+detection:
+ # VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"
+ # VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
+ selection_required:
+ TargetFilename|contains: '\AppData\Roaming\'
+ selection_variants:
+ TargetFilename|contains:
+ - '\mydata\'
+ - '\datalogs\'
+ - '\hvnc\'
+ - '\dcrat\'
+ TargetFilename|endswith:
+ - '\datalogs.conf'
+ - '\hvnc.conf'
+ - '\dcrat.conf'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate software creating a file with the same name
+level: high
diff --git a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml
new file mode 100644
index 00000000000..527eb6e4590
--- /dev/null
+++ b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml
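Review bot: The selection matches `\dcrat\` and `\dcrat.conf`, but the description names only VenomRAT, AsyncRAT and Lummac, so a reader tuning the rule cannot tell which family the `dcrat` variant stands for. Suggest `File .conf created related to VenomRAT, AsyncRAT, DcRAT and Lummac samples observed in the wild.` (or drop the family list and keep the VT query comments as the provenance). The tag list carries only the tactic `attack.execution` with no technique, while the other rules in this series pair each tactic with a technique tag; if no technique fits, a one-line comment saying so would stop the next reviewer from re-raising it.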
@@ -0,0 +1,31 @@
+title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
+id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
+status: experimental
+description: |
+ Detects the execution of more.com and vbc.exe in the process tree.
+ This behavior was observed by a set of samples related to Lummac Stealer.
+ The Lummac payload is injected into the vbc.exe process.
+references:
+ - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
+ - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
+ - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
+ - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024-12-19
+tags:
+ - attack.defense-evasion
+ - attack.t1055
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
+ selection_parent:
+ ParentImage|endswith: '\more.com'
+ selection_child:
+ - Image|endswith: '\vbc.exe'
+ - OriginalFileName: 'vbc.exe'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
From 8e8b86aab9cc837d5f8d2c828984270ad7d00f84 Mon Sep 17 00:00:00 2001
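Review bot: Nothing in `detection` observes an injection; the selection fires on any `vbc.exe` started by `more.com`, so the third description line and the `attack.t1055` tag describe the campaign context rather than what the rule matches, and an analyst reading the alert will look for injection evidence the rule never checked. Suggest leading with the observable: `Detects vbc.exe being spawned by more.com. This parent/child pair was observed in Lummac Stealer samples, where the stealer payload is subsequently injected into vbc.exe.` The `falsepositives` entry `Unknown` is acceptable for a fresh rule, but a short note that more.com is not a normal launcher for the VB compiler would justify the `high` level.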
From: z00t Date: Thu, 19 Dec 2024 21:07:19 +0400 Subject: [PATCH 124/144] Merge PR #5095 from @faisalusuf - Add new rules related to QuickAssist usage new: QuickAssist Execution new: DNS Query Request By QuickAssist.EXE --------- Co-authored-by: Nasreddine Bencherchali --- .../dns_query/dns_query_win_quickassist.yml | 27 +++++++++++++++++++ ...roc_creation_win_quickassist_execution.yml | 25 +++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 rules/windows/dns_query/dns_query_win_quickassist.yml create mode 100644 rules/windows/process_creation/proc_creation_win_quickassist_execution.yml diff --git a/rules/windows/dns_query/dns_query_win_quickassist.yml b/rules/windows/dns_query/dns_query_win_quickassist.yml new file mode 100644 index 00000000000..4ec687d3caf --- /dev/null +++ b/rules/windows/dns_query/dns_query_win_quickassist.yml 
@@ -0,0 +1,27 @@
+title: DNS Query Request By QuickAssist.EXE
+id: 882e858a-3233-4ba8-855e-2f3d3575803d
+status: experimental
+description: |
+ Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+ - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
+ - https://x.com/cyb3rops/status/1862406110365245506
+ - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
+author: Muhammad Faisal (@faisalusuf)
+date: 2024-12-19
+tags:
+ - attack.initial-access
+ - attack.t1071.001
+ - attack.t1210
+logsource:
+ category: dns_query
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\QuickAssist.exe'
+ QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
+ condition: selection
+falsepositives:
+ - Legitimate use of Quick Assist in the environment.
+level: low
diff --git a/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
new file mode 100644
index 00000000000..78987739d6f
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_quickassist_execution.yml
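Review bot: The tag set (`attack.initial-access`, `attack.t1071.001`, `attack.t1210`) does not describe what the selection matches: a lookup of the Quick Assist session endpoint by `QuickAssist.exe` is remote-access-tool traffic, which the companion `proc_creation_win_quickassist_execution.yml` in the same PR files under `attack.command-and-control` / `attack.t1219`, and T1210 (Exploitation of Remote Services) involves no exploitation here. Suggest aligning both rules on `attack.command-and-control` and `attack.t1219`, keeping `attack.t1071.001` only if the DNS angle is wanted. Minor: `QueryName|endswith` with no leading dot also accepts longer labels that merely end in the same string; if the endpoint is a single fixed host, an exact `QueryName` match is tighter, and if it is a sub-domain family, `'.remoteassistance.support.services.microsoft.com'` is.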
@@ -0,0 +1,25 @@
+title: QuickAssist Execution
+id: e20b5b14-ce93-4230-88af-981983ef6e74
+status: experimental
+description: |
+ Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+ - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
+ - https://x.com/cyb3rops/status/1862406110365245506
+ - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
+author: Muhammad Faisal (@faisalusuf)
+date: 2024-12-19
+tags:
+ - attack.command-and-control
+ - attack.t1219
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\QuickAssist.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use of Quick Assist in the environment.
+level: low
From 2c13dba9f38f5026765a463d6b68e8ad8c84b798 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Thu, 19 Dec 2024 19:35:28 +0200
Subject: [PATCH 125/144] Merge PR #5023 from @saakovv - Add `AWS Key Pair Import Activity` new: AWS Key Pair Import Activity --------- Co-authored-by: Ivan.Saakov Co-authored-by: Nasreddine Bencherchali --- .../aws_ec2_import_key_pair_activity.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
new file mode 100644
index 00000000000..0130118809f
--- /dev/null
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
@@ -0,0 +1,27 @@
+title: AWS Key Pair Import Activity
+id: 92f84194-8d9a-4ee0-8699-c30bfac59780
+status: experimental
+description: |
+ Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
+references:
+ - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html
+author: Ivan Saakov
+date: 2024-12-19
+tags:
+ - attack.initial-access
+ - attack.t1078
+ - attack.persistence
+ - attack.privilege-escalation
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: 'ec2.amazonaws.com'
+ eventName: 'ImportKeyPair'
+ condition: selection
+falsepositives:
+ - Legitimate administrative actions by authorized users importing keys for valid purposes.
+ - Automated processes for infrastructure setup may trigger this alert.
+ - Verify the user identity, user agent, and source IP address to ensure they are expected.
+level: medium
From 3449958dbf7ebc7a7effa43d29bffec8cc9d1b69 Mon Sep 17 00:00:00 2001
From: Koifman
Date: Thu, 19 Dec 2024 19:41:14 +0200
Subject: [PATCH 126/144] Merge PR #5041 from @Koifman - Update tags for `Register new Logon Process by Rubeus` chore: update tags for `Register new Logon Process by Rubeus` --- .../win_security_register_new_logon_process_by_rubeus.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml
index 12b6abebf09..3ec1b616e18 100644
--- a/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml
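Review bot: The selection has no outcome condition, so denied `ImportKeyPair` attempts (CloudTrail records those with an `errorCode`) alert at the same `medium` level as successful imports, while the `DeleteSAMLProvider` rule merged two commits later in this series (PR #5015) restricts itself to successful calls; the two rules from the same author treat failures differently without saying why. Either is defensible, but the choice should be written down, e.g. `# Note: failed (errorCode present) attempts are kept on purpose, as repeated denials are themselves worth a look`, or filtered out if only real imports are wanted. The third `falsepositives` bullet (`Verify the user identity, ...`) is triage guidance rather than a false-positive source; the sibling rules append such guidance to the bullet that names the benign cause.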
@@ -10,6 +10,7 @@ modified: 2022-10-09 tags: - attack.lateral-movement - attack.privilege-escalation + - attack.credential-access - attack.t1558.003 logsource: product: windows From a8d8dcff8f9d9c3b78dd24dd1e438979c8188ffa Mon Sep 17 00:00:00 2001 From: Ivan S Date: Thu, 19 Dec 2024 21:30:41 +0200 Subject: [PATCH 127/144] Merge PR #5015 from @saakovv - Add `AWS SAML Provider Deletion Activity` new: AWS SAML Provider Deletion Activity --------- Co-authored-by: Ivan.Saakov Co-authored-by: Nasreddine Bencherchali --- .../cloudtrail/aws_delete_saml_provider.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml diff --git a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml new file mode 100644 index 00000000000..39d0764567b --- /dev/null +++ b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml 
@@ -0,0 +1,28 @@
+title: AWS SAML Provider Deletion Activity
+id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
+status: experimental
+description: |
+ Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
+ An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
+references:
+ - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
+author: Ivan Saakov
+date: 2024-12-19
+tags:
+ - attack.t1078.004
+ - attack.privilege-escalation
+ - attack.t1531
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: 'iam.amazonaws.com'
+ eventName: 'DeleteSAMLProvider'
+ status: 'success'
+ condition: selection
+falsepositives:
+ - Automated processes using tools like Terraform may trigger this alert.
+ - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
+ - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
+level: medium
From aec72e101dd32c2f21e3493640435ab3ca48a5e4 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Thu, 19 Dec 2024 21:30:58 +0200
Subject: [PATCH 128/144] Merge PR #5016 from @saakovv - Add `New AWS Lambda Function URL Configuration Created` new: New AWS Lambda Function URL Configuration Created --------- Co-authored-by: Ivan.Saakov Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali --- .../cloudtrail/aws_lambda_function_url.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml
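Review bot: `status: 'success'` is not a field CloudTrail itself emits — a failed call is recorded by the presence of `errorCode`/`errorMessage` — and the other CloudTrail rules in this series (`ImportKeyPair`, `CreateFunctionUrlConfig`) key only on `eventSource`/`eventName`; unless the Sigma field mapping for `product: aws` / `service: cloudtrail` supplies a `status` field, this selection can never match and the rule silently detects nothing. Suggest removing the line, or expressing the intent as a filter on `errorCode` and documenting it with `# Only successful deletions; failed attempts are recorded with an errorCode`. Separately, `attack.t1531` is an Impact technique but no `attack.impact` tactic is listed, and the list puts `attack.t1078.004` before its tactic where sibling rules list tactic first.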
diff --git a/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml
new file mode 100644
index 00000000000..5d611b64ade
--- /dev/null
+++ b/rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml
@@ -0,0 +1,27 @@
+title: New AWS Lambda Function URL Configuration Created
+id: ec541962-c05a-4420-b9ea-84de072d18f4
+status: experimental
+description: |
+ Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
+ This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
+references:
+ - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html
+ - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc
+ - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
+author: Ivan Saakov
+date: 2024-12-19
+tags:
+ - attack.initial-access
+ - attack.privilege-escalation
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: lambda.amazonaws.com
+ eventName: 'CreateFunctionUrlConfig'
+ condition: selection
+falsepositives:
+ - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium
From e8a6894eca1a86d10ce7601eb29aece905a7cdc2 Mon Sep 17 00:00:00 2001
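Review bot: `eventSource: lambda.amazonaws.com` is the one unquoted value in the selection while `eventName` and every other CloudTrail rule in this series quote both; the plain scalar parses as a string here, so this is style only, but `eventSource: 'lambda.amazonaws.com'` keeps the files consistent. The tag list carries two tactics and no technique. The exposure the description worries about (an internet-reachable URL with the function's role behind it) is decided by the `AuthType` request parameter (`NONE` versus `AWS_IAM`), which the selection does not look at, and the same exposure can be created on an existing URL config through `UpdateFunctionUrlConfig`, which is not matched; if `requestParameters` is mapped for this logsource, keying on `AuthType` would remove much of the administrator noise the `falsepositives` section anticipates.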
From: Florian Roth Date: Thu, 19 Dec 2024 20:38:44 +0100 Subject: [PATCH 129/144] Merge PR #5132 from @Neo23x0 - Update `DNS Query To Remote Access Software Domain From Non-Browser App` update: DNS Query To Remote Access Software Domain From Non-Browser App - Add `getscreen.me` --------- Co-authored-by: Nasreddine Bencherchali --- ...s_query_win_remote_access_software_domains_non_browsers.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml index 0d00207add1..78e12bf5c59 100644 --- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml +++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml @@ -23,7 +23,7 @@ references: - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization author: frack113, Connor Martin date: 2022-07-11 -modified: 2024-09-13 +modified: 2024-12-17 tags: - attack.command-and-control - attack.t1219 @@ -51,6 +51,7 @@ detection: - 'dwservice.net' - 'express.gotoassist.com' - 'getgo.com' + - 'getscreen.me' # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w - 'integratedchat.teamviewer.com' - 'join.zoho.com' - 'kickstart.jumpcloud.com' From 7c830458e703bd238d0bb4368d96fe58318c4388 Mon Sep 17 00:00:00 2001 From: Daniel Koifman Date: Fri, 27 Dec 2024 17:29:04 +0200 Subject: [PATCH 130/144] Merge PR #5138 from @DanielKoifman - Update `Suspicious Windows Service Tampering` update: Suspicious Windows Service Tampering - Add additional services --- .../proc_creation_win_susp_service_tamper.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index d363c1c4fb9..8d153142bb5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml @@ -18,10 +18,11 @@ references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior date: 2022-09-01 -modified: 2024-10-21 +modified: 2024-12-23 tags: - attack.defense-evasion - attack.t1489 + - attack.t1562.001 logsource: category: process_creation product: windows @@ -148,6 +149,7 @@ detection: - 'mfewc' - 'MMS' - 'mozyprobackup' + - 'mpssvc' - 'MSComplianceAudit' - 'MSDTC' - 'MsDtsServer' @@ -235,6 +237,7 @@ detection: - 'swi_service' - 'swi_update' - 'Symantec' + - 'sysmon' - 'TeamViewer' - 'Telemetryserver' - 'ThreatLockerService' @@ -277,6 +280,7 @@ detection: - 'WRSVC' - 'wsbexchange' - 'WSearch' + - 'wscsvc' - 'Zoolz 2 Service' condition: all of selection_* falsepositives: From 1df3c343910bb708908efc6ce2784e1193819c58 Mon Sep 17 00:00:00 2001 
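Review bot: The `'sysmon'` entry (hunk @@ -235) covers only a default-named install; Sysmon's service name follows the executable name chosen at install time, so renamed deployments never hit this list, which is worth recording next to the entry: `# Default service name only; renamed Sysmon installs use a different service name`. The `'mpssvc'` entry (hunk @@ -148) is the Windows Defender Firewall service, which maps to `attack.t1562.004` (Disable or Modify System Firewall) rather than the `attack.t1562.001` added in the first hunk, so consider adding that tag too. The selection these entries belong to starts outside the hunks, so the match modifier applied to the list is not visible here.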
From: Djordje Lukic <112394060+djlukic@users.noreply.github.com> Date: Fri, 27 Dec 2024 16:38:02 +0100 Subject: [PATCH 131/144] Merge PR #5144 from @djlukic - Fix multiple FPs fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the `HTool` string to avoid unintended matches. fix: Uncommon AppX Package Locations - Add `https://installer.teams.static.microsoft/` fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add `dn.onenote.net/` and `cdn.office.net/` fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for `Kaspersky` and `mDNS Responder` --- .../application/Other/win_av_relevant_match.yml | 6 ++++-- ...deployment_server_uncommon_package_locations.yml | 3 ++- ...in_bits_client_new_transfer_via_uncommon_tld.yml | 4 +++- .../win_codeintegrity_attempted_dll_load.yml | 13 ++++++++++++- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml index 6fe2530d1b1..62bbccddefa 100644 --- a/rules/windows/builtin/application/Other/win_av_relevant_match.yml +++ b/rules/windows/builtin/application/Other/win_av_relevant_match.yml @@ -10,7 +10,7 @@ references: - https://www.nextron-systems.com/?s=antivirus author: Florian Roth (Nextron Systems), Arnim Rupp date: 2017-02-19 -modified: 2024-08-29 +modified: 2024-12-25 tags: - attack.resource-development - attack.t1588 @@ -43,7 +43,9 @@ detection: - 'GrandCrab ' - 'HackTool' - 'HKTL' - - 'HTool' + - 'HTool-' + - '/HTool' + - '.HTool' - 'IISExchgSpawnCMD' - 'Impacket' - 'JSP/BackDoor ' diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml index 4932cd36fa6..f99cf13f302 100644 
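Review bot: Replacing the bare `'HTool'` with `'HTool-'`, `'/HTool'` and `'.HTool'` (hunk @@ -43) drops any detection name in which the token is followed by `/` or `:` rather than `-`, which is the prefix form some engines use; if the false positive being fixed was a substring hit inside an unrelated word, adding `'HTool/'` and `'HTool:'` keeps that coverage without reintroducing it. A short comment recording what triggered the change would let the next tuner judge the trade-off, e.g. `# Note: bare 'HTool' removed, it matched as a substring of unrelated strings`. The keyword list starts outside the hunk, so the modifier in use is not visible.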
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml @@ -9,7 +9,7 @@ references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-11 -modified: 2024-08-29 +modified: 2024-12-25 tags: - attack.defense-evasion logsource: @@ -33,6 +33,7 @@ detection: - 'https://statics.teams.cdn.live.net/' - 'https://statics.teams.cdn.office.net/' - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968 + - 'https://installer.teams.static.microsoft/' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml index 5f5fc4dce4f..1bed4b7f0de 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/malmoeb/status/1535142803075960832 author: Florian Roth (Nextron Systems) date: 2022-06-10 -modified: 2023-03-27 +modified: 2024-12-25 tags: - attack.defense-evasion - attack.persistence @@ -24,6 +24,8 @@ detection: - '.com/' - '.sfx.ms/' - 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&os=win64&lang=en-US + - 'cdn.onenote.net/' + - 'cdn.office.net/' condition: selection and not 1 of filter_main_* falsepositives: - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service 
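Review bot: The two new BITS filter entries `'cdn.onenote.net/'` and `'cdn.office.net/'` (hunk @@ -24) are matched with the same modifier as `'.com/'` (not visible in the hunk, presumably `contains`), so they exempt any transfer whose URL carries that string anywhere, including inside a path or as the tail of a longer hostname; the AppX filter in the same commit anchors its entry with the scheme (`'https://installer.teams.static.microsoft/'`), and `'https://cdn.onenote.net/'` / `'https://cdn.office.net/'` would exempt the same legitimate traffic more tightly. The commit description lists the entry as `dn.onenote.net/`, while the hunk adds `cdn.onenote.net/`. Both filter blocks start outside their hunks.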
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index f9fac468880..f3c8172ecc8 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml @@ -11,7 +11,7 @@ references: - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022-01-20 -modified: 2024-10-08 +modified: 2024-12-25 tags: - attack.execution logsource: @@ -104,6 +104,17 @@ detection: - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent' # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent' + filter_optional_national_instruments: + # Example: \device\harddiskvolume3\program files\national instruments\shared\mdns responder\nimdnsnsp.dll + FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\' + filter_optional_kaspersky: + # Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll + - ProcessNameBuffer|contains|all: + - '\Kaspersky Lab\' + - '\avp.exe' + - FileNameBuffer|contains|all: + - '\Kaspersky Lab\' + - '\antimalware_provider.dll' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule. From fa68da90b193266a463794ddf6c17d4396570fc6 Mon Sep 17 00:00:00 2001 
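Review bot: The first `filter_optional_kaspersky` alternative (`ProcessNameBuffer|contains|all` on `\Kaspersky Lab\` and `\avp.exe`) exempts every file Code Integrity rejects inside the AV process, wherever that file lives, so an unexpected DLL loaded into `avp.exe` from outside its install directory would be filtered along with the vendor's own components; the second alternative already pins `FileNameBuffer` to `\Kaspersky Lab\` plus `\antimalware_provider.dll`, and adding `FileNameBuffer|contains: '\Kaspersky Lab\'` to the process-based one would keep the exemption to Kaspersky's own files. The `# Example:` comment above that alternative shows a `FileNameBuffer` path, so it belongs above the second alternative. The `filter_optional_national_instruments` comment shows a lower-case device path against a mixed-case value, which is fine given Sigma's case-insensitive matching, but a word saying so would pre-empt the question. The `detection` block starts outside the hunk.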
From: Djordje Lukic <112394060+djlukic@users.noreply.github.com> Date: Sat, 28 Dec 2024 22:40:03 +0100 Subject: [PATCH 132/144] Merge PR #5145 from @djlukic - Update Regex of some rules update: Suspicious Non PowerShell WSMAN COM Provider - Update regex to use `\s+` to account for different parsers update: Renamed Powershell Under Powershell Channel - Update regex to use `\s+` to account for different parsers --------- Co-authored-by: Nasreddine Bencherchali --- .../powershell_classic/posh_pc_renamed_powershell.yml | 4 ++-- .../posh_pc_wsman_com_provider_no_powershell.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml index 329717393b6..4bd9c7c9805 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml @@ -7,7 +7,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Harish Segar, frack113 date: 2020-06-29 -modified: 2024-10-08 +modified: 2024-12-27 tags: - attack.execution - attack.t1059.001 @@ -30,7 +30,7 @@ detection: filter_main_host_application_null: # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex. # If you're already mapping and extracting the field, then obviously use that directly. - Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion=' + Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion=' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml index 41f34de7858..bb0aa14b1a6 100644 
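Review bot: The regex change is identical in this hunk and in the `posh_pc_wsman_com_provider_no_powershell.yml` hunk that follows, but the comment above `Data|re` still only explains why a regex is needed, not why `\s+` replaced the literal space; the next person normalising these two rules will not know the single-space form was a documented miss. Suggest extending the comment with `# \s+ rather than a literal space: some parsers/forwarders alter the whitespace between fields, which made the single-space form miss (see PR #5145)`. `\s+` also lets the match span a line break inside `Data`, which is presumably intended. The filter's enclosing `detection` block starts outside the hunk.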
--- a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml @@ -8,7 +8,7 @@ references: - https://github.com/bohops/WSMan-WinRM author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-06-24 -modified: 2024-10-08 +modified: 2024-12-27 tags: - attack.execution - attack.t1059.001 @@ -31,7 +31,7 @@ detection: filter_main_host_application_null: # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex. # If you're already mapping and extracting the field, then obviously use that directly. - Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion=' + Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion=' condition: selection and not 1 of filter_main_* falsepositives: - Unknown From 952d518f66a991354634ac6ab5a9ffc26ed41838 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 6 Jan 2025 15:35:53 +0100 Subject: [PATCH 133/144] Merge PR #5150 from @nasbench - Archive new rule references and update cache file chore: archive new rule references and update cache file Co-authored-by: nasbench --- .github/latest_archiver_output.md | 1011 ++++++++++++++--------------- tests/rule-references.txt | 17 + 2 files changed, 522 insertions(+), 506 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index db507d891e5..96cb0b08d5c 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md 
@@ -1,560 +1,559 @@ # Reference Archiver Results -Last Execution: 2024-12-15 02:14:30 +Last Execution: 2025-01-01 02:08:04 ### Archiver Script Results #### Newly Archived References -- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/ +- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ #### Already Archived References -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 -- https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address -- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname -- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 -- https://ipurple.team/2024/09/10/browser-stored-credentials/ -- https://www.action1.com/documentation/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown -- https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html -- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts -- https://github.com/FalconForceTeam/SOAPHound +- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership +- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services +- https://github.com/antonioCoco/RoguePotato +- https://gtfobins.github.io/gtfobins/env/#shell +- https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html +- https://twitter.com/MsftSecIntel/status/1737895710169628824 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 +- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 +- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc +- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor +- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal +- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 +- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ #### Error While Archiving References +- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://www.huntress.com/blog/attacking-mssql-servers +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins +- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://twitter.com/th3_protoCOL/status/1480621526764322817 +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://github.com/Ylianst/MeshAgent +- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ +- 
https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://gtfobins.github.io/gtfobins/c99/#shell +- https://www.loobins.io/binaries/launchctl/ +- https://www.loobins.io/binaries/nscurl/ +- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc +- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ +- https://gtfobins.github.io/gtfobins/c89/#shell +- https://twitter.com/Kostastsale/status/1480716528421011458 +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- 
https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository +- https://ngrok.com/blog-post/new-ngrok-domains +- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations +- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication -- https://tria.ge/220422-1pw1pscfdl/ +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites +- 
https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +- https://gtfobins.github.io/gtfobins/git/#shell +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://www.anyviewer.com/help/remote-technical-support.html +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://ss64.com/mac/hdiutil.html - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- https://github.com/0xthirteen/SharpMove/ +- https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 +- https://www.trustedsec.com/blog/art_of_kerberoast/ +- https://evasions.checkpoint.com/techniques/macos.html +- 
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://paper.seebug.org/1495/ +- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html - https://adsecurity.org/?p=3513 +- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 +- https://man.freebsd.org/cgi/man.cgi?pwd_mkdb +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 +- https://www.loobins.io/binaries/tmutil/ +- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef +- https://gtfobins.github.io/gtfobins/gcc/#shell +- https://trustedsec.com/blog/oops-i-udld-it-again - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://www.loobins.io/binaries/launchctl/ -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- 
https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://www.tarasco.org/security/pwdump_7/ -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://www.anyviewer.com/help/remote-technical-support.html -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html +- https://ipurple.team/2024/07/15/sharphound-detection/ +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://objective-see.org/blog/blog_0x6D.html +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 +- 
https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ -- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ -- https://gtfobins.github.io/gtfobins/git/#shell -- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 -- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://unit42.paloaltonetworks.com/chromeloader-malware/ -- https://twitter.com/TheDFIRReport/status/1482078434327244805 -- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml -- https://securelist.com/network-tunneling-with-qemu/111803/ -- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior -- https://trustedsec.com/blog/oops-i-udld-it-again -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- 
https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- https://ngrok.com/blog-post/new-ngrok-domains -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a -- https://ss64.com/osx/sw_vers.html -- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ -- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ -- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 - https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ -- 
https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf -- https://github.com/gentilkiwi/mimikatz -- https://gtfobins.github.io/gtfobins/find/#shell -- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://github.com/rapid7/metasploit-framework/issues/11337 - https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://twitter.com/th3_protoCOL/status/1536788652889497600 -- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- https://ss64.com/mac/chflags.html -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 -- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ +- 
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://news.ycombinator.com/item?id=29504755 +- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://tria.ge/240226-fhbe7sdc39/behavioral1 +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- 
https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/ +- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass - https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html -- 
https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings - https://asec.ahnlab.com/en/40263/ -- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://twitter.com/1ZRR4H/status/1537501582727778304 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens -- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- 
https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 -- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role -- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html -- https://www.loobins.io/binaries/pbpaste/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting -- 
https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://news.ycombinator.com/item?id=29504755 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://github.com/gentilkiwi/mimikatz +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- 
https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- https://linux.die.net/man/1/arecord +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ +- https://github.com/embedi/CVE-2017-11882 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://redcanary.com/blog/threat-detection/process-masquerading/ - https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 -- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://tria.ge/220422-1nnmyagdf2/ -- https://www.group-ib.com/blog/apt41-world-tour-2021/ -- 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://paper.seebug.org/1495/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://gtfobins.github.io/gtfobins/mawk/#shell -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 -- https://gtfobins.github.io/gtfobins/python/#shell -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 +- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ +- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://twitter.com/1ZRR4H/status/1537501582727778304 +- https://gtfobins.github.io/gtfobins/flock/#shell +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- 
https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain - https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://www.loobins.io/binaries/xattr/ +- https://gtfobins.github.io/gtfobins/mawk/#shell +- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a +- 
https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://bazaar.abuse.ch/browse/tag/one/ +- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html +- https://gtfobins.github.io/gtfobins/nawk/#shell +- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy - https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://redcanary.com/blog/msix-installers/ +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws +- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +- https://docs.microsoft.com/en-us/sql/tools/bcp-utility +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted -- 
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml +- https://www.loobins.io/binaries/xattr/ +- https://lots-project.com/site/2a2e617a75726566642e6e6574 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- 
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://labs.withsecure.com/publications/kapeka -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://tria.ge/240731-jh4crsycnb/behavioral2 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 -- https://gtfobins.github.io/gtfobins/flock/#shell -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 -- https://tria.ge/231023-lpw85she57/behavioral2 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ - https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ -- https://www.trustedsec.com/blog/art_of_kerberoast/ -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ -- 
https://redcanary.com/blog/threat-detection/process-masquerading/ -- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea -- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 -- https://www.softperfect.com/products/networkscanner/ -- https://github.com/embedi/CVE-2017-11882 -- https://gtfobins.github.io/gtfobins/nawk/#shell -- https://labs.nettitude.com/blog/introducing-sharpwsus/ -- https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps -- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER -- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://gtfobins.github.io/gtfobins/env/#shell -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://asec.ahnlab.com/en/61000/ -- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- 
https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 +- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html +- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://tria.ge/220422-1pw1pscfdl/ +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address - https://cloud.google.com/access-context-manager/docs/audit-logging -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://github.com/grayhatkiller/SharpExShell -- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- https://objective-see.org/blog/blog_0x1E.html +- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization +- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://ss64.com/nt/set.html +- https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html +- 
https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- https://www.loobins.io/binaries/hdiutil/ +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ +- https://labs.withsecure.com/publications/kapeka +- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://gtfobins.github.io/gtfobins/rsync/#shell +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 -- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ -- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ -- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1 -- 
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ -- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel -- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive -- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://twitter.com/standa_t/status/1808868985678803222 +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- 
https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- https://localtonet.com/documents/supported-tunnels +- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://www.forensafe.com/blogs/runmrukey.html +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade - https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178 -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://gtfobins.github.io/gtfobins/capsh/#shell -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://github.com/Ylianst/MeshAgent -- 
https://gtfobins.github.io/gtfobins/gawk/#shell -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 -- https://tria.ge/240123-rapteaahhr/behavioral1 -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://support.google.com/a/answer/9261439 -- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://twitter.com/MsftSecIntel/status/1737895710169628824 -- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf +- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675 - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack -- https://objective-see.org/blog/blog_0x1E.html -- https://twitter.com/Cryptolaemus1/status/1517634855940632576 -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- 
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf +- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://megatools.megous.com/ - https://my.f5.com/manage/s/article/K589 -- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild -- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure -- https://www.huntress.com/blog/attacking-mssql-servers -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://blog.talosintelligence.com/uat-5647-romcom/ -- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ -- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://twitter.com/standa_t/status/1808868985678803222 +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
+- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
+- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
+- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
+- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
+- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
+- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
+- https://www.tenable.com/security/research/tra-2023-11
+- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
+- https://www.loobins.io/binaries/pbpaste/
 - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
-- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
-- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
-- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
-- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
-- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
-- https://ss64.com/nt/set.html
-- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
-- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
-- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
-- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
-- https://github.com/rapid7/metasploit-framework/issues/11337
-- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
-- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
-- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
+- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
+- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
+- https://ss64.com/osx/sw_vers.html
+- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
+- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
 - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
-- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
-- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
-- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
-- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
-- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
-- https://www.cyberciti.biz/faq/linux-remove-user-command/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
-- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
-- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
-- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
-- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
-- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
-- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
-- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
-- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
-- https://gtfobins.github.io/gtfobins/rsync/#shell
-- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
-- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
-- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
-- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
-- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
-- https://github.com/antonioCoco/RoguePotato
-- https://tria.ge/231212-r1bpgaefar/behavioral2
-- https://www.loobins.io/binaries/hdiutil/
-- https://localtonet.com/documents/supported-tunnels
-- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
-- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
-- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
-- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
-- https://www.group-ib.com/resources/threat-research/red-curl-2.html
+- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
+- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
+- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
+- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
 - https://gtfobins.github.io/gtfobins/awk/#shell
-- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
-- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
-- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
-- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
-- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
-- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
-- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
-- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
-- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
-- https://gtfobins.github.io/gtfobins/gcc/#shell
-- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
-- https://tria.ge/240226-fhbe7sdc39/behavioral1
-- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
-- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
+- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
+- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
-- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
-- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
-- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
+- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
+- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
+- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
+- https://redcanary.com/blog/msix-installers/
+- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
+- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
+- https://asec.ahnlab.com/en/61000/
 - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html
-- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
-- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
-- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
-- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
-- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692
-- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
-- https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
-- https://lots-project.com/site/2a2e617a75726566642e6e6574
-- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
+- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
+- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
+- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
+- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
 - https://github.com/GhostPack/SharpDPAPI
-- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
-- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
-- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
-- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
-- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
-- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
-- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
-- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
-- https://adsecurity.org/?p=1785
-- https://boinc.berkeley.edu/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
-- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
-- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
-- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
-- https://gtfobins.github.io/gtfobins/c89/#shell
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
-- https://twitter.com/th3_protoCOL/status/1480621526764322817
-- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
-- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
-- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
-- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
-- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
-- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
-- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
-- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
+- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
+- https://support.google.com/a/answer/9261439
+- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
-- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
-- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
-- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
-- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
-- https://twitter.com/Kostastsale/status/1480716528421011458
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
-- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
-- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
-- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
-- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
-- https://www.loobins.io/binaries/nscurl/
-- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
 - https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
-- https://www.loobins.io/binaries/tmutil/
-- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
+- https://gtfobins.github.io/gtfobins/find/#shell
+- https://twitter.com/NathanMcNulty/status/1785051227568632263
+- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
+- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
+- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
+- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
+- https://twitter.com/TheDFIRReport/status/1482078434327244805
+- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
+- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
+- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
 - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
-- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
-- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
-- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
+- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
 - https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
-- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
-- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
-- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
-- https://ipurple.team/2024/07/15/sharphound-detection/
-- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
+- https://boinc.berkeley.edu/
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
+- https://github.com/0xthirteen/SharpMove/
+- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
+- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+- https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
+- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
+- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
+- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
+- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
+- https://adsecurity.org/?p=1785
+- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
+- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
+- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
+- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
+- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
+- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
+- https://twitter.com/Max_Mal_/status/1775222576639291859
+- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
+- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
+- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
 - https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
-- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
-- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
-- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
-- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
+- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html
+- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
+- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
+- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
+- https://twitter.com/Cryptolaemus1/status/1517634855940632576
+- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
+- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
+- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
+- https://blog.talosintelligence.com/uat-5647-romcom/
+- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
+- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
-- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
-- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
-- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
-- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
-- https://megatools.megous.com/
-- https://linux.die.net/man/1/arecord
-- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
-- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
-- https://www.cve.org/CVERecord?id=CVE-2024-1709
-- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
-- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
-- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
-- https://twitter.com/DTCERT/status/1712785421845790799
-- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
-- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
-- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
 - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
-- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
-- https://evasions.checkpoint.com/techniques/macos.html
-- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
-- https://x.com/Max_Mal_/status/1826179497084739829
-- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
-- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
-- https://ss64.com/mac/hdiutil.html
-- https://www.tenable.com/security/research/tra-2023-11
-- https://www.forensafe.com/blogs/runmrukey.html
-- https://bazaar.abuse.ch/browse/tag/one/
-- https://gtfobins.github.io/gtfobins/c99/#shell
-- https://objective-see.org/blog/blog_0x6D.html
-- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
-- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
-- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
-- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
-- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
-- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
-- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
-- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
-- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
+- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
+- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
+- https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
+- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
+- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector
+- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
+- https://tria.ge/240123-rapteaahhr/behavioral1
+- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
+- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
+- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
+- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
+- https://learn.microsoft.com/en-us/windows/win32/shell/launch
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
+- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
+- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+- https://twitter.com/DTCERT/status/1712785421845790799
+- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
+- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
+- https://unit42.paloaltonetworks.com/chromeloader-malware/
+- https://www.group-ib.com/blog/apt41-world-tour-2021/
+- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
+- https://labs.nettitude.com/blog/introducing-sharpwsus/
+- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
+- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
+- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
+- https://ss64.com/mac/chflags.html
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038
+- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
+- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
+- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
+- https://www.tarasco.org/security/pwdump_7/
+- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
+- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
+- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
+- https://tria.ge/220422-1nnmyagdf2/
+- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
+- https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
+- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
+- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/
+- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
+- https://www.cyberciti.biz/faq/linux-remove-user-command/
+- https://github.com/grayhatkiller/SharpExShell
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706
+- https://twitter.com/th3_protoCOL/status/1536788652889497600
+- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
+- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
+- https://twitter.com/Kostastsale/status/1646256901506605063?s=20
+- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
+- https://www.softperfect.com/products/networkscanner/
+- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
+- https://tria.ge/231023-lpw85she57/behavioral2
+- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
+- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
+- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
+- https://x.com/cyb3rops/status/1862406110365245506
+- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+- https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
+- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
+- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
+- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
+- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
+- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
+- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
+- https://gtfobins.github.io/gtfobins/python/#shell
+- https://tria.ge/240731-jh4crsycnb/behavioral2
diff --git a/tests/rule-references.txt b/tests/rule-references.txt
index 22e9505c7b8..7192856a49d 100644
--- a/tests/rule-references.txt
+++ b/tests/rule-references.txt
@@ -3890,3 +3890,20 @@ https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedu
 https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 https://github.com/FalconForceTeam/SOAPHound
 https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/
+https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
+https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
+https://github.com/antonioCoco/RoguePotato
+https://gtfobins.github.io/gtfobins/env/#shell
+https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
+https://twitter.com/MsftSecIntel/status/1737895710169628824
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
+https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
+https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
+https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
+https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
+https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
+https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
+https://nvd.nist.gov/vuln/detail/CVE-2024-3400
+https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/
+https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
From 8734022722f0a84a53d75c2fcc7c779ca9b2fdfc Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 6 Jan 2025 15:36:19 +0100 Subject: [PATCH 134/144] Merge PR #5149 from @nasbench - Promote older rules status from `experimental` to `test` chore: promote older rules status from experimental to test Co-authored-by: nasbench --- ...s_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml | 2 +- .../proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml | 2 +- .../file_event_win_exploit_cve_2024_1708_screenconnect.yml | 2 +- .../win_security_exploit_cve_2024_1708_screenconnect.yml | 2 +- ...t_cve_2024_1709_user_database_modification_screenconnect.yml | 2 +- .../CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml | 2 +- ...t_cve_2024_1709_user_database_modification_screenconnect.yml | 2 +- ...in_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml | 2 +- .../2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml | 2 +- .../file_event_win_apt_unknown_exploitation_indicators.yml | 2 +- ...reation_win_remote_access_tools_screenconnect_child_proc.yml | 2 +- .../registry_set/registry_set_shell_context_menu_tampering.yml | 2 +- rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml | 2 +- .../audit/bitbucket_audit_full_data_export_triggered.yml | 2 +- .../bitbucket_audit_global_permissions_change_detected.yml | 2 +- .../bitbucket_audit_global_secret_scanning_rule_deleted.yml | 2 +- .../bitbucket_audit_global_ssh_settings_change_detected.yml | 2 +- .../audit/bitbucket_audit_log_configuration_update_detected.yml | 2 +- .../bitbucket_audit_project_secret_scanning_allowlist_added.yml | 2 +- ...tbucket_audit_secret_scanning_exempt_repository_detected.yml | 2 +- .../audit/bitbucket_audit_secret_scanning_rule_deleted.yml | 2 +- .../audit/bitbucket_audit_unauthorized_access_detected.yml | 2 +- .../bitbucket_audit_unauthorized_full_data_export_triggered.yml | 2 +- .../bitbucket_audit_user_details_export_attempt_detected.yml | 2 +- 
.../audit/bitbucket_audit_user_login_failure_detected.yml | 2 +- .../bitbucket_audit_user_login_failure_via_ssh_detected.yml | 2 +- ...bitbucket_audit_user_permissions_export_attempt_detected.yml | 2 +- rules/cloud/github/github_push_protection_bypass_detected.yml | 2 +- rules/cloud/github/github_push_protection_disabled.yml | 2 +- .../win_system_adcs_enrollment_request_denied.yml | 2 +- .../win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml | 2 +- .../dns_query/dns_query_win_onelaunch_update_service.yml | 2 +- rules/windows/image_load/image_load_susp_unsigned_dll.yml | 2 +- .../powershell_module/posh_pm_hktl_evil_winrm_execution.yml | 2 +- rules/windows/process_access/proc_access_win_lsass_memdump.yml | 2 +- .../proc_creation_win_certutil_encode_susp_extensions.yml | 2 +- .../proc_creation_win_certutil_encode_susp_location.yml | 2 +- .../process_creation/proc_creation_win_chcp_codepage_lookup.yml | 2 +- .../proc_creation_win_cmd_ping_copy_combined_execution.yml | 2 +- .../proc_creation_win_diskshadow_script_mode_susp_ext.yml | 2 +- .../process_creation/proc_creation_win_findstr_download.yml | 2 +- .../proc_creation_win_findstr_subfolder_search.yml | 2 +- .../proc_creation_win_lodctr_performance_counter_tampering.yml | 2 +- .../proc_creation_win_odbcconf_response_file.yml | 2 +- .../proc_creation_win_powershell_invoke_webrequest_download.yml | 2 +- ...oc_creation_win_remote_access_tools_anydesk_revoked_cert.yml | 2 +- ...n_win_remote_access_tools_screenconnect_remote_execution.yml | 2 +- ..._creation_win_remote_access_tools_screenconnect_webshell.yml | 2 +- .../proc_creation_win_remote_access_tools_simple_help.yml | 2 +- .../proc_creation_win_sc_query_interesting_services.yml | 2 +- .../process_creation/proc_creation_win_ssh_port_forward.yml | 2 +- .../proc_creation_win_wget_download_susp_locations.yml | 2 +- .../process_creation/proc_creation_win_whoami_all_execution.yml | 2 +- .../registry_set_sentinelone_shell_context_tampering.yml | 2 +- 54 files 
changed, 54 insertions(+), 54 deletions(-)
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
index f483b6e47d1..1bb15c5abf4 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml
@@ -1,6 +1,6 @@
 title: Exploitation Indicator Of CVE-2022-42475
 id: 293ccb8c-bed8-4868-8296-bef30e303b7e
-status: experimental
+status: test
 description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
 references: - https://www.fortiguard.com/psirt/FG-IR-22-398
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
index 76bc58c80e4..9b8e5582e64 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
@@ -1,6 +1,6 @@
 title: Qakbot Regsvr32 Calc Pattern
 id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
-status: experimental
+status: test
 description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
 references: - https://github.com/pr0xylife/Qakbot/
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
index 51d4f2d343f..0f2db55b544 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
@@ -3,7 +3,7 @@ id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
 related: - id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62 type: similar
-status: experimental
+status: test
 description: | This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
 references:
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
index a5b7c079d12..1f5177a1f6d 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
@@ -3,7 +3,7 @@ id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
 related: - id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1 type: similar
-status: experimental
+status: test
 description: | This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
index 651a9363f40..1520735459d 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
@@ -3,7 +3,7 @@ id: 1a821580-588b-4323-9422-660f7e131020
 related: - id: 4109cb6a-a4af-438a-9f0c-056abba41c6f type: similar
-status: experimental
+status: test
 description: | Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml
index 4914ee493d8..54c5f4a936c 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml
@@ -1,6 +1,6 @@
 title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
 id: d27eabad-9068-401a-b0d6-9eac744d6e67
-status: experimental
+status: test
 description: | Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
 references:
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
index f63b2547f00..ed6c82ce731 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
@@ -3,7 +3,7 @@ id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
 related: - id: 1a821580-588b-4323-9422-660f7e131020 type: similar
-status: experimental
+status: test
 description: | This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
index 24eb3cbda42..e0e6cb1ee5b 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
@@ -1,6 +1,6 @@
 title: Potential Raspberry Robin CPL Execution Activity
 id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81
-status: experimental
+status: test
 description: | Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.
diff --git a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
index e40426947ff..9a3133c6bda 100644
--- a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
+++ b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
@@ -1,6 +1,6 @@
 title: DPRK Threat Actor - C2 Communication DNS Indicators
 id: 4d16c9a6-4362-4863-9940-1dee35f1d70f
-status: experimental
+status: test
 description: Detects DNS queries for C2 domains used by DPRK Threat actors.
 references: - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
diff --git a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
index f4d21e4595a..e3db0e2b46f 100644
--- a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
+++ b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
@@ -1,6 +1,6 @@
 title: ScreenConnect - SlashAndGrab Exploitation Indicators
 id: 05164d17-8e11-4d7d-973e-9e4962436b87
-status: experimental
+status: test
 description: | Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
 references:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml
index 432593f2bdd..e8dfcfac80d 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml
@@ -5,7 +5,7 @@ related: type: derived - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5 type: derived
-status: experimental
+status: test
 description: | Detects remote binary or command execution via the ScreenConnect Service. Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml
index 138f44b31d7..8c4d88f2547 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml
@@ -1,6 +1,6 @@
 title: Shell Context Menu Command Tampering
 id: 868df2d1-0939-4562-83a7-27408c4a1ada
-status: experimental
+status: test
 description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
 references: - https://mrd0x.com/sentinelone-persistence-via-menu-context/
diff --git a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
index 0cd347efae5..4c9e9d3de9b 100644
--- a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
+++ b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
@@ -1,6 +1,6 @@
 title: AWS Console GetSigninToken Potential Abuse
 id: f8103686-e3e8-46f3-be72-65f7fcb4aa53
-status: experimental
+status: test
 description: | Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml
index ab30043f2fa..6c6dad09725 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Full Data Export Triggered
 id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8
-status: experimental
+status: test
 description: Detects when full data export is attempted.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
index 2e920a4e307..c47aabd523d 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Global Permission Changed
 id: aac6c4f4-87c7-4961-96ac-c3fd3a42c310
-status: experimental
+status: test
 description: Detects global permissions change activity.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
index 6e8bda2c16c..d85ad0009c4 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Global Secret Scanning Rule Deleted
 id: e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05
-status: experimental
+status: test
 description: Detects Bitbucket global secret scanning rule deletion activity.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
index 39179f0e763..88bb6f2772e 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Global SSH Settings Changed
 id: 16ab6143-510a-44e2-a615-bdb80b8317fc
-status: experimental
+status: test
 description: Detects Bitbucket global SSH access configuration changes.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
index ce0a8b0aa98..cb09d1cda9d 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Audit Log Configuration Updated
 id: 6aa12161-235a-4dfb-9c74-fe08df8d8da1
-status: experimental
+status: test
 description: Detects changes to the bitbucket audit log configuration.
 references: - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
index b1baeb37115..1b5a7a1fb4b 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Project Secret Scanning Allowlist Added
 id: 42ccce6d-7bd3-4930-95cd-e4d83fa94a30
-status: experimental
+status: test
 description: Detects when a secret scanning allowlist rule is added for projects.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
index 6019e448233..2b4c012ae51 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Secret Scanning Exempt Repository Added
 id: b91e8d5e-0033-44fe-973f-b730316f23a1
-status: experimental
+status: test
 description: Detects when a repository is exempted from secret scanning feature.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
index 5ef1c1901ed..dce9a90f6c3 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Secret Scanning Rule Deleted
 id: ff91e3f0-ad15-459f-9a85-1556390c138d
-status: experimental
+status: test
 description: Detects when secret scanning rule is deleted for the project or repository.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
index 08ebde49a7c..d07b69e3309 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Unauthorized Access To A Resource
 id: 7215374a-de4f-4b33-8ba5-70804c9251d3
-status: experimental
+status: test
 description: Detects unauthorized access attempts to a resource.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
index ebb2f462150..a678f07dc31 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml
@@ -1,6 +1,6 @@
 title: Bitbucket Unauthorized Full Data Export Triggered
 id: 34d81081-03c9-4a7f-91c9-5e46af625cde
-status: experimental
+status: test
 description: Detects when full data export is attempted an unauthorized user.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
index a0e96ebd384..ba8d21c409a 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml
@@ -1,6 +1,6 @@
 title: Bitbucket User Details Export Attempt Detected
 id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3
-status: experimental
+status: test
 description: Detects user data export activity.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
index 7eed1a8403e..4fad0d31bae 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
@@ -1,6 +1,6 @@
 title: Bitbucket User Login Failure
 id: 70ed1d26-0050-4b38-a599-92c53d57d45a
-status: experimental
+status: test
 description: | Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
index 9e9a0cebde4..d1fa3fdbdb5 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
@@ -1,6 +1,6 @@
 title: Bitbucket User Login Failure Via SSH
 id: d3f90469-fb05-42ce-b67d-0fded91bbef3
-status: experimental
+status: test
 description: | Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
index 221d4a24fc9..aff1211d40f 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
@@ -1,6 +1,6 @@
 title: Bitbucket User Permissions Export Attempt
 id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
-status: experimental
+status: test
 description: Detects user permission data export attempt.
 references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
diff --git a/rules/cloud/github/github_push_protection_bypass_detected.yml b/rules/cloud/github/github_push_protection_bypass_detected.yml
index 7e537f304b3..a619e57d300 100644
--- a/rules/cloud/github/github_push_protection_bypass_detected.yml
+++ b/rules/cloud/github/github_push_protection_bypass_detected.yml
@@ -1,6 +1,6 @@
 title: Github Push Protection Bypass Detected
 id: 02cf536a-cf21-4876-8842-4159c8aee3cc
-status: experimental
+status: test
 description: Detects when a user bypasses the push protection on a secret detected by secret scanning.
 references: - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
diff --git a/rules/cloud/github/github_push_protection_disabled.yml b/rules/cloud/github/github_push_protection_disabled.yml
index dff55ef9118..296b8125eb0 100644
--- a/rules/cloud/github/github_push_protection_disabled.yml
+++ b/rules/cloud/github/github_push_protection_disabled.yml
@@ -1,6 +1,6 @@
 title: Github Push Protection Disabled
 id: ccd55945-badd-4bae-936b-823a735d37dd
-status: experimental
+status: test
 description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
 references: - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
diff --git a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
index eebe651bf39..ca0de698b91 100644
--- a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
+++ b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
@@ -1,6 +1,6 @@
 title: Active Directory Certificate Services Denied Certificate Enrollment Request
 id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
-status: experimental
+status: test
 description: | Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
index e87cd0f4fed..2f097f59400 100644
--- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
+++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml
@@ -1,6 +1,6 @@ title: No Suitable Encryption Key Found For Generating Kerberos Ticket id: b1e0b3f5-b62e-41be-886a-daffde446ad4 -status: experimental +status: test description: | Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled. diff --git a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml index ee5288b09c8..bb67b6b82d0 100644 --- a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml +++ b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml @@ -1,6 +1,6 @@ title: DNS Query Request To OneLaunch Update Service id: df68f791-ad95-447f-a271-640a0dab9cf8 -status: experimental +status: test description: | Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain. diff --git a/rules/windows/image_load/image_load_susp_unsigned_dll.yml b/rules/windows/image_load/image_load_susp_unsigned_dll.yml index cce9bc1f3ba..c651259e622 100644 --- a/rules/windows/image_load/image_load_susp_unsigned_dll.yml +++ b/rules/windows/image_load/image_load_susp_unsigned_dll.yml @@ -1,6 +1,6 @@ title: Unsigned DLL Loaded by Windows Utility id: b5de0c9a-6f19-43e0-af4e-55ad01f550af -status: experimental +status: test description: | Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code. 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml index 2a5248dfb6d..14edd6ab649 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml @@ -1,6 +1,6 @@ title: HackTool - Evil-WinRm Execution - PowerShell Module id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51 -status: experimental +status: test description: | Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility. references: diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index bf8053d1212..f666d4895c4 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml @@ -1,6 +1,6 @@ title: Potential Credential Dumping Activity Via LSASS id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da -status: experimental +status: test description: | Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature. diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml index 98edaf1a986..0f50997da81 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml 
@@ -3,7 +3,7 @@ id: ea0cdc3e-2239-4f26-a947-4e8f8224e464 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml index 6f1fae87e99..b4a8cf6cffc 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml @@ -3,7 +3,7 @@ id: 82a6714f-4899-4f16-9c1e-9a333544d4c3 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml index d86cf13668d..ea4a95808c5 100644 --- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml @@ -1,6 +1,6 @@ title: Console CodePage Lookup Via CHCP id: 7090adee-82e2-4269-bd59-80691e7c6338 -status: experimental +status: test description: Detects use of chcp to look up the system locale value as part of host discovery references: - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ 
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml index abbed65b2dd..d96cbf5ad45 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 -status: experimental +status: test description: | Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware. references: diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml index 68c22c51fae..b82b4a93ee3 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml @@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: | Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required. diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml index 6b74583968f..95994b838a6 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml 
@@ -3,7 +3,7 @@ id: 587254ee-a24b-4335-b3cd-065c0f1f4baa related: - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f type: obsolete -status: experimental +status: test description: | Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. references: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml index f584edbd743..1734125a56f 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml @@ -3,7 +3,7 @@ id: 04936b66-3915-43ad-a8e5-809eadfd1141 related: - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f type: obsolete -status: experimental +status: test description: | Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. references: diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml index cf707302bd3..7e745360300 100644 --- a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml +++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml 
@@ -1,6 +1,6 @@ title: Rebuild Performance Counter Values Via Lodctr.EXE id: cc9d3712-6310-4320-b2df-7cb408274d53 -status: experimental +status: test description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml index fc62df134c1..1b20ada9acd 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml @@ -5,7 +5,7 @@ related: type: similar - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e type: obsolete -status: experimental +status: test description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml index 5e81fdb2abd..892f6d19f9f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml 
@@ -3,7 +3,7 @@ id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc related: - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 type: derived -status: experimental +status: test description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml index 0234458bf40..05010f5d315 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate id: 41f407b5-3096-44ea-a74f-96d04fbc41be -status: experimental +status: test description: | Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml index ebe5cec977c..7848faadace 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml 
@@ -1,6 +1,6 @@ title: Remote Access Tool - ScreenConnect Remote Command Execution id: b1f73849-6329-4069-bc8f-78a604bb8b23 -status: experimental +status: test description: Detects the execution of a system command via the ScreenConnect RMM service. references: - https://github.com/SigmaHQ/sigma/pull/4467 diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml index 4c96eab5ac8..964b93cc835 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - ScreenConnect Server Web Shell Execution id: b19146a3-25d4-41b4-928b-1e2a92641b1b -status: experimental +status: test description: Detects potential web shell execution from the ScreenConnect server process. references: - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml index f5ae7a5751b..36cbe7befdd 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml 
@@ -1,6 +1,6 @@ title: Remote Access Tool - Simple Help Execution id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2 -status: experimental +status: test description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. diff --git a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml index 7ecfdb1441c..135bbaf94fe 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml @@ -1,6 +1,6 @@ title: Interesting Service Enumeration Via Sc.EXE id: e83e8899-c9b2-483b-b355-5decc942b959 -status: experimental +status: test description: | Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors. diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml index 0e5e79ac389..456e35274ec 100644 --- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml +++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml @@ -1,6 +1,6 @@ title: Port Forwarding Activity Via SSH.EXE id: 327f48c1-a6db-4eb8-875a-f6981f1b0183 -status: experimental +status: test description: Detects port forwarding activity via SSH.exe references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ 
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml index 01636c4e67d..2f37af92a8b 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From IP Via Wget.EXE - Paths id: 40aa399c-7b02-4715-8e5f-73572b493f33 -status: experimental +status: test description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe references: - https://www.gnu.org/software/wget/manual/wget.html diff --git a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml index 22817da9b36..ad25c8fd8d2 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml @@ -1,6 +1,6 @@ title: Enumerate All Information With Whoami.EXE id: c248c896-e412-4279-8c15-1c558067b6fa -status: experimental +status: test description: Detects the execution of "whoami.exe" with the "/all" flag references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ diff --git a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml index 6ab23312f4a..777a1fdcd09 100644 --- a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml +++ b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml 
@@ -1,6 +1,6 @@ title: Potential SentinelOne Shell Context Menu Scan Command Tampering id: 6c304b02-06e6-402d-8be4-d5833cdf8198 -status: experimental +status: test description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne. references: - https://mrd0x.com/sentinelone-persistence-via-menu-context/ From bd2a4c37efde5f69f87040173e990f1f6ff9e234 Mon Sep 17 00:00:00 2001 From: Burak Karaduman <36070747+krdmnbrk@users.noreply.github.com> Date: Tue, 7 Jan 2025 21:00:37 +0300 Subject: [PATCH 135/144] Merge PR #5153 from @krdmnbrk - Add AttackRuleMap to README.md chore: add `AttackRuleMap` project to README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 84debf6d01e..0c66a83ace1 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,7 @@ If you find a false positive or would like to propose a new detection rule idea * [alterix](https://github.com/mtnmunuklu/alterix) - Converts Sigma rules to the query language of CRYPTTECH's SIEM * [AttackIQ](https://www.attackiq.com/2024/01/10/sigmaiq-attackiqs-latest-innovation-for-actionable-detections/) - Sigma Rules integrated in AttackIQ's platform, and [SigmAIQ](https://github.com/AttackIQ/SigmAIQ) for Sigma rule conversion and LLM apps * [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (Since December 2018) +* [AttackRuleMap - Mapping of Atomic Red Team tests and Sigma Rules](https://attackrulemap.com/) * [Confluent Sigma](https://github.com/confluentinc/confluent-sigma) - Kafka Streams supported Sigma rules * [IBM QRadar](https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2023/08/02/qradar-natively-supports-sigma-for-rules-creation) * [Impede Detection Platform](https://impede.ai/) From fad4742996c55d8d4663e611f84877a2b741dc46 Mon Sep 17 00:00:00 2001 
From: samuelmonsempessenthorus <139971708+samuelmonsempessenthorus@users.noreply.github.com> Date: Wed, 8 Jan 2025 23:16:36 +0100 Subject: [PATCH 136/144] Merge PR #5155 from @samuelmonsempessenthorus - Add `CVE-2024-49113 Exploitation Attempt - LDAP Nightmare` new: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ..._exploit_cve_2024_49113_ldap_nightmare.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml new file mode 100644 index 00000000000..466d0708209 --- /dev/null +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml 
@@ -0,0 +1,30 @@
+title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
+id: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148
+status: experimental
+description: |
+ Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
+references:
+ - https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
+ - https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/
+author: Samuel Monsempes
+date: 2025-01-08
+tags:
+ - attack.impact
+ - attack.t1499
+ - cve.2024-49113
+ - detection.emerging-threats
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ selection:
+ Provider_Name: 'Application Error'
+ EventID: 1000
+ Data|contains|all:
+ - 'lsass.exe'
+ - 'WLDAP32.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From b162730502c8f208ecdc260dfda26ef3da534c71 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 15 Jan 2025 12:25:00 +0100
Subject: [PATCH 137/144] Merge PR #5159 from @Neo23x0 - Fix `Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation` fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - Add filter for `\Windows\SoftwareDistribution\Download\`
---
 .../file_event_win_exploit_cve_2023_36874_wermgr_creation.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
index 58e9685c8ef..c331f0ed1ab 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
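Review bot: The selection under `detection` keys on any lsass.exe "Application Error" 1000 event whose event data also mentions WLDAP32.dll, so what it observes is the LSASS crash rather than the exploitation attempt, and a non-malicious lsass.exe fault in WLDAP32.dll produces the identical event. `falsepositives` lists only `Unknown`; I would add `- Non-malicious lsass.exe crashes where the faulting module is WLDAP32.dll` and say in the description that the event is written after the crash, i.e. the denial of service has already happened when the rule fires. Because `Data|contains|all` matches anywhere in the event-data container, the two strings are not tied to the faulting-application and faulting-module fields respectively; where a backend exposes those as named fields the rule should be adapted to them, which the logsource comment already hints at. The LinkedIn feed URL in `references` sits behind a login wall, so it is unlikely to remain a usable reference.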
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
@@ -7,7 +7,7 @@ references:
 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-23
-modified: 2023-10-08
+modified: 2025-01-13
 tags:
 - attack.execution
 - cve.2023-36874
@@ -27,6 +27,7 @@ detection:
 - ':\Windows\SysWOW64\'
 - ':\Windows\WinSxS\'
 - ':\WUDownloadCache\' # Windows Update Download Cache
+ - ':\Windows\SoftwareDistribution\Download\'
 condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
From 961753afb084f2f94afdc5ed5af2715fd9071d02 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 19 Jan 2025 21:42:40 +0100
Subject: [PATCH 138/144] Merge PR #5164 from @Neo23x0 - Update `Exploit Framework User Agent` update: Exploit Framework User Agent - Add default Havoc C2 UA
---
 rules/web/proxy_generic/proxy_ua_frameworks.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/web/proxy_generic/proxy_ua_frameworks.yml b/rules/web/proxy_generic/proxy_ua_frameworks.yml
index c6b89bc3f61..88bf367aabc 100644
--- a/rules/web/proxy_generic/proxy_ua_frameworks.yml
+++ b/rules/web/proxy_generic/proxy_ua_frameworks.yml
@@ -6,7 +6,7 @@ references:
 - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth (Nextron Systems)
 date: 2017-07-08
-modified: 2021-11-27
+modified: 2025-01-18
 tags:
 - attack.command-and-control
 - attack.t1071.001
@@ -48,6 +48,9 @@ detection:
 # Exploits
 - '*wordpress hash grabber*'
 - '*exploit*'
+
+ # Havoc
+ - 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519
 condition: selection
 fields:
 - ClientIP
From f3a3392bd24e37ba6058d396f487069c8a3dab16 Mon Sep 17 00:00:00 2001
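Review bot: The added filter value `':\Windows\SoftwareDistribution\Download\'` carries no explanation, whereas the neighbouring `':\WUDownloadCache\'` entry documents why it is excluded; since this is the less obvious of the two update-related paths I would write `- ':\Windows\SoftwareDistribution\Download\' # Windows Update download/staging directory`. The filter's field and modifier are defined above the hunk, so it is not visible here whether the list is matched with `contains` or `endswith`; if it is `contains`, the new value exempts a wermgr.exe written anywhere beneath that directory tree, which is a broader exclusion than the commit message ("Add filter for `\Windows\SoftwareDistribution\Download\`") suggests and is worth a sentence in the rule's `falsepositives`. The `modified` bump in the first hunk is consistent with the change.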
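Review bot: The new Havoc entry is a stock Chrome 96 on Windows 7 (NT 6.1; WOW64) user-agent string, so any legitimate client still sending that exact UA matches this rule the same way the framework's default does, and the commit message itself calls it the "default Havoc C2 UA". Keeping it as an exact value rather than the `*...*` wildcards used by the entries above it is the right choice and should stay that way. I would record the trade-off in the rule's `falsepositives` (outside this hunk) with `- Legitimate clients that still send the exact default Chrome 96 user agent string` so analysts triaging a hit on this value know to check for an outdated browser before treating it as a framework beacon.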
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 19 Jan 2025 21:43:16 +0100 Subject: [PATCH 139/144] Merge PR #5161 from @nasbench - Archive new rule references and update cache file chore: archive new rule references and update cache file Co-authored-by: nasbench --- .github/latest_archiver_output.md | 1007 ++++++++++++++--------------- tests/rule-references.txt | 31 + 2 files changed, 527 insertions(+), 511 deletions(-) diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md index 96cb0b08d5c..3dedb675838 100644 --- a/.github/latest_archiver_output.md +++ b/.github/latest_archiver_output.md 
@@ -1,559 +1,544 @@ # Reference Archiver Results -Last Execution: 2025-01-01 02:08:04 +Last Execution: 2025-01-15 02:02:12 ### Archiver Script Results #### Newly Archived References -- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ +- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections +- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 #### Already Archived References -- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services -- https://github.com/antonioCoco/RoguePotato -- https://gtfobins.github.io/gtfobins/env/#shell -- https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html -- https://twitter.com/MsftSecIntel/status/1737895710169628824 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 -- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 -- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc -- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor -- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult -- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal -- https://nvd.nist.gov/vuln/detail/CVE-2024-3400 -- 
https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ +- https://www.tenable.com/security/research/tra-2023-11 +- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ +- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 +- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings +- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive +- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ +- https://gtfobins.github.io/gtfobins/awk/#shell +- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps +- https://www.forensafe.com/blogs/runmrukey.html +- https://twitter.com/Max_Mal_/status/1775222576639291859 +- https://labs.withsecure.com/publications/kapeka +- https://www.loobins.io/binaries/hdiutil/ +- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps +- https://gtfobins.github.io/gtfobins/mawk/#shell +- https://lots-project.com/site/2a2e617a75726566642e6e6574 +- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script +- https://gtfobins.github.io/gtfobins/c89/#shell +- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a +- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ +- 
https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise +- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html +- https://support.google.com/a/answer/9261439 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation #### Error While Archiving References -- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ -- https://www.huntress.com/blog/attacking-mssql-servers -- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ +- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows +- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit +- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf +- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy +- https://cloud.google.com/access-context-manager/docs/audit-logging +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor 
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html -- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html -- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf -- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ -- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 -- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://github.com/rapid7/metasploit-framework/issues/11337 +- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging +- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html +- https://github.com/GhostPack/SharpDPAPI +- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ +- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ +- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps +- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks +- 
https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine +- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ +- https://asec.ahnlab.com/en/40263/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic -- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF -- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html -- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 -- https://twitter.com/th3_protoCOL/status/1480621526764322817 -- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch -- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery -- https://github.com/Ylianst/MeshAgent -- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ -- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ -- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ -- https://gtfobins.github.io/gtfobins/c99/#shell -- https://www.loobins.io/binaries/launchctl/ +- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 +- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure +- https://www.trustedsec.com/blog/art_of_kerberoast/ +- 
http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ +- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md +- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html +- https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- https://github.com/CICADA8-Research/RemoteKrbRelay +- https://twitter.com/DTCERT/status/1712785421845790799 +- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 +- https://redcanary.com/blog/msix-installers/ - https://www.loobins.io/binaries/nscurl/ -- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ -- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ -- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc -- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ -- https://gtfobins.github.io/gtfobins/c89/#shell -- https://twitter.com/Kostastsale/status/1480716528421011458 -- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd +- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/ -- 
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide -- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +- https://tria.ge/220422-1nnmyagdf2/ +- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ +- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt +- https://learn.microsoft.com/en-us/windows/client-management/manage-recall +- https://gtfobins.github.io/gtfobins/flock/#shell +- https://github.com/gentilkiwi/mimikatz +- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ +- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html +- https://objective-see.org/blog/blog_0x1E.html +- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated +- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications +- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt +- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://ipurple.team/2024/07/15/sharphound-detection/ +- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ +- https://twitter.com/standa_t/status/1808868985678803222 +- 
https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing +- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ +- https://tria.ge/220422-1pw1pscfdl/ +- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ +- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ +- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc +- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) +- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 +- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin +- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 +- https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 +- https://asec.ahnlab.com/en/61000/ +- https://twitter.com/TheDFIRReport/status/1482078434327244805 +- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand +- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability +- https://twitter.com/th3_protoCOL/status/1480621526764322817 +- 
https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 +- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 +- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority +- https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 +- https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 +- https://gtfobins.github.io/gtfobins/capsh/#shell +- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch +- https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 +- https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf +- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ +- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html +- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf +- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 +- https://ss64.com/mac/chflags.html - 
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode -- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ -- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html -- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ -- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository -- https://ngrok.com/blog-post/new-ngrok-domains +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 +- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 +- https://us-cert.cisa.gov/ncas/alerts/aa21-259a +- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html -- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ +- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/ +- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- 
https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd +- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding +- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 +- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ +- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg +- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html +- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 +- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ +- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ +- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all +- https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers +- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 - 
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations -- https://www.group-ib.com/resources/threat-research/red-curl-2.html -- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns -- https://www.fortiguard.com/psirt/FG-IR-22-398 -- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor -- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ -- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe -- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ -- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory -- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes -- https://gtfobins.github.io/gtfobins/git/#shell -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) -- https://www.anyviewer.com/help/remote-technical-support.html +- https://tria.ge/240521-ynezpagf56/behavioral1 +- https://github.com/0xthirteen/SharpMove/ +- 
https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities -- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ -- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials -- https://x.com/Max_Mal_/status/1826179497084739829 -- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ -- https://ss64.com/mac/hdiutil.html -- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -- https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 -- https://www.trustedsec.com/blog/art_of_kerberoast/ -- https://evasions.checkpoint.com/techniques/macos.html +- https://tria.ge/231023-lpw85she57/behavioral2 +- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software +- https://bazaar.abuse.ch/browse/tag/one/ +- https://www.attackiq.com/2023/09/20/emulating-rhysida/ +- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ +- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ +- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues +- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes -- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior -- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ -- https://paper.seebug.org/1495/ -- 
https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt -- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html -- https://adsecurity.org/?p=3513 -- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability -- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b -- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ -- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 -- https://man.freebsd.org/cgi/man.cgi?pwd_mkdb -- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ -- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ -- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 -- https://www.loobins.io/binaries/tmutil/ -- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef -- https://gtfobins.github.io/gtfobins/gcc/#shell -- https://trustedsec.com/blog/oops-i-udld-it-again -- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html -- https://ipurple.team/2024/07/15/sharphound-detection/ -- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ -- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ -- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure -- 
http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ -- https://objective-see.org/blog/blog_0x6D.html -- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966 -- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive -- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 -- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 -- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/ -- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software -- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ -- https://github.com/rapid7/metasploit-framework/issues/11337 -- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace -- https://www.cyberciti.biz/faq/how-force-kill-process-linux/ -- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b -- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 -- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 -- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand -- 
https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation -- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 -- https://news.ycombinator.com/item?id=29504755 -- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance -- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues -- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea -- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ -- https://tria.ge/240226-fhbe7sdc39/behavioral1 -- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ -- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis -- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 -- https://gtfobins.github.io/gtfobins/gawk/#shell -- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 -- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/ -- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension -- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 -- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/ -- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details -- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference -- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ -- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ -- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass -- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf -- https://tria.ge/240521-ynezpagf56/behavioral1 -- https://us-cert.cisa.gov/ncas/alerts/aa21-259a -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 -- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings -- https://asec.ahnlab.com/en/40263/ -- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging -- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 -- https://github.com/gentilkiwi/mimikatz -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 -- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ -- 
https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 -- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html -- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html -- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet +- https://cloud.google.com/logging/docs/audit/understanding-audit-logs +- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild +- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure -- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior +- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated -- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted -- https://www.cve.org/CVERecord?id=CVE-2024-1709 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role -- https://linux.die.net/man/1/arecord -- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation -- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ -- 
https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ -- https://github.com/embedi/CVE-2017-11882 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ -- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ -- https://redcanary.com/blog/threat-detection/process-masquerading/ -- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner -- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php -- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting +- https://gtfobins.github.io/gtfobins/nawk/#shell +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass +- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval +- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change +- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ -- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ -- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC -- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/ -- 
https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html -- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ -- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin -- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 -- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ -- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 -- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ -- https://twitter.com/1ZRR4H/status/1537501582727778304 -- https://gtfobins.github.io/gtfobins/flock/#shell -- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 +- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token +- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html +- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -- 
https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 -- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ -- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338 -- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support -- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ -- https://gtfobins.github.io/gtfobins/capsh/#shell -- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 -- https://github.com/CICADA8-Research/RemoteKrbRelay - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain -- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install -- https://gtfobins.github.io/gtfobins/mawk/#shell -- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a -- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 -- https://bazaar.abuse.ch/browse/tag/one/ +- https://ss64.com/nt/set.html +- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ +- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor +- https://evasions.checkpoint.com/techniques/macos.html +- https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html +- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension +- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder +- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ +- 
https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 +- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 +- https://www.loobins.io/binaries/pbpaste/ +- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 +- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 +- https://x.com/cyb3rops/status/1862406110365245506 +- https://ss64.com/mac/hdiutil.html +- https://twitter.com/1ZRR4H/status/1537501582727778304 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel +- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance +- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ +- https://linux.die.net/man/1/arecord +- https://www.group-ib.com/resources/threat-research/red-curl-2.html +- https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml +- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 +- 
https://tria.ge/240123-rapteaahhr/behavioral1 +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management +- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker +- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html +- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection +- https://news.ycombinator.com/item?id=29504755 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes +- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html -- https://gtfobins.github.io/gtfobins/nawk/#shell +- https://gtfobins.github.io/gtfobins/python/#shell +- https://www.fortiguard.com/psirt/FG-IR-22-398 +- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode +- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage +- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ +- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 +- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ +- 
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions +- https://tria.ge/240226-fhbe7sdc39/behavioral1 - https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files -- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 -- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy -- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps -- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -- https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc -- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ -- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c -- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml -- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 -- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml -- https://www.loobins.io/binaries/xattr/ -- https://lots-project.com/site/2a2e617a75726566642e6e6574 -- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 -- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps -- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking -- https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) -- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ -- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ -- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion -- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ -- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response -- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations -- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf +- https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html +- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis +- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +- 
https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ +- https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 +- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 -- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html -- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ -- https://tria.ge/220422-1pw1pscfdl/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address -- https://cloud.google.com/access-context-manager/docs/audit-logging -- https://objective-see.org/blog/blog_0x1E.html -- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps -- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ -- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization +- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl +- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia 
+- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 +- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ -- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 -- https://ss64.com/nt/set.html -- https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html -- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication -- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ -- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ -- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting -- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ -- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/ -- https://www.loobins.io/binaries/hdiutil/ -- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations -- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ -- https://labs.withsecure.com/publications/kapeka -- https://securelist.com/network-tunneling-with-qemu/111803/ -- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens -- https://gtfobins.github.io/gtfobins/rsync/#shell -- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ -- 
https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles -- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 -- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt -- https://twitter.com/standa_t/status/1808868985678803222 -- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker -- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ -- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps -- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ -- https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ -- https://localtonet.com/documents/supported-tunnels -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a -- https://www.forensafe.com/blogs/runmrukey.html -- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade -- https://www.attackiq.com/2023/09/20/emulating-rhysida/ -- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 -- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 -- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ -- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 -- 
https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection -- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 -- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf -- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 -- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675 -- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack -- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 -- https://tria.ge/231212-r1bpgaefar/behavioral2 -- https://megatools.megous.com/ -- https://my.f5.com/manage/s/article/K589 -- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10) -- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html -- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html -- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ -- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist -- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins -- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access +- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ -- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 -- https://www.tenable.com/security/research/tra-2023-11 -- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN -- https://www.loobins.io/binaries/pbpaste/ -- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 -- https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps -- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf -- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections -- https://ss64.com/osx/sw_vers.html -- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ -- 
https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration -- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ -- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf -- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ -- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ -- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ -- https://gtfobins.github.io/gtfobins/awk/#shell -- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ -- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors -- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx -- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 -- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ -- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows -- https://redcanary.com/blog/msix-installers/ -- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ -- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer -- 
https://asec.ahnlab.com/en/61000/ -- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html -- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys +- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration -- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 -- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178 -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray -- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump -- https://github.com/GhostPack/SharpDPAPI -- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup -- https://support.google.com/a/answer/9261439 -- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 -- https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 +- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf +- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 -- https://gtfobins.github.io/gtfobins/find/#shell -- https://twitter.com/NathanMcNulty/status/1785051227568632263 -- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html -- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl -- https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ -- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173 -- https://twitter.com/TheDFIRReport/status/1482078434327244805 -- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 -- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder -- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd -- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ -- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ -- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v -- https://boinc.berkeley.edu/ -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 -- https://github.com/0xthirteen/SharpMove/ -- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare -- 
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators -- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -- https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 -- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations -- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ -- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html -- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 -- https://adsecurity.org/?p=1785 -- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ -- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ -- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf -- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ -- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html -- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html -- https://twitter.com/Max_Mal_/status/1775222576639291859 -- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 -- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications -- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise -- 
https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ -- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool -- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html -- https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/ -- https://learn.microsoft.com/en-us/windows/client-management/manage-recall -- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 -- https://twitter.com/Cryptolaemus1/status/1517634855940632576 -- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently -- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool -- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ -- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change -- https://blog.talosintelligence.com/uat-5647-romcom/ -- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage -- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create -- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo +- https://ngrok.com/blog-post/new-ngrok-domains +- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ +- https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address +- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ +- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule -- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 -- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html -- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html -- https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 -- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script -- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector -- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER -- https://tria.ge/240123-rapteaahhr/behavioral1 -- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg -- 
https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country +- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ +- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html +- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 +- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication +- https://adsecurity.org/?p=3513 +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure +- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/ +- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands +- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare +- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 +- https://www.cyberciti.biz/faq/linux-remove-user-command/ - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect -- https://learn.microsoft.com/en-us/windows/win32/shell/launch -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 -- https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022 -- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ -- https://twitter.com/DTCERT/status/1712785421845790799 +- 
https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer +- https://twitter.com/Kostastsale/status/1480716528421011458 +- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ +- https://x.com/Max_Mal_/status/1826179497084739829 +- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ +- https://x.com/_st0pp3r_/status/1742203752361128162?s=20 - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ -- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records -- https://unit42.paloaltonetworks.com/chromeloader-malware/ +- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf - https://www.group-ib.com/blog/apt41-world-tour-2021/ +- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ +- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings +- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 +- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization +- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in +- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ +- 
https://us-cert.cisa.gov/ncas/alerts/aa21-008a +- https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ +- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ +- https://gtfobins.github.io/gtfobins/find/#shell - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html -- https://labs.nettitude.com/blog/introducing-sharpwsus/ +- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC +- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html +- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675 +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup +- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ +- https://twitter.com/NathanMcNulty/status/1785051227568632263 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user +- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ +- https://gtfobins.github.io/gtfobins/rsync/#shell +- 
https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) +- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html +- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ +- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html +- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ +- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector +- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://twitter.com/Cryptolaemus1/status/1517634855940632576 +- https://ss64.com/osx/sw_vers.html +- https://gtfobins.github.io/gtfobins/gawk/#shell +- https://www.loobins.io/binaries/launchctl/ +- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 +- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ +- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +- https://gtfobins.github.io/gtfobins/gcc/#shell +- https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps +- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis +- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 +- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 +- 
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 +- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +- https://redcanary.com/blog/threat-detection/process-masquerading/ +- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 +- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 -- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps +- https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 +- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ +- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html +- https://www.loobins.io/binaries/xattr/ +- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +- https://unit42.paloaltonetworks.com/chromeloader-malware/ +- https://www.loobins.io/binaries/tmutil/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp +- 
https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 +- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ +- https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/ +- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address -- https://ss64.com/mac/chflags.html -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 +- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery +- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion +- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +- https://gtfobins.github.io/gtfobins/git/#shell +- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace +- https://my.f5.com/manage/s/article/K589 +- 
https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e +- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory +- https://tria.ge/231212-r1bpgaefar/behavioral2 +- https://www.anyviewer.com/help/remote-technical-support.html +- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install +- https://www.cve.org/CVERecord?id=CVE-2024-1709 +- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference +- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers +- https://localtonet.com/documents/supported-tunnels +- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials -- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 -- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER +- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c +- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash +- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis +- https://adsecurity.org/?p=1785 +- 
https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ +- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html +- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx +- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 +- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml +- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ +- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +- https://learn.microsoft.com/en-us/windows/win32/shell/launch +- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 +- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors +- https://boinc.berkeley.edu/ +- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ +- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ +- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ - https://www.tarasco.org/security/pwdump_7/ -- 
https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/ +- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 +- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 +- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1 +- https://www.softperfect.com/products/networkscanner/ +- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b +- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +- https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html +- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html +- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ +- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967 +- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt +- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address +- 
https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/ +- https://paper.seebug.org/1495/ +- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ +- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup +- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ +- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe +- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ +- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ +- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1 +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ +- https://github.com/embedi/CVE-2017-11882 +- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc +- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ +- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 +- https://docs.microsoft.com/en-us/sql/tools/bcp-utility +- 
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed +- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 +- https://objective-see.org/blog/blog_0x6D.html +- https://trustedsec.com/blog/oops-i-udld-it-again +- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +- https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html +- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html +- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 +- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations +- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ +- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ +- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack +- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ +- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html -- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ -- https://tria.ge/220422-1nnmyagdf2/ -- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 -- 
https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files -- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild -- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ -- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 -- https://www.cyberciti.biz/faq/linux-remove-user-command/ -- https://github.com/grayhatkiller/SharpExShell -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 -- https://twitter.com/th3_protoCOL/status/1536788652889497600 +- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html -- https://cloud.google.com/logging/docs/audit/understanding-audit-logs -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine -- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 -- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ -- https://www.softperfect.com/products/networkscanner/ -- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token -- https://tria.ge/231023-lpw85she57/behavioral2 -- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval -- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/ +- 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html +- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in +- https://web.archive.org/web/20231210115125/http://www.xuetr.com/ +- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist +- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd -- https://x.com/cyb3rops/status/1862406110365245506 -- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ -- https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers -- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ -- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ -- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt -- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing -- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ -- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis -- https://gtfobins.github.io/gtfobins/python/#shell -- https://tria.ge/240731-jh4crsycnb/behavioral2 +- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ +- https://blog.talosintelligence.com/uat-5647-romcom/ +- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/ +- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +- 
https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a +- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage +- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ +- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 +- https://gtfobins.github.io/gtfobins/c99/#shell +- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging +- https://www.huntress.com/blog/attacking-mssql-servers +- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ +- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials +- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ +- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 +- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/ +- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ +- https://github.com/grayhatkiller/SharpExShell +- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 +- 
https://github.com/Ylianst/MeshAgent +- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently +- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef +- https://man.freebsd.org/cgi/man.cgi?pwd_mkdb +- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v +- https://securelist.com/network-tunneling-with-qemu/111803/ +- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ +- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging +- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel +- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/ +- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details +- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html +- https://megatools.megous.com/ +- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 diff --git a/tests/rule-references.txt b/tests/rule-references.txt index 7192856a49d..f299c5574e8 100644 --- a/tests/rule-references.txt +++ b/tests/rule-references.txt 
@@ -3907,3 +3907,34 @@ https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-
 https://nvd.nist.gov/vuln/detail/CVE-2024-3400
 https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/
 https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
+https://www.tenable.com/security/research/tra-2023-11
+https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
+https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
+https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
+https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
+https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
+https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
+https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
+https://gtfobins.github.io/gtfobins/awk/#shell
+https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps
+https://www.forensafe.com/blogs/runmrukey.html
+https://twitter.com/Max_Mal_/status/1775222576639291859
+https://labs.withsecure.com/publications/kapeka
+https://www.loobins.io/binaries/hdiutil/
+https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
+https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
+https://gtfobins.github.io/gtfobins/mawk/#shell
+https://lots-project.com/site/2a2e617a75726566642e6e6574
+https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
+https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
+https://gtfobins.github.io/gtfobins/c89/#shell
+https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a
+https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
+https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
+https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
+https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
+https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
+https://support.google.com/a/answer/9261439
+https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
+https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
+https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
From 06a5d085086d5bab0015b4eed29d591e3321b870 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 19 Jan 2025 21:55:40 +0100 Subject: [PATCH 140/144] Merge PR #5163 from @Neo23x0 - Add/Update Rsync Linux Rules update: Shell Execution via Rsync - Linux - Rework logic to make it more generic and include additional shells. new: Suspicious Invocation of Shell via Rsync --------- Co-authored-by: Nasreddine Bencherchali --- ...roc_creation_lnx_rsync_shell_execution.yml | 31 ++++++++++++---- .../proc_creation_lnx_rsync_shell_spawn.yml | 37 +++++++++++++++++++ 2 files changed, 60 insertions(+), 8 deletions(-) create mode 100644 rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml
index 0e68d8e950c..6fdd74444d2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml
@@ -2,11 +2,12 @@ title: Shell Execution via Rsync - Linux
 id: e2326866-609f-4015-aea9-7ec634e8aa04
 status: experimental
 description: |
- Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+ Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
 references:
 - https://gtfobins.github.io/gtfobins/rsync/#shell
-author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
 date: 2024-09-02
+modified: 2025-01-18
 tags:
 - attack.execution
 - attack.t1059
@@ -15,15 +16,29 @@ logsource:
 product: linux
 detection:
 selection_img:
- Image|endswith: '/rsync'
+ Image|endswith:
+ - '/rsync'
+ - '/rsyncd'
 CommandLine|contains: ' -e '
 selection_cli:
 CommandLine|contains:
- - 'sh 0<&2 1>&2'
- - 'sh 1>&2 0<&2'
- selection_null:
- CommandLine|contains: '/dev/null'
+ - '/ash '
+ - '/bash '
+ - '/dash '
+ - '/csh '
+ - '/sh '
+ - '/zsh '
+ - '/tcsh '
+ - '/ksh '
+ - "'ash "
+ - "'bash "
+ - "'dash "
+ - "'csh "
+ - "'sh "
+ - "'zsh "
+ - "'tcsh "
+ - "'ksh "
 condition: all of selection_*
 falsepositives:
- - Unknown
+ - Legitimate cases in which "rsync" is used to execute a shell
 level: high
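Review bot: In the second hunk the `selection_cli` patterns only match a shell that is path-prefixed (`'/sh '`) or single-quoted (`"'sh "`), so an `-e` argument written with double quotes or no quotes (`-e "sh -c ..."`, `-e sh`) is not covered; adding the double-quoted forms (`- '"sh '`, `- '"bash '`, and so on for the other shells) or an unquoted `' -e sh '` variant would close that gap. `selection_img` keys only on the short flag `' -e '`, while rsync also accepts the long form `--rsh=`, so `CommandLine|contains` should become a list holding both `' -e '` and `'--rsh='`. The reason for the added `'/rsyncd'` image suffix is not stated; a comment on that entry saying what binary or wrapper it is meant to catch would help, since upstream rsync presumably runs its daemon as `rsync --daemon` rather than shipping a separate `rsyncd` executable.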
diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml
new file mode 100644
index 00000000000..d75fc682da0
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml
@@ -0,0 +1,37 @@
+title: Suspicious Invocation of Shell via Rsync
+id: 297241f3-8108-4b3a-8c15-2dda9f844594
+status: experimental
+description: |
+ Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+references:
+ - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
+ - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
+author: Florian Roth
+date: 2025-01-18
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.t1203
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ ParentImage|endswith:
+ - '/rsync'
+ - '/rsyncd'
+ Image|endswith:
+ - '/ash'
+ - '/bash'
+ - '/csh'
+ - '/dash'
+ - '/ksh'
+ - '/sh'
+ - '/tcsh'
+ - '/zsh'
+ filter_main_expected:
+ CommandLine|contains: ' -e '
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: high
From 083eb54e30510c4c8631ecf905c71022c65458f6 Mon Sep 17 00:00:00 2001
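Review bot: `filter_main_expected` checks `CommandLine|contains: ' -e '` on the spawned shell's own command line, but the `-e` flag the description refers to is an argument of the parent rsync process, so the filter does not implement the stated exemption: `rsync -e 'sh -c ...'` yields a child whose CommandLine is `sh -c ...` and is still matched, while any child shell that happens to carry ` -e ` in its own arguments (for instance `sh -e script.sh`) is exempted, which weakens the detection. If the intent is to exempt the documented `-e`/`--rsh` usage, the check belongs on the parent: `ParentCommandLine|contains: ' -e '` (plus `'--rsh='` for the long form). A comment on the filter stating which process's command line is inspected would also help, because the description currently reads as if the parent flag were being checked.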
From: Josh Date: Sun, 19 Jan 2025 16:00:59 -0500 Subject: [PATCH 141/144] Merge PR #5157 from @joshnck - Add `Azure Login Bypassing Conditional Access Policies` new: Azure Login Bypassing Conditional Access Policies --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali --- ...microsoft365_bypass_conditional_access.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
new file mode 100644
index 00000000000..ea65230b335
--- /dev/null
+++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
@@ -0,0 +1,28 @@
+title: Azure Login Bypassing Conditional Access Policies
+id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
+status: experimental
+description: |
+ Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
+author: Josh Nickels, Marius Rothenbücher
+references:
+ - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
+ - https://github.com/JumpsecLabs/TokenSmith
+date: 2025-01-08
+tags:
+ - attack.defense-evasion
+ - attack.t1078
+logsource:
+ service: audit
+ product: m365
+detection:
+ selection:
+ Operation: 'UserLoggedIn'
+ ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
+ ResultStatus: 'Success'
+ RequestType: 'Cmsi:Cmsi'
+ filter_main_bjectid:
+ ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: high
From fb27bee6d8d6eaac4b4d2875ae81b643553fc413 Mon Sep 17 00:00:00 2001
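Review bot: The filter name `filter_main_bjectid` looks like a typo for `filter_main_objectid`; it still satisfies `condition: selection and not 1 of filter_main_*`, so the rule works, but the name should be corrected before it is copied into other rules. The `ApplicationId` GUID in `selection` is left unexplained while `ObjectId` gets a comment; `ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223' # Microsoft Intune Company Portal` (the application the description names) would make the two consistent, and `RequestType: 'Cmsi:Cmsi'` deserves a similar note on what that request type identifies. The key order also differs from the other rules in this series, which list `references` before `author`.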
From: Renan LAVAREC Date: Sun, 19 Jan 2025 22:02:29 +0100 Subject: [PATCH 142/144] Merge PR #5152 from @Ti-R - Fix `Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load` fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add exclusion filter `C:\ProgramData\Package Cache\{` to account for cases like the execution of `vcredist` --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali --- .../image_load/image_load_dll_vsstrace_susp_load.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
index 3afd9ff24ce..52f758683f8 100644
--- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml
@@ -1,4 +1,4 @@
-title: Suspicious Volume Shadow Copy Vsstrace.dll Load
+title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
 id: 48bfd177-7cf2-412b-ad77-baf923489e82
 related:
 - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
@@ -11,7 +11,7 @@ references:
 - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
 date: 2023-02-17
-modified: 2023-03-28
+modified: 2025-01-19
 tags:
 - attack.defense-evasion
 - attack.impact
@@ -22,7 +22,7 @@ logsource:
 detection:
 selection:
 ImageLoaded|endswith: '\vsstrace.dll'
- filter_windows:
+ filter_main_windows:
 - Image:
 - 'C:\Windows\explorer.exe'
 - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
@@ -31,7 +31,8 @@ detection:
 - 'C:\Windows\SysWOW64\'
 - 'C:\Windows\Temp\{' # Installers
 - 'C:\Windows\WinSxS\'
- filter_program_files:
+ - 'C:\ProgramData\Package Cache\{' # Microsoft Visual Redistributable installer VC_redist/vcredist EXE
+ filter_optional_program_files:
 # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
 Image|startswith:
 - 'C:\Program Files\'
@@ -39,4 +40,4 @@ detection:
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
-level: high
+level: medium
From 48d5c5064c3335a26a333bec06957c17603e4ec4 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 22 Jan 2025 16:29:33 -0500
Subject: [PATCH 143/144] Merge PR #5168 from @defensivedepth - Prepend algo to hash values
fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
fix: Renamed ZOHO Dctask64 Execution - prepend IMPASH to hash value
---
 .../proc_creation_win_apt_forest_blizzard_activity.yml | 6 +++---
 ...in_dctask64_arbitrary_command_and_dll_execution.yml | 10 +++++-----
 .../proc_creation_win_hktl_dumpert.yml | 4 ++--
 .../proc_creation_win_renamed_dctask64.yml | 10 +++++-----
 4 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
index 840901fde94..da7db97a376 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
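Review bot: The new exclusion `- 'C:\ProgramData\Package Cache\{' # Microsoft Visual Redistributable installer VC_redist/vcredist EXE` is a prefix under `C:\ProgramData`, which by default lets non-administrators create files and folders, so it is a weaker exclusion than the `C:\Windows\` prefixes it sits next to in `filter_main_windows`. If the loads being excluded really come from the `VC_redist`/`vcredist` installers named in the comment, a tighter form would pair the path with the binary name in its own selector, e.g. `filter_main_package_cache:` with `Image|startswith: 'C:\ProgramData\Package Cache\{'` and `Image|contains: 'redist'`, which the existing `condition: selection and not 1 of filter_*` already covers; otherwise the inline comment should say the prefix is deliberately broad. The rename to `filter_optional_program_files` and the level drop to medium in the following hunk are consistent with that wider exclusion set.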
@@ -8,7 +8,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-04-23
-modified: 2024-05-11
+modified: 2025-01-22
 tags:
 - attack.defense-evasion
 - attack.execution
@@ -18,8 +18,8 @@ logsource:
 detection:
 selection_hashes:
 Hashes|contains:
- - '6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
- - 'c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
+ - 'SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
+ - 'SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
 selection_schtasks_create:
 Image|endswith: '\schtasks.exe'
 CommandLine|contains|all:
diff --git a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
index 2fcbe4e8788..fc560bb5b62 100644
--- a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-01-28
-modified: 2024-04-22
+modified: 2025-01-22
 tags:
 - attack.defense-evasion
 - attack.t1055.001
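Review bot: The two new `SHA256=` values in `selection_hashes` keep their digests in lowercase hex, whereas Sysmon writes the `Hashes` field in uppercase and the other three rules touched by this commit (the dctask64 and Dumpert hunks) use uppercase throughout. Sigma string matching is case-insensitive per the specification, so this is a consistency point rather than a functional defect, but a backend that compiles `contains` to a case-sensitive term or wildcard query would miss the event. I'd normalise to `- 'SHA256=6B311C0A977D21E772AC4E99762234DA852BBF84293386FBE78622A96C0B052F'` and `- 'SHA256=C60EAD92CD376B689D1B4450F2578B36EA0BF64F3963CFA5546279FA4424C2A5'` so all four rules follow the same format.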
@@ -21,10 +21,10 @@ detection:
 selection_img:
 - Image|endswith: '\dctask64.exe'
 - Hashes|contains:
- - '6834B1B94E49701D77CCB3C0895E1AFD' # Imphash
- - '1BB6F93B129F398C7C4A76BB97450BBA' # Imphash
- - 'FAA2AC19875FADE461C8D89DCF2710A3' # Imphash
- - 'F1039CED4B91572AB7847D26032E6BBF' # Imphash
+ - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
+ - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
+ - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
+ - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
 selection_cli:
 CommandLine|contains:
 - ' executecmd64 '
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml b/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
index 8f1ea5d8091..fd0d206266a 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml
@@ -7,7 +7,7 @@ references:
 - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
 author: Florian Roth (Nextron Systems)
 date: 2020-02-04
-modified: 2023-02-04
+modified: 2025-01-22
 tags:
 - attack.credential-access
 - attack.t1003.001
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- - Hashes|contains: '09D278F9DE118EF09163C6140255C690'
+ - Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'
 - CommandLine|contains: 'Dumpert.dll'
 condition: selection
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
index f8d82f84a49..e851300f40c 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-01-28
-modified: 2024-04-22
+modified: 2025-01-22
 tags:
 - attack.defense-evasion
 - attack.t1036
@@ -23,10 +23,10 @@ logsource:
 detection:
 selection:
 Hashes|contains:
- - '6834B1B94E49701D77CCB3C0895E1AFD' # Imphash
- - '1BB6F93B129F398C7C4A76BB97450BBA' # Imphash
- - 'FAA2AC19875FADE461C8D89DCF2710A3' # Imphash
- - 'F1039CED4B91572AB7847D26032E6BBF' # Imphash
+ - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
+ - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
+ - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
+ - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
 filter_main_legit_name:
 Image|endswith: '\dctask64.exe'
 condition: selection and not 1 of filter_main_*
From a99b163c93b265db1ab3e771930b6b97c3c703c5 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 22 Jan 2025 22:30:58 +0100
Subject: [PATCH 144/144] Merge PR #5166 from @frack113 - Fix `Privileged User Has Been Created`
fix: Privileged User Has Been Created - Add missing comma to avoid false positives
---
 rules/linux/builtin/lnx_privileged_user_creation.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml
index 44d9931fdb5..3c87d942851 100644
--- a/rules/linux/builtin/lnx_privileged_user_creation.yml
+++ b/rules/linux/builtin/lnx_privileged_user_creation.yml
@@ -8,6 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
 author: Pawel Mazur
 date: 2022-12-21
+modified: 2025-01-21
 tags:
 - attack.persistence
 - attack.t1136.001
@@ -24,10 +25,10 @@ detection:
 selection_new_user:
 - 'new user'
 selection_uids_gids:
- - 'GID=0' # root group
- - 'UID=0' # root UID
- - 'GID=10' # wheel group
- - 'GID=27' # sudo group
+ - 'GID=0,' # root group
+ - 'UID=0,' # root UID
+ - 'GID=10,' # wheel group
+ - 'GID=27,' # sudo group
 condition: all of selection_*
 falsepositives:
 - Administrative activity
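Review bot: The trailing comma on `'GID=0,'`, `'UID=0,'`, `'GID=10,'` and `'GID=27,'` anchors each keyword to the end of its field, which stops the substring matches the commit is presumably fixing (e.g. `GID=10` also matching `GID=1000`), but it also makes the rule assume the UID/GID pair is never the last `key=value` in the `new user` log line, where no comma follows. In the shadow-utils useradd message the `home=` and `shell=` fields come after UID/GID, so that holds there, but it is now a format dependency worth recording; I'd add `# trailing comma anchors the value (avoids prefix matches); assumes UID/GID are not the last field of the log line` above `selection_uids_gids:`. Since this is a keyword-only rule, the comment also helps anyone porting it to a log source with a different field order.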