From d924b1922934320fbd112cb8000beb075d359b46 Mon Sep 17 00:00:00 2001 
From: Bhavin Patel
Date: Mon, 27 Nov 2023 11:44:59 -0800
Subject: [PATCH] update dist/ssa for 4.16.0
---
 dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml | 1 +
 dist/ssa/srs/ssa___attempt_to_delete_services.yml | 1 +
 dist/ssa/srs/ssa___attempt_to_disable_services.yml | 1 +
 ...ssa___attempted_credential_dump_from_registry_via_reg_exe.yml | 1 +
 dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml | 1 +
 dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml | 1 +
 dist/ssa/srs/ssa___delete_a_net_user.yml | 1 +
 dist/ssa/srs/ssa___deleting_shadow_copies.yml | 1 +
 dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml | 1 +
 .../ssa___detect_prohibited_applications_spawning_cmd_exe.yml | 1 +
 ..._detect_prohibited_applications_spawning_cmd_exe_browsers.yml | 1 +
 ...___detect_prohibited_applications_spawning_cmd_exe_office.yml | 1 +
 ...etect_prohibited_applications_spawning_cmd_exe_powershell.yml | 1 +
 dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml | 1 +
 dist/ssa/srs/ssa___disable_net_user_account.yml | 1 +
 dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml | 1 +
 dist/ssa/srs/ssa___fsutil_zeroing_file.yml | 1 +
 dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml | 1 +
 .../srs/ssa___hiding_files_and_directories_with_attrib_exe.yml | 1 +
 .../ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml | 1 +
 .../srs/ssa___office_product_spawning_windows_script_host.yml | 1 +
 dist/ssa/srs/ssa___resize_shadowstorage_volume.yml | 1 +
 dist/ssa/srs/ssa___sdelete_application_execution.yml | 1 +
 dist/ssa/srs/ssa___services_lolbas_execution_process_spawn.yml | 1 +
 .../ssa___system_process_running_from_unexpected_location.yml | 1 +
 dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml | 1 +
 dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml | 1 +
 dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml | 1 +
 dist/ssa/srs/ssa___windows_bits_job_persistence.yml | 1 +
 dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml | 1 +
 dist/ssa/srs/ssa___windows_certutil_decode_file.yml | 1 +
 dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml | 1 +
 dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml | 1 +
 .../ssa___windows_com_hijacking_inprocserver32_modification.yml | 1 +
 dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml | 1 +
 ...___windows_default_group_policy_object_modified_with_gpme.yml | 1 +
 .../srs/ssa___windows_defender_tools_in_non_standard_path.yml | 1 +
 dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml | 1 +
 .../ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml | 1 +
 dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml | 1 +
 .../srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml | 1 +
 .../srs/ssa___windows_file_share_discovery_with_powerview.yml | 1 +
 dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml | 1 +
 .../srs/ssa___windows_ingress_tool_transfer_using_explorer.yml | 1 +
 .../ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml | 1 +
 dist/ssa/srs/ssa___windows_mshta_child_process.yml | 1 +
 dist/ssa/srs/ssa___windows_mshta_command_line_url.yml | 1 +
 dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml | 1 +
 dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml | 1 +
 ...__windows_os_credential_dumping_with_ntdsutil_export_ntds.yml | 1 +
 .../srs/ssa___windows_os_credential_dumping_with_procdump.yml | 1 +
 ...windows_powershell_connect_to_internet_with_hidden_window.yml | 1 +
 ...disabled_kerberos_pre_authentication_discovery_get_aduser.yml | 1 +
 ...bled_kerberos_pre_authentication_discovery_with_powerview.yml | 1 +
 dist/ssa/srs/ssa___windows_powershell_downloadfile.yml | 1 +
 dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml | 1 +
 dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml | 1 +
 dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml | 1 +
 ...utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml | 1 +
 ...e_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml | 1 +
 ..._system_utilities_advpack_dll_lolbas_in_non_standard_path.yml | 1 +
 ...m_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml | 1 +
 ...em_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml | 1 +
 ...e_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml | 1 +
 ...utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml | 1 +
 ...ename_system_utilities_at_exe_lolbas_in_non_standard_path.yml | 1 +
 ...system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml | 1 +
 dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml | 1 +
 dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml | 1 +
 dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml | 1 +
 ...ystem_binary_proxy_execution_compiled_html_file_decompile.yml | 1 +
 ...ry_proxy_execution_compiled_html_file_url_in_command_line.yml | 1 +
 ...cution_compiled_html_file_using_infotech_storage_handlers.yml | 1 +
 ...s_system_binary_proxy_execution_msiexec_dllregisterserver.yml | 1 +
 ...ows_system_binary_proxy_execution_msiexec_remote_download.yml | 1 +
 ...dows_system_binary_proxy_execution_msiexec_unregister_dll.yml | 1 +
 dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml | 1 +
 77 files changed, 77 insertions(+)
diff --git a/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml b/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml
index 54c9294ede..7c5ea33c46 100644
--- a/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml
+++ b/dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml
@@ -2,6 +2,7 @@ name: Anomalous usage of Archive Tools
 id: 63614a58-10e2-4c6c-ae81-ea1113681439
 version: 1
 status: production
+detection_type: STREAMING
 description: The following detection identifies the usage of archive tools from the command line.
 search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
diff --git a/dist/ssa/srs/ssa___attempt_to_delete_services.yml b/dist/ssa/srs/ssa___attempt_to_delete_services.yml
index 9749ef2b85..a2583ba0a4 100644
--- a/dist/ssa/srs/ssa___attempt_to_delete_services.yml
+++ b/dist/ssa/srs/ssa___attempt_to_delete_services.yml
@@ -2,6 +2,7 @@ name: Attempt To Delete Services
 id: a0c8c292-d01a-11eb-aa18-acde48001122
 version: 3
 status: production
+detection_type: STREAMING
 description: The following analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then delete it.
diff --git a/dist/ssa/srs/ssa___attempt_to_disable_services.yml b/dist/ssa/srs/ssa___attempt_to_disable_services.yml
index 839bf2d9e4..057227862f 100644
--- a/dist/ssa/srs/ssa___attempt_to_disable_services.yml
+++ b/dist/ssa/srs/ssa___attempt_to_disable_services.yml
@@ -2,6 +2,7 @@ name: Attempt To Disable Services
 id: afb31de4-d023-11eb-98d5-acde48001122
 version: 3
 status: production
+detection_type: STREAMING
 description: The following analytic identifies Windows Service Control, `sc.exe`, attempting to disable a service. This is typically identified in parallel with other instances of service enumeration of attempts to stop a service and then disable
diff --git a/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml b/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml
index 1d03339a88..1deb51c70b 100644
--- a/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml
+++ b/dist/ssa/srs/ssa___attempted_credential_dump_from_registry_via_reg_exe.yml
@@ -2,6 +2,7 @@ name: Attempted Credential Dump From Registry via Reg exe
 id: 14038953-e5f2-4daf-acff-5452062baf03
 version: 4
 status: production
+detection_type: STREAMING
 description: The following analytic identifies the use of `reg.exe` attempting to export Windows registry keys that contain hashed credentials. Adversaries will utilize this technique to capture and perform offline password cracking.
diff --git a/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml b/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml
index ac504d388d..0b992c1570 100644
--- a/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml
+++ b/dist/ssa/srs/ssa___bcdedit_failure_recovery_modification.yml
@@ -2,6 +2,7 @@ name: BCDEdit Failure Recovery Modification
 id: 76d79d6e-25bb-40f6-b3b2-e0a6b7e5ea13
 version: 1
 status: production
+detection_type: STREAMING
 description: This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.
diff --git a/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml b/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml
index 0d58d38155..4e0e3c8701 100644
--- a/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml
+++ b/dist/ssa/srs/ssa___clear_unallocated_sector_using_cipher_app.yml
@@ -2,6 +2,7 @@ name: Clear Unallocated Sector Using Cipher App
 id: 8f907d90-6173-11ec-9c23-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: this search is to detect execution of `cipher.exe` to clear the unallocated sectors of a specific disk. This technique was seen in some ransomware to make it impossible to forensically recover deleted files.
diff --git a/dist/ssa/srs/ssa___delete_a_net_user.yml b/dist/ssa/srs/ssa___delete_a_net_user.yml
index 43cca85a0b..20dacd8ad4 100644
--- a/dist/ssa/srs/ssa___delete_a_net_user.yml
+++ b/dist/ssa/srs/ssa___delete_a_net_user.yml
@@ -2,6 +2,7 @@ name: Delete A Net User
 id: 8776d79c-d26e-11eb-9a56-acde48001122
 version: 5
 status: production
+detection_type: STREAMING
 description: This analytic will detect a suspicious net.exe/net1.exe command-line to delete a user on a system. This technique may be use by an administrator for legitimate purposes, however this behavior has been used in the wild to impair some
diff --git a/dist/ssa/srs/ssa___deleting_shadow_copies.yml b/dist/ssa/srs/ssa___deleting_shadow_copies.yml
index f60fe6bbeb..ebc5ae85ad 100644
--- a/dist/ssa/srs/ssa___deleting_shadow_copies.yml
+++ b/dist/ssa/srs/ssa___deleting_shadow_copies.yml
@@ -2,6 +2,7 @@ name: Deleting Shadow Copies
 id: fd40c537-53d0-4c28-9b7e-77cfd28a49c8
 version: 2
 status: validation
+detection_type: STREAMING
 description: The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.
diff --git a/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml b/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml
index 34e201d3a6..80960bf2ba 100644
--- a/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml
+++ b/dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml
@@ -2,6 +2,7 @@ name: Deny Permission using Cacls Utility
 id: b76eae28-cd25-11eb-9c92-acde48001122
 version: 4
 status: production
+detection_type: STREAMING
 description: The following analytic identifies the use of `cacls.exe`, `icacls.exe` or `xcacls.exe` placing the deny permission on a file or directory. Adversaries perform this behavior to prevent responders from reviewing or gaining access to
diff --git a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe.yml b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe.yml
index 2c4c0ce388..17e70d09f5 100644
--- a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe.yml
+++ b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe.yml
@@ -2,6 +2,7 @@ name: Detect Prohibited Applications Spawning cmd exe
 id: c10a18cb-fd80-4ffa-a844-25026e0a0c94
 version: 5
 status: production
+detection_type: STREAMING
 description: The following analytic identifies parent processes, browsers, Windows terminal applications, Office Products and Java spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or built into macros. Much of this will
diff --git a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
index b6f0f1de94..61ad1f5a17 100644
--- a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
+++ b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_browsers.yml
@@ -2,6 +2,7 @@ name: Detect Prohibited Applications Spawning cmd exe browsers
 id: c10a18cb-fd70-4ffa-a844-25026e0a0c94
 version: 2
 status: validation
+detection_type: STREAMING
 description: The following analytic identifies parent processes that are browsers, spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or built into macros. Much of this will need to be tuned to further enhance the risk.
diff --git a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
index 096265eac5..6d315598a2 100644
--- a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
+++ b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_office.yml
@@ -2,6 +2,7 @@ name: Detect Prohibited Applications Spawning cmd exe office
 id: c10a18cb-fd70-4ffa-a844-25026e0b0c94
 version: 2
 status: validation
+detection_type: STREAMING
 description: The following analytic identifies parent processes that are office/productivity applications, spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or built into macros. Much of this will need to be tuned to further enhance
diff --git a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
index a15529b874..9f9da272a7 100644
--- a/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
+++ b/dist/ssa/srs/ssa___detect_prohibited_applications_spawning_cmd_exe_powershell.yml
@@ -2,6 +2,7 @@ name: Detect Prohibited Applications Spawning cmd exe powershell
 id: c10a18cb-fd70-4ffa-a844-25126e0b0d94
 version: 2
 status: validation
+detection_type: STREAMING
 description: The following analytic identifies parent processes that are powershell, spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or built into macros. Much of this will need to be tuned to further enhance the risk.
diff --git a/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml b/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml
index a24f856e92..1666d0342d 100644
--- a/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml
+++ b/dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml
@@ -2,6 +2,7 @@ name: Detect RClone Command-Line Usage
 id: e8b74268-5454-11ec-a799-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may
diff --git a/dist/ssa/srs/ssa___disable_net_user_account.yml b/dist/ssa/srs/ssa___disable_net_user_account.yml
index 7494b2d583..58f5ce5123 100644
--- a/dist/ssa/srs/ssa___disable_net_user_account.yml
+++ b/dist/ssa/srs/ssa___disable_net_user_account.yml
@@ -2,6 +2,7 @@ name: Disable Net User Account
 id: ba858b08-d26c-11eb-af9b-acde48001122
 version: 4
 status: production
+detection_type: STREAMING
 description: This analytic will identify a suspicious command-line that disables a user account using the native `net.exe` or `net1.exe` utility to Windows. This technique may used by the adversaries to interrupt availability of accounts and continue the
diff --git a/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml b/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml
index 447be04af1..ae830c2034 100644
--- a/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml
+++ b/dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml
@@ -2,6 +2,7 @@ name: DNS Exfiltration Using Nslookup App
 id: 2452e632-9e0d-11eb-34ba-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: This search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique
diff --git a/dist/ssa/srs/ssa___fsutil_zeroing_file.yml b/dist/ssa/srs/ssa___fsutil_zeroing_file.yml
index f5c7c8c8e1..f5bb63d7f3 100644
--- a/dist/ssa/srs/ssa___fsutil_zeroing_file.yml
+++ b/dist/ssa/srs/ssa___fsutil_zeroing_file.yml
@@ -2,6 +2,7 @@ name: Fsutil Zeroing File
 id: f792cdc9-43ee-4429-a3c0-ffce4fed1a85
 version: 1
 status: production
+detection_type: STREAMING
 description: This search is to detect a suspicious fsutil process to zeroing a target file. This technique was seen in lockbit ransomware where it tries to zero out its malware path as part of its defense evasion after encrypting the compromised host.
diff --git a/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml b/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml
index 42f7d65e13..f82b64c176 100644
--- a/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml
+++ b/dist/ssa/srs/ssa___grant_permission_using_cacls_utility.yml
@@ -2,6 +2,7 @@ name: Grant Permission Using Cacls Utility
 id: c6da561a-cd29-11eb-ae65-acde48001122
 version: 4
 status: production
+detection_type: STREAMING
 description: The following analytic identifies the use of `cacls.exe`, `icacls.exe` or `xcacls.exe` placing the grant permission on a file or directory. Adversaries perform this behavior to allow components of their files to run, however it allows
diff --git a/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml b/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml
index b74336bbc9..09c27e5096 100644
--- a/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml
+++ b/dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml
@@ -2,6 +2,7 @@ name: Hiding Files And Directories With Attrib exe
 id: 028e4406-6176-11ec-aec2-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe
diff --git a/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml b/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml
index e099a71035..9224e5cccb 100644
--- a/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml
+++ b/dist/ssa/srs/ssa___modify_acls_permission_of_files_or_folders.yml
@@ -2,6 +2,7 @@ name: Modify ACLs Permission Of Files Or Folders
 id: 9ae9a48a-cdbe-11eb-875a-acde48001122
 version: 4
 status: production
+detection_type: STREAMING
 description: This analytic identifies suspicious modification of ACL permission to a files or folder to make it available to everyone or to a specific user. This technique may be used by the adversary to evade ACLs or protected files access. This changes
diff --git a/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml b/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml
index 738304a284..44eec2745d 100644
--- a/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml
+++ b/dist/ssa/srs/ssa___office_product_spawning_windows_script_host.yml
@@ -2,6 +2,7 @@ name: Office Product Spawning Windows Script Host
 id: 3ea3851a-8736-41a0-bc09-7e4485b48fa6
 version: 2
 status: production
+detection_type: STREAMING
 description: The following analytic will identify a Windows Office Product spawning WScript.exe or CScript.exe. Tuning may be required based on legitimate application usage that may spawn scripts from an Office product.
diff --git a/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml b/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml
index f0ff163e08..3fc874ce4b 100644
--- a/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml
+++ b/dist/ssa/srs/ssa___resize_shadowstorage_volume.yml
@@ -2,6 +2,7 @@ name: Resize Shadowstorage Volume
 id: dbc30554-d27e-11eb-9e5e-acde48001122
 version: 3
 status: production
+detection_type: STREAMING
 description: The following analytic identifies the resizing of shadowstorage using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting
diff --git a/dist/ssa/srs/ssa___sdelete_application_execution.yml b/dist/ssa/srs/ssa___sdelete_application_execution.yml
index 1e3399496e..267ebbeb8e 100644
--- a/dist/ssa/srs/ssa___sdelete_application_execution.yml
+++ b/dist/ssa/srs/ssa___sdelete_application_execution.yml
@@ -2,6 +2,7 @@ name: Sdelete Application Execution
 id: fcc52b9a-4616-11ec-8454-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: This analytic will detect the execution of sdelete.exe attempting to delete potentially important files that may related to adversary or insider threats to destroy evidence or information sabotage. Sdelete is a SysInternals utility meant
diff --git a/dist/ssa/srs/ssa___services_lolbas_execution_process_spawn.yml b/dist/ssa/srs/ssa___services_lolbas_execution_process_spawn.yml
index c313b60d51..6882b835ec 100644
--- a/dist/ssa/srs/ssa___services_lolbas_execution_process_spawn.yml
+++ b/dist/ssa/srs/ssa___services_lolbas_execution_process_spawn.yml
@@ -2,6 +2,7 @@ name: Services lolbas Execution Process Spawn
 id: 0d85fde3-0de9-4eec-b386-6a8ba70f3935
 version: 2
 status: validation
+detection_type: STREAMING
 description: The following analytic identifies services.exe spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned
diff --git a/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml b/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml
index 658b307fd3..5e46aeb87f 100644
--- a/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml
+++ b/dist/ssa/srs/ssa___system_process_running_from_unexpected_location.yml
@@ -2,6 +2,7 @@ name: System Process Running from Unexpected Location
 id: 28179107-099a-464a-94d3-08301e6c055f
 version: 5
 status: production
+detection_type: STREAMING
 description: An attacker tries might try to use different version of a system command without overriding original, or they might try to avoid some detection running the process from a different folder. This detection checks that a list of system processes
diff --git a/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml b/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
index b8e6875b6a..82a54698c1 100644
--- a/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
+++ b/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
@@ -2,6 +2,7 @@ name: WBAdmin Delete System Backups
 id: 71efbf52-4dbb-4c00-a520-306aa546cbb7
 version: 1
 status: production
+detection_type: STREAMING
 description: This search looks for flags passed to wbadmin.exe (Windows Backup Administrator Tool) that delete backup files. This is typically used by ransomware to prevent recovery.
diff --git a/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml b/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml
index 7c5ecbba38..622d803bc6 100644
--- a/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml
+++ b/dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml
@@ -2,6 +2,7 @@ name: WevtUtil Usage To Clear Logs
 id: 5438113c-cdd9-11eb-93b8-acde48001122
 version: 2
 status: production
+detection_type: STREAMING
 description: The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, powershell, sysmon, or system event logs.
diff --git a/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml b/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml
index 1218b570b4..0e70ff0a99 100644
--- a/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml
+++ b/dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml
@@ -2,6 +2,7 @@ name: Wevtutil Usage To Disable Logs
 id: a4bdc944-cdd9-11eb-ac97-acde48001122
 version: 2
 status: production
+detection_type: STREAMING
 description: This search is to detect execution of wevtutil.exe to disable logs. This technique was seen in several ransomware to disable the event logs to evade alerts and detections in compromised host.
diff --git a/dist/ssa/srs/ssa___windows_bits_job_persistence.yml b/dist/ssa/srs/ssa___windows_bits_job_persistence.yml
index bd757f4a35..f84e26d77b 100644
--- a/dist/ssa/srs/ssa___windows_bits_job_persistence.yml
+++ b/dist/ssa/srs/ssa___windows_bits_job_persistence.yml
@@ -2,6 +2,7 @@ name: Windows Bits Job Persistence
 id: 1e25e97a-8ea4-11ec-9767-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS
diff --git a/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml b/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml
index 9e27d07757..fb2d658b0d 100644
--- a/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml
+++ b/dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml
@@ -2,6 +2,7 @@ name: Windows Bitsadmin Download File
 id: d76e8188-8f5a-11ec-ace4-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches
diff --git a/dist/ssa/srs/ssa___windows_certutil_decode_file.yml b/dist/ssa/srs/ssa___windows_certutil_decode_file.yml
index 645bc5a4f4..6d5f83bece 100644
--- a/dist/ssa/srs/ssa___windows_certutil_decode_file.yml
+++ b/dist/ssa/srs/ssa___windows_certutil_decode_file.yml
@@ -2,6 +2,7 @@ name: Windows CertUtil Decode File
 id: b06983f4-8f72-11ec-ab50-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded
diff --git a/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml b/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml
index ca8d9209b8..86fa996603 100644
--- a/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml
+++ b/dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml
@@ -2,6 +2,7 @@ name: Windows CertUtil URLCache Download
 id: 8cb1ad38-8f6d-11ec-87a3-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will
diff --git a/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml b/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml
index 3ec4703683..fe72738320 100644
--- a/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml
+++ b/dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml
@@ -2,6 +2,7 @@ name: Windows CertUtil VerifyCtl Download
 id: 9ac29c40-8f6b-11ec-b19a-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: 'Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will
diff --git a/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml b/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml
index eae5217871..21669f2355 100644
--- a/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml
+++ b/dist/ssa/srs/ssa___windows_com_hijacking_inprocserver32_modification.yml
@@ -2,6 +2,7 @@ name: Windows COM Hijacking InprocServer32 Modification
 id: 0ae05a0f-bc84-456b-822a-a5b9c081c7ca
 version: 1
 status: production
+detection_type: STREAMING
 description: The following analytic identifies the use of reg.exe performing an add to the InProcServer32, which may be related to COM hijacking. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate
diff --git a/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml b/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml
index 130bf7f690..dcc83cd7a2 100644
--- a/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml
+++ b/dist/ssa/srs/ssa___windows_curl_upload_to_remote_destination.yml
@@ -2,6 +2,7 @@ name: Windows Curl Upload to Remote Destination
 id: cc8d046a-543b-11ec-b864-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: 'The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \
diff --git a/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml b/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml
index 4dcd9136c4..9b56dd0940 100644
--- a/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml
+++ b/dist/ssa/srs/ssa___windows_default_group_policy_object_modified_with_gpme.yml
@@ -2,6 +2,7 @@ name: Windows Default Group Policy Object Modified with GPME
 id: bcb55c13-067b-4648-98f3-627010f72520
 version: 1
 status: production
+detection_type: STREAMING
 description: The following analytic identifies the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain two default group policy objects `Default Domain Controllers Policy` and
diff --git a/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml
index b8b6d5feed..64138a01c5 100644
--- a/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml
+++ b/dist/ssa/srs/ssa___windows_defender_tools_in_non_standard_path.yml
@@ -2,6 +2,7 @@ name: Windows Defender Tools in Non Standard Path
 id: c205bd2e-cd5b-4224-8510-578a2a1f83d7
 version: 1
 status: production
+detection_type: STREAMING
 description: The following analytic identifies usage of the MPCmdRun utility that can be abused by adversaries by moving it to a new directory.
 search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
diff --git a/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml b/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml
index 089704fd97..d17e916a96 100644
--- a/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml
+++ b/dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml
@@ -2,6 +2,7 @@ name: Windows Diskshadow Proxy Execution
 id: aa502688-9037-11ec-842d-acde48001122
 version: 1
 status: production
+detection_type: STREAMING
 description: DiskShadow.exe is a Microsoft Signed binary present on Windows Server. It has a scripting mode intended for complex scripted backup operations. This feature also allows for execution of arbitrary unsigned code. This analytic looks for the
diff --git a/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml
index d7a4cee9ab..c86a499fb5 100644
--- a/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml
+++ b/dist/ssa/srs/ssa___windows_dotnet_binary_in_non_standard_path.yml
@@ -2,6 +2,7 @@ name: Windows DotNet Binary in Non Standard Path
 id: 21179107-099a-324a-94d3-08301e6c065f
 version: 1
 status: production
+detection_type: STREAMING
 description: The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a list. If one or the other matches
diff --git a/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml b/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml
index 0f9d9ef5dd..0ef956b027 100644
--- a/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml
+++ b/dist/ssa/srs/ssa___windows_exchange_powershell_module_usage.yml
@@ -2,6 +2,7 @@ name: Windows Exchange PowerShell Module Usage
 id: 1118bc65-b0c7-4589-bc2f-ad6802fd0909
 version: 1
 status: production
+detection_type: STREAMING
 description: 'The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Currently, there is no active data shared or data we could re-produce relate to this part of
diff --git a/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml b/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml
index 67f05ee014..fc5672c022 100644
--- a/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml
+++ b/dist/ssa/srs/ssa___windows_execute_arbitrary_commands_with_msdt.yml
@@ -2,6 +2,7 @@ name: Windows Execute Arbitrary Commands with MSDT id: f253f9c2-10f0-4cc8-b469-f505ba8c2038 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies a recently disclosed arbitraty command execution using Windows msdt.exe - a Diagnostics Troubleshooting Wizard. The sample identified will use the ms-msdt:/ protocol handler to load msdt.exe to retrieve diff --git a/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml b/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml index 6a512ff924..f2ed45681c 100644 --- a/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml +++ b/dist/ssa/srs/ssa___windows_file_share_discovery_with_powerview.yml @@ -2,6 +2,7 @@ name: Windows File Share Discovery With Powerview id: ec4f671e-c736-4f78-a4c0-8fe809e952e5 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active diff --git a/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml index 486d9164a0..76f23b7b36 100644 --- a/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml +++ b/dist/ssa/srs/ssa___windows_findstr_gpp_discovery.yml @@ -2,6 +2,7 @@ name: Windows Findstr GPP Discovery id: 73ed0f19-080e-4917-b7c6-56e1760a50d4 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These 
diff --git a/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml b/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml index 3454e0debc..a3f6a5842f 100644 --- a/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml +++ b/dist/ssa/srs/ssa___windows_ingress_tool_transfer_using_explorer.yml @@ -2,6 +2,7 @@ name: Windows Ingress Tool Transfer Using Explorer id: 695bfad6-9662-4f9e-a576-bf02a951aa60 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, diff --git a/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml index 0c3757873c..ba8aa5fb5f 100644 --- a/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_lolbin_binary_in_non_standard_path.yml @@ -2,6 +2,7 @@ name: Windows LOLBin Binary in Non Standard Path id: 25689101-012a-324a-94d3-08301e6c065a version: 5 status: production +detection_type: STREAMING description: The following analytic identifies native living off the land binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was derived from the https://lolbas-project.github.io diff --git a/dist/ssa/srs/ssa___windows_mshta_child_process.yml b/dist/ssa/srs/ssa___windows_mshta_child_process.yml index caf9f23967..5e4ec573eb 100644 --- a/dist/ssa/srs/ssa___windows_mshta_child_process.yml +++ b/dist/ssa/srs/ssa___windows_mshta_child_process.yml 
@@ -2,6 +2,7 @@ name: Windows MSHTA Child Process id: f63f7e9c-9526-11ec-9fc7-acde48001122 version: 3 status: production +detection_type: STREAMING description: The following analytic identifies child processes spawning from "mshta.exe". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process diff --git a/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml b/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml index ebd7a6e4c6..475e87eefb 100644 --- a/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml +++ b/dist/ssa/srs/ssa___windows_mshta_command_line_url.yml @@ -2,6 +2,7 @@ name: Windows MSHTA Command-Line URL id: 9b35c538-94ef-11ec-9439-acde48001122 version: 1 status: production +detection_type: STREAMING description: This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command diff --git a/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml b/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml index 67e386cc07..6c348ffd91 100644 --- a/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml +++ b/dist/ssa/srs/ssa___windows_mshta_inline_hta_execution.yml @@ -2,6 +2,7 @@ name: Windows MSHTA Inline HTA Execution id: 24962154-9524-11ec-9333-acde48001122 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first diff --git a/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml b/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml index 93bc0319d8..abf2e88d88 100644 
--- a/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml +++ b/dist/ssa/srs/ssa___windows_odbcconf_load_response_file.yml @@ -2,6 +2,7 @@ name: Windows Odbcconf Load Response File id: 7b6c3fac-0c37-4efc-a85e-de88f42b6763 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies the odbcconf.exe, Windows Open Database Connectivity utility, loading up a resource file. The file extension is arbitrary and may be named anything. The resource file itself may have different commands diff --git a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml index bbd76b1863..70db7befab 100644 --- a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml +++ b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_ntdsutil_export_ntds.yml @@ -2,6 +2,7 @@ name: Windows OS Credential Dumping with Ntdsutil Export NTDS id: dad9ddec-a72a-47be-87b6-a0f7ba98ed6e version: 1 status: production +detection_type: STREAMING description: 'Monitor for signs that Ntdsutil is being used to Extract Active Directory database - NTDS.dit, typically used for offline password cracking. It may be used in normal circumstances with no command line arguments or shorthand variations of diff --git a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml index 933cd148c4..a945bd2635 100644 --- a/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml +++ b/dist/ssa/srs/ssa___windows_os_credential_dumping_with_procdump.yml 
@@ -2,6 +2,7 @@ name: Windows OS Credential Dumping with Procdump id: e102e297-dbe6-4a19-b319-5c08f4c19a06 version: 2 status: production +detection_type: STREAMING description: 'Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This diff --git a/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml index c467660ed4..54022d1834 100644 --- a/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml +++ b/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml @@ -2,6 +2,7 @@ name: Windows Powershell Connect to Internet With Hidden Window id: 477e068e-8b6d-11ec-b6c1-81af21670352 version: 3 status: production +detection_type: STREAMING description: The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell diff --git a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml index 5757bfbe53..8eea63a253 100644 --- a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml +++ b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_get_aduser.yml 
@@ -2,6 +2,7 @@ name: Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUs id: d57b4d91-fc91-4482-a325-47693cced1eb version: 1 status: production +detection_type: STREAMING description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows diff --git a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml index e973d4069b..60c49043bd 100644 --- a/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml +++ b/dist/ssa/srs/ssa___windows_powershell_disabled_kerberos_pre_authentication_discovery_with_powerview.yml @@ -2,6 +2,7 @@ name: Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With Pow id: dc3f2af7-ca69-47ce-a122-9f9787e19417 version: 1 status: production +detection_type: STREAMING description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration diff --git a/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml b/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml index afaa2110f1..90473334bd 100644 --- a/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml +++ b/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml 
@@ -2,6 +2,7 @@ name: Windows Powershell DownloadFile id: 46440222-81d5-44b1-a376-19dcd70d1b08 version: 2 status: production +detection_type: STREAMING description: The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source diff --git a/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml b/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml index ac7e3b9c04..6a401d3f79 100644 --- a/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml +++ b/dist/ssa/srs/ssa___windows_powershell_start_bitstransfer.yml @@ -2,6 +2,7 @@ name: Windows PowerShell Start-BitsTransfer id: 0bafd086-8f61-11ec-996e-acde48001122 version: 2 status: production +detection_type: STREAMING description: Start-BitsTransfer is the PowerShell "version" of BitsAdmin.exe. Similar functionality is present. This technique variation is not as commonly used by adversaries, but has been abused in the past. Lesser known uses include the ability to set the diff --git a/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml b/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml index 1896d9cede..85a1f3e7e9 100644 --- a/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml +++ b/dist/ssa/srs/ssa___windows_powersploit_gpp_discovery.yml @@ -2,6 +2,7 @@ name: Windows PowerSploit GPP Discovery id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded diff --git a/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml b/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml index bf234cffa1..e7f9718aac 100644 
--- a/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml +++ b/dist/ssa/srs/ssa___windows_rasautou_dll_execution.yml @@ -2,6 +2,7 @@ name: Windows Rasautou DLL Execution id: 6f42b8ce-1e15-11ec-ad5a-acde48001122 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies the Windows Windows Remote Auto Dialer, rasautou.exe executing an arbitrary DLL. This technique is used to execute arbitrary shellcode or DLLs via the rasautou.exe LOLBin capability. During triage, review diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml index 5232c6c747..1ccb30ac0c 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_acccheckconsole_exe_lolbas_in_non_standard_path.yml @@ -2,6 +2,7 @@ name: Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard id: c842931e-661f-42bc-a4df-0460d93cfb69 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies AccCheckConsole.exe which is a native living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml index aa1cc78fb5..363eea23a1 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_adplus_exe_lolbas_in_non_standard_path.yml 
@@ -2,6 +2,7 @@ name: Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path id: ecaaf956-c516-4980-b08e-8c01c19614ca version: 1 status: production +detection_type: STREAMING description: The following analytic identifies adplus.exe which is a native living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml index d25b0b0107..0dac7a30a4 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_advpack_dll_lolbas_in_non_standard_path.yml @@ -2,6 +2,7 @@ name: Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path id: 3284e4f4-67f7-49b6-ad5e-a8fcead2eef8 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies Advpack.dll which is a native living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml index 1353ded9f4..6551859260 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_agentexecutor_exe_lolbas_in_non_standard_path.yml 
@@ -2,6 +2,7 @@ name: Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard P id: e124f71f-11bc-47e4-9931-6046d256005d version: 1 status: production +detection_type: STREAMING description: The following analytic identifies AgentExecutor.exe which is a native living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml index 603c5e7d67..5b794062d4 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_appinstaller_exe_lolbas_in_non_standard_path.yml @@ -2,6 +2,7 @@ name: Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Pa id: 057c06c7-ef31-4749-b5c9-199152e53a06 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies AppInstaller.exe which is a native living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml index 58a419f8a9..f384bc9491 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_appvlp_exe_lolbas_in_non_standard_path.yml 
@@ -2,6 +2,7 @@ name: Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path id: 93862a89-abe0-4094-909a-08ec390aa5e3 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies Appvlp.exe which is a native living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml index 51e8a660a6..ad7cd781ee 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_aspnet_compiler_exe_lolbas_in_non_standard_path.yml @@ -2,6 +2,7 @@ name: Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard id: d75cc561-3828-4d0a-92c4-0eb93bfe0929 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies Aspnet_Compiler.exe which is a native living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml index abc16eaed7..39ef337c09 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_at_exe_lolbas_in_non_standard_path.yml 
@@ -2,6 +2,7 @@ name: Windows Rename System Utilities At exe LOLBAS in Non Standard Path id: 6401d583-0052-4dc5-a713-68b510826d2b version: 1 status: production +detection_type: STREAMING description: The following analytic identifies At.exe which is a native living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries was diff --git a/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml b/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml index cf25105969..a19584ef04 100644 --- a/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml +++ b/dist/ssa/srs/ssa___windows_rename_system_utilities_atbroker_exe_lolbas_in_non_standard_path.yml @@ -2,6 +2,7 @@ name: Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path id: b8da7ea5-8c16-4eff-9787-54ec271159e0 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies Atbroker.exe which is a native living off the land binary or script (LOLBAS) within the Windows operating system that may be abused by adversaries by moving it to a new directory. The list of binaries diff --git a/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml b/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml index 0cfff4c653..c3aeb9d093 100644 --- a/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml +++ b/dist/ssa/srs/ssa___windows_rundll32_comsvcs_memory_dump.yml @@ -2,6 +2,7 @@ name: Windows Rundll32 Comsvcs Memory Dump id: 76bb9e35-f314-4c3d-a385-83c72a13ce4e version: 5 status: production +detection_type: STREAMING description: The following analytic identifies memory dumping using comsvcs.dll with the minidump function with `rundll32.exe`. This technique is common with adversaries who would like to dump the memory of lsass.exe. 
diff --git a/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml b/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml index 348e13190e..32ebca11f9 100644 --- a/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml +++ b/dist/ssa/srs/ssa___windows_rundll32_inline_hta_execution.yml @@ -2,6 +2,7 @@ name: Windows Rundll32 Inline HTA Execution id: 0caa1dd6-94f5-11ec-9786-acde48001122 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior diff --git a/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml b/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml index 12c25f8df6..4fbeb3ad1b 100644 --- a/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml +++ b/dist/ssa/srs/ssa___windows_script_host_spawn_msbuild.yml @@ -2,6 +2,7 @@ name: Windows Script Host Spawn MSBuild id: 92886f1c-9b11-11ec-848a-acde48001122 version: 1 status: production +detection_type: STREAMING description: This analytic is to detect a suspicious child process of MSBuild spawned by Windows Script Host - cscript or wscript. This behavior or event are commonly seen and used by malware or adversaries to execute malicious msbuild process using diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml index 6a084a79b8..922360ff51 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_decompile.yml 
@@ -2,6 +2,7 @@ name: Windows System Binary Proxy Execution Compiled HTML File Decompile id: 11c32b19-05a6-48a8-ab28-18dbd9ec5d50 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml index 269accebd5..e649fb822c 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_url_in_command_line.yml @@ -2,6 +2,7 @@ name: Windows System Binary Proxy Execution Compiled HTML File URL In Command Li id: 0fec631a-7c9b-4e4c-b28b-93260953e25f version: 1 status: production +detection_type: STREAMING description: The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml index 6865d6942e..df27c5dc75 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_compiled_html_file_using_infotech_storage_handlers.yml 
@@ -3,6 +3,7 @@ name: Windows System Binary Proxy Execution Compiled HTML File Using InfoTech St id: ba0c2450-caea-4086-ac3a-a71e2659754b version: 1 status: production +detection_type: STREAMING description: The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml index 515c50f772..0186662399 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_dllregisterserver.yml @@ -2,6 +2,7 @@ name: Windows System Binary Proxy Execution MSIExec DLLRegisterServer id: 8d1d5570-722c-49a3-996c-2e2cceef5163 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies the usage of msiexec.exe using the /y switch parameter, which grants the ability for msiexec to load DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review. diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml index b172049f20..ae8b09ad0b 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_remote_download.yml 
@@ -2,6 +2,7 @@ name: Windows System Binary Proxy Execution MSIExec Remote Download id: 92cbbf0f-9a6b-4e9d-8c35-cc9244a4e3d5 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies msiexec.exe with http in the command-line. This procedure will utilize msiexec.exe to download a remote file and load it. During triage, review parallel processes and capture any artifacts on disk for review. diff --git a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml index 506eed26f1..e2d9012350 100644 --- a/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml +++ b/dist/ssa/srs/ssa___windows_system_binary_proxy_execution_msiexec_unregister_dll.yml @@ -2,6 +2,7 @@ name: Windows System Binary Proxy Execution MSIExec Unregister DLL id: df76a8d1-92e1-4ec9-b8f7-695b5838703e version: 1 status: production +detection_type: STREAMING description: The following analytic identifies the usage of msiexec.exe using the /z switch parameter, which grants the ability for msiexec to unload DLLRegisterServer. Upon triage, review parent process and capture any artifacts for further review. diff --git a/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml b/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml index 156ccb0238..8a668142ee 100644 --- a/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml +++ b/dist/ssa/srs/ssa___windows_wmiprvse_spawn_msbuild.yml @@ -2,6 +2,7 @@ name: Windows WMIPrvse Spawn MSBuild id: 76b3b290-9b31-11ec-a934-acde48001122 version: 1 status: production +detection_type: STREAMING description: The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using