diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws_cloudtrail_disable_logging.yml index 61b4cdb26..e7df801db 100644 --- a/rules/cloud/aws_cloudtrail_disable_logging.yml +++ b/rules/cloud/aws_cloudtrail_disable_logging.yml @@ -5,20 +5,21 @@ author: vitaliy0x1 date: 2020/01/21 description: Detects disabling, deleting and updating of a Trail references: - - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html + - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html logsource: - service: cloudtrail + service: cloudtrail detection: - selection_source: - - eventSource: cloudtrail.amazonaws.com - events: - - eventName: - - StopLogging - - UpdateTrail - - DeleteTrail - condition: selection_source AND events + selection_source: + - eventSource: cloudtrail.amazonaws.com + events: + - eventName: + - StopLogging + - UpdateTrail + - DeleteTrail + condition: selection_source AND events level: medium falsepositives: - Valid change in a Trail tags: - - attack.t1089 + - attack.t1089 + - attack.t1562.001 diff --git a/rules/cloud/aws_config_disable_recording.yml b/rules/cloud/aws_config_disable_recording.yml index cb0fc0a79..8eebaa67f 100644 --- a/rules/cloud/aws_config_disable_recording.yml +++ b/rules/cloud/aws_config_disable_recording.yml @@ -5,17 +5,18 @@ author: vitaliy0x1 date: 2020/01/21 description: Detects AWS Config Service disabling logsource: - service: cloudtrail + service: cloudtrail detection: - selection_source: - - eventSource: config.amazonaws.com - events: - - eventName: - - DeleteDeliveryChannel - - StopConfigurationRecorder - condition: selection_source AND events + selection_source: + - eventSource: config.amazonaws.com + events: + - eventName: + - DeleteDeliveryChannel + - StopConfigurationRecorder + condition: selection_source AND events level: high falsepositives: - Valid change in AWS Config Service tags: - - attack.t1089 + - attack.t1089 + - attack.t1562.001 
diff --git a/rules/cloud/aws_ec2_startup_script_change.yml b/rules/cloud/aws_ec2_startup_script_change.yml index dccb22f00..7edcff0bc 100644 --- a/rules/cloud/aws_ec2_startup_script_change.yml +++ b/rules/cloud/aws_ec2_startup_script_change.yml @@ -21,3 +21,4 @@ falsepositives: - Valid changes to the startup script tags: - attack.t1064 + - attack.t1059 diff --git a/rules/cloud/aws_guardduty_disruption.yml b/rules/cloud/aws_guardduty_disruption.yml index 616646624..7491d4b24 100644 --- a/rules/cloud/aws_guardduty_disruption.yml +++ b/rules/cloud/aws_guardduty_disruption.yml @@ -19,3 +19,4 @@ falsepositives: - Valid change in the GuardDuty (e.g. to ignore internal scanners) tags: - attack.t1089 + - attack.t1562.001 diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml index 9094ded86..dff6bbf3e 100644 --- a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml +++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml @@ -9,6 +9,7 @@ tags: - attack.s0003 - attack.t1156 - attack.persistence + - attack.t1546.004 author: Peter Matkovski logsource: product: linux diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml index 1aaa844e6..d9fb2e403 100644 --- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml +++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml @@ -11,6 +11,7 @@ references: tags: - attack.defense_evasion - attack.t1054 + - attack.t1562.006 author: Mikhail Larin, oscd.community status: experimental date: 2019/10/25 diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml index 4140aca78..b456805b1 100644 --- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml +++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml 
@@ -10,6 +10,7 @@ references: tags: - attack.defense_evasion - attack.t1054 + - attack.t1562.006 author: Mikhail Larin, oscd.community status: experimental date: 2019/10/25 diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml index 28068f7ab..2c537ddfb 100644 --- a/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml @@ -5,6 +5,7 @@ description: Detects posible command execution by web application/web shell tags: - attack.persistence - attack.t1100 + - attack.t1505.003 references: - personal experience author: Ilyas Ochkov, Beyu Denis, oscd.community diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml index e22fc0d4b..e923e8ec7 100644 --- a/rules/linux/auditd/lnx_data_compressed.yml +++ b/rules/linux/auditd/lnx_data_compressed.yml @@ -1,8 +1,7 @@ title: Data Compressed id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee status: experimental -description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount - of data sent over the network +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 @@ -30,3 +29,4 @@ level: low tags: - attack.exfiltration - attack.t1002 + - attack.t1560 diff --git a/rules/linux/lnx_pers_systemd_reload.yml b/rules/linux/lnx_pers_systemd_reload.yml index 3cb5c9168..326b28b30 100644 --- a/rules/linux/lnx_pers_systemd_reload.yml +++ b/rules/linux/lnx_pers_systemd_reload.yml @@ -5,6 +5,7 @@ status: experimental tags: - attack.persistence - attack.t1501 + - attack.t1543.002 author: Jakob Weinzettl, oscd.community date: 2019/09/23 logsource: 
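Review bot: The rejoined `description` at the top of the lnx_data_compressed.yml hunk is now a single plain scalar of roughly 190 characters, which is past any usual yamllint line-length limit; a folded block scalar, `description: >-` with the sentence wrapped underneath, produces the same string value the previous multi-line plain scalar produced while keeping lines short. The same rewrite is applied to the descriptions in zeek_smb_converted_win_lm_namedpipe.yml, win_alert_mimikatz_keywords.yml, win_disable_event_logging.yml (where the result is about 600 characters on one line) and win_lm_namedpipe.yml, so the folded form would be worth applying to all five.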
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml index 97379f6aa..68e9773c2 100644 --- a/rules/linux/lnx_shell_clear_cmd_history.yml +++ b/rules/linux/lnx_shell_clear_cmd_history.yml @@ -22,7 +22,7 @@ detection: keywords: - 'rm *bash_history' - 'echo "" > *bash_history' - - 'cat /dev/null > *bash_history' + - 'cat /dev/null > *bash_history' - 'ln -sf /dev/null *bash_history' - 'truncate -s0 *bash_history' # - 'unset HISTFILE' # prone to false positives @@ -38,3 +38,4 @@ level: high tags: - attack.defense_evasion - attack.t1146 + - attack.t1551.003 diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml index 457744c35..244bdeade 100644 --- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml +++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml @@ -11,6 +11,8 @@ tags: - attack.defense_evasion - attack.t1146 - attack.t1070 + - attack.t1551.003 + - attack.t1551 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml index 99a6378a0..9944274b8 100644 --- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml @@ -17,6 +17,7 @@ tags: - attack.t1003 - attack.t1081 - attack.t1005 + - attack.t1552.001 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml index a032c9d48..81e1a3a19 100644 --- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml +++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml @@ -12,6 +12,8 @@ tags: - attack.defense_evasion - attack.t1130 - attack.t1145 + - attack.t1553.004 + - attack.t1552.004 logsource: product: cisco service: aaa 
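Review bot: `attack.t1551.003`, added at the end of the second lnx_shell_clear_cmd_history.yml hunk, does not appear to be a released ATT&CK identifier: as far as I recall, T1551 was the sub-techniques beta's number for Indicator Removal on Host, and the published matrix kept T1070, so Clear Command History is `- attack.t1070.003` and File Deletion is `- attack.t1070.004`. The same beta ID is added in cisco_cli_clear_logs.yml on this line, as both `attack.t1551.003` and the parent `attack.t1551`, right next to the existing `attack.t1070` that already is the correct parent, and in cisco_cli_file_deletion.yml on the next line as `attack.t1551.004`. Please verify against the current ATT&CK release before merging, since a non-existent technique ID will silently fail any tag validation that resolves IDs against the matrix.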
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml index b81e265ba..4bc95584a 100644 --- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml +++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml @@ -9,6 +9,7 @@ date: 2019/08/11 tags: - attack.defense_evasion - attack.t1089 + - attack.t1562.001 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml index cc6155e1b..ec6b4e1ef 100644 --- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml +++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml @@ -14,6 +14,9 @@ tags: - attack.t1107 - attack.t1488 - attack.t1487 + - attack.t1561.002 + - attack.t1551.004 + - attack.t1561.001 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml index 51467f579..d1bc266a7 100644 --- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml +++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml @@ -12,6 +12,7 @@ tags: - attack.credential_access - attack.t1139 - attack.t1056 + - attack.t1552.003 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml index bc11ecafc..6f98513ed 100644 --- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml +++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml @@ -16,6 +16,9 @@ tags: - attack.t1100 - attack.t1168 - attack.t1490 + - attack.t1565.002 + - attack.t1505 + - attack.t1053 logsource: product: cisco service: aaa diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml index f9aa4c847..924588a68 100644 --- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml 
@@ -19,6 +19,8 @@ tags: - attack.t1105 - attack.t1492 - attack.t1002 + - attack.t1560 + - attack.t1565.001 logsource: product: cisco service: aaa diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml index 42ee5e22f..95492f1b2 100644 --- a/rules/network/net_susp_dns_txt_exec_strings.yml +++ b/rules/network/net_susp_dns_txt_exec_strings.yml @@ -7,17 +7,18 @@ references: - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1 tags: - attack.t1071 + - attack.t1071.004 author: Markus Neis date: 2018/08/08 logsource: category: dns detection: selection: - record_type: 'TXT' - answer: - - '*IEX*' - - '*Invoke-Expression*' - - '*cmd.exe*' + record_type: 'TXT' + answer: + - '*IEX*' + - '*Invoke-Expression*' + - '*cmd.exe*' condition: selection falsepositives: - Unknown diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml index 4e79ed023..141a67ddc 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml 
@@ -6,46 +6,48 @@ date: 2020/03/19 references: - https://github.com/mitre-attack/bzar#indicators-for-attck-execution tags: - - attack.execution - - attack.t1035 - - attack.t1047 - - attack.t1053 + - attack.execution + - attack.t1035 + - attack.t1047 + - attack.t1053 + - attack.t1053.002 + - attack.t1569.002 logsource: - product: zeek - service: dce_rpc + product: zeek + service: dce_rpc detection: - op1: - endpoint: 'JobAdd' - operation: 'atsvc' - op2: - endpoint: 'ITaskSchedulerService' - operation: 'SchRpcEnableTask' - op3: - endpoint: 'ITaskSchedulerService' - operation: 'SchRpcRegisterTask' - op4: - endpoint: 'ITaskSchedulerService' - operation: 'SchRpcRun' - op5: - endpoint: 'IWbemServices' - operation: 'ExecMethod' - op6: - endpoint: 'IWbemServices' - operation: 'ExecMethodAsync' - op7: - endpoint: 'svcctl' - operation: 'CreateServiceA' - op8: - endpoint: 'svcctl' - operation: 'CreateServiceW' - op9: - endpoint: 'svcctl' - operation: 'StartServiceA' - op10: - endpoint: 'svcctl' - operation: 'StartServiceW' - condition: 1 of them + op1: + endpoint: 'JobAdd' + operation: 'atsvc' + op2: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcEnableTask' + op3: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcRegisterTask' + op4: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcRun' + op5: + endpoint: 'IWbemServices' + operation: 'ExecMethod' + op6: + endpoint: 'IWbemServices' + operation: 'ExecMethodAsync' + op7: + endpoint: 'svcctl' + operation: 'CreateServiceA' + op8: + endpoint: 'svcctl' + operation: 'CreateServiceW' + op9: + endpoint: 'svcctl' + operation: 'StartServiceA' + op10: + endpoint: 'svcctl' + operation: 'StartServiceW' + condition: 1 of them falsepositives: - 'Windows administrator tasks or troubleshooting' - 'Windows management scripts or software' -level: medium \ No newline at end of file +level: medium 
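Review bot: `op1` has its two fields the wrong way round: it is written as `endpoint: 'JobAdd'` / `operation: 'atsvc'`, while every other selector in the same hunk (op2 through op10) uses `endpoint` for the RPC interface and `operation` for the method, e.g. `endpoint: 'svcctl'` / `operation: 'StartServiceW'`; `JobAdd` is the method of the `atsvc` interface. As written, op1 can never match a Zeek dce_rpc record, so the at-service branch of the BZAR execution indicators is dead even after the re-indentation. The fix is `op1:` followed by `endpoint: 'atsvc'` and `operation: 'JobAdd'`.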
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml index 3cce80d46..4dd5fc5d4 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml @@ -8,30 +8,31 @@ references: tags: - attack.persistence - attack.t1004 + - attack.t1547.004 logsource: - product: zeek - service: dce_rpc + product: zeek + service: dce_rpc detection: - op1: - endpoint: 'spoolss' - operation: 'RpcAddMonitor' - op2: - endpoint: 'spoolss' - operation: 'RpcAddPrintProcessor' - op3: - endpoint: 'IRemoteWinspool' - operation: 'RpcAsyncAddMonitor' - op4: - endpoint: 'IRemoteWinspool' - operation: 'RpcAsyncAddPrintProcessor' - op5: - endpoint: 'ISecLogon' - operation: 'SeclCreateProcessWithLogonW' - op6: - endpoint: 'ISecLogon' - operation: 'SeclCreateProcessWithLogonExW' - condition: 1 of them + op1: + endpoint: 'spoolss' + operation: 'RpcAddMonitor' + op2: + endpoint: 'spoolss' + operation: 'RpcAddPrintProcessor' + op3: + endpoint: 'IRemoteWinspool' + operation: 'RpcAsyncAddMonitor' + op4: + endpoint: 'IRemoteWinspool' + operation: 'RpcAsyncAddPrintProcessor' + op5: + endpoint: 'ISecLogon' + operation: 'SeclCreateProcessWithLogonW' + op6: + endpoint: 'ISecLogon' + operation: 'SeclCreateProcessWithLogonExW' + condition: 1 of them falsepositives: - 'Windows administrator tasks or troubleshooting' - 'Windows management scripts or software' -level: medium \ No newline at end of file +level: medium diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml index 47cfdcbf2..55bc7898e 100644 --- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml +++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml 
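Review bot: The added `attack.t1547.004` (Winlogon Helper DLL) only covers op5 and op6 (the `ISecLogon` `SeclCreateProcessWithLogonW`/`ExW` operations); op1 through op4 (`spoolss`/`IRemoteWinspool` `RpcAddMonitor`, `RpcAddPrintProcessor`, `RpcAsyncAddMonitor`, `RpcAsyncAddPrintProcessor`) are, if I recall the referenced BZAR indicator list correctly, mapped to Port Monitors (T1013), whose sub-technique ID is T1547.010. Consider adding `- attack.t1547.010` alongside the new tag so the tags describe all six selectors; the old rule carried only `attack.t1004`, so this gap predates the commit.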
@@ -8,9 +8,10 @@ references: tags: - attack.command_and_control - attack.t1043 + - attack.t1571 logsource: - product: zeek - service: http + product: zeek + service: http date: 2020/05/01 detection: selection_webdav: @@ -23,4 +24,4 @@ detection: falsepositives: - unknown level: medium -status: experimental \ No newline at end of file +status: experimental diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml index 17a3704f5..12e1eb4d9 100644 --- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml +++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml @@ -11,6 +11,7 @@ tags: - attack.t1053 - car.2013-05-004 - car.2015-04-001 + - attack.t1053.002 logsource: product: zeek service: smb_files diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index 16e2f3188..4a7fe93ad 100644 --- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml @@ -8,14 +8,17 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.003 logsource: product: zeek service: smb_files detection: - selection: - path: '\\*ADMIN$' - name: '*SYSTEM32\\*.tmp' - condition: selection + selection: + path: '\\*ADMIN$' + name: '*SYSTEM32\\*.tmp' + condition: selection falsepositives: - 'unknown' level: high diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml index eecef7a99..34b90aa1e 100644 --- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml +++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml 
@@ -1,14 +1,14 @@ title: First Time Seen Remote Named Pipe - Zeek id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad -description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec - using named pipes +description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes author: 'Samir Bousseaden, @neu5ron' date: 2020/04/02 references: - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml -tags: +tags: - attack.lateral_movement - attack.t1077 + - attack.t1021.002 logsource: product: zeek service: smb_files @@ -18,23 +18,23 @@ detection: selection2: path: \\*\IPC$ name: - - 'atsvc' - - 'samr' - - 'lsarpc' - - 'winreg' - - 'netlogon' - - 'srvsvc' - - 'protected_storage' - - 'wkssvc' - - 'browser' - - 'netdfs' - - 'svcctl' - - 'spoolss' - - 'ntsvcs' - - 'LSM_API_service' - - 'HydraLsPipe' - - 'TermSrv_API_service' - - 'MsFteWds' + - 'atsvc' + - 'samr' + - 'lsarpc' + - 'winreg' + - 'netlogon' + - 'srvsvc' + - 'protected_storage' + - 'wkssvc' + - 'browser' + - 'netdfs' + - 'svcctl' + - 'spoolss' + - 'ntsvcs' + - 'LSM_API_service' + - 'HydraLsPipe' + - 'TermSrv_API_service' + - 'MsFteWds' condition: selection1 and not selection2 falsepositives: - update the excluded named pipe to filter out any newly observed legit named pipe diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index 044d6f966..79bd51153 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -8,6 +8,7 @@ references: tags: - attack.lateral_movement - attack.t1077 + - attack.t1021.002 logsource: product: zeek service: smb_files 
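Review bot: The rewritten `description` line keeps the typo "namped pipes" and the number disagreement "excludes ... and notify"; since the commit already touches this line, it would be a good moment to make it `description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes`. The same sentence is rewritten identically in win_lm_namedpipe.yml further down in this diff and would benefit from the same correction.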
@@ -15,9 +16,9 @@ detection: selection1: path: \\*\IPC$ name: - - '*-stdin' - - '*-stdout' - - '*-stderr' + - '*-stdin' + - '*-stdout' + - '*-stderr' selection2: name: \\*\IPC$ path: 'PSEXESVC*' diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml index 060189f40..503c9c8f8 100644 --- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml +++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml @@ -4,26 +4,29 @@ description: Transferring files with well-known filenames (sensitive files with author: '@neu5ron, Teymur Kheirkhabarov, oscd.community' date: 2020/04/02 references: - - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml + - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml tags: - - attack.credential_access - - attack.t1003 + - attack.credential_access + - attack.t1003 + - attack.t1003.002 + - attack.t1003.001 + - attack.t1003.003 logsource: - product: zeek - service: smb_files + product: zeek + service: smb_files detection: - selection: - name: - - '\mimidrv' - - '\lsass' - - '\windows\minidump\' - - '\hiberfil' - - '\sqldmpr' - - '\sam' - - '\ntds.dit' - - '\security' - condition: selection + selection: + name: + - '\mimidrv' + - '\lsass' + - '\windows\minidump\' + - '\hiberfil' + - '\sqldmpr' + - '\sam' + - '\ntds.dit' + - '\security' + condition: selection falsepositives: - Transferring sensitive files for legitimate administration work by legitimate administrator level: medium -status: experimental \ No newline at end of file +status: experimental 
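Review bot: In the zeek_smb_converted_win_susp_psexec.yml hunk, `selection2` appears to have `path` and `name` swapped relative to `selection1`: selection1 uses `path: \\*\IPC$` for the share and `name:` for the file, while selection2 has `name: \\*\IPC$` and `path: 'PSEXESVC*'`. Unless Zeek's smb_files fields are deliberately inverted here, selection2 will never match and the `PSEXESVC*` branch of the rule is dead; the likely intent is `selection2:` with `path: \\*\IPC$` and `name: 'PSEXESVC*'`. The condition that combines the two selections lies outside this hunk, so I could not confirm how selection2 is used.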
diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml index 456f82786..30b134ff7 100644 --- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml +++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml @@ -8,6 +8,7 @@ references: tags: - attack.credential_access - attack.t1208 + - attack.t1558.003 logsource: product: zeek service: kerberos diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml index 5bc8b193e..d086a2c45 100644 --- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml +++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml @@ -13,7 +13,7 @@ logsource: category: webserver detection: selection: - c-uri: + c-uri: - '*/config/keystore/*.js*' condition: selection fields: @@ -28,5 +28,6 @@ tags: - attack.persistence - attack.privilege_escalation - cve.2018-2894 + - attack.t1505 level: critical diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml index 6403ab720..75dfa1b0c 100644 --- a/rules/windows/builtin/win_GPO_scheduledtasks.yml +++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml @@ -10,6 +10,7 @@ tags: - attack.persistence - attack.lateral_movement - attack.t1053 + - attack.t1053.005 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml index e489b78f6..a922e0e01 100644 --- a/rules/windows/builtin/win_admin_share_access.yml +++ b/rules/windows/builtin/win_admin_share_access.yml @@ -4,6 +4,7 @@ description: Detects access to $ADMIN share tags: - attack.lateral_movement - attack.t1077 + - attack.t1021.002 status: experimental author: Florian Roth date: 2017/03/04 diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml index 906ac89bb..5f77c7776 100644 --- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml 
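Review bot: The `attack.t1505` added in the second web_cve_2018_2894_weblogic_exploit.yml hunk is only the parent technique, whereas the rule's `c-uri` pattern `*/config/keystore/*.js*` matches an uploaded script file served by the application, i.e. a web shell, for which the specific sub-technique is `- attack.t1505.003`. The tags above the hunk are not visible here; if they include the revoked `attack.t1100`, the sub-technique is its direct replacement and is what the other web-shell rule in this diff (lnx_auditd_web_rce.yml) received.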
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml @@ -9,6 +9,7 @@ date: 2017/07/30 tags: - attack.defense_evasion - attack.t1089 + - attack.t1562.001 logsource: product: windows service: security @@ -18,9 +19,9 @@ detection: EventID: 4738 keywords: Message: - - '*DES*' - - '*Preauth*' - - '*Encrypted*' + - '*DES*' + - '*Preauth*' + - '*Encrypted*' filters: Message: - '*Enabled*' diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml index bcd7eae7a..3ffde491a 100644 --- a/rules/windows/builtin/win_alert_lsass_access.yml +++ b/rules/windows/builtin/win_alert_lsass_access.yml @@ -10,6 +10,7 @@ tags: - attack.credential_access - attack.t1003 # Defender Attack Surface Reduction + - attack.t1003.001 logsource: product: windows_defender definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index f6ad95c8c..5a0783fdc 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml @@ -1,7 +1,6 @@ title: Mimikatz Use id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 -description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different - threat groups) +description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups) author: Florian Roth date: 2017/01/10 modified: 2019/10/11 
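Review bot: In the win_alert_lsass_access.yml hunk the new `- attack.t1003.001` is inserted after the `# Defender Attack Surface Reduction` comment line, which separates that comment from the `logsource:` stanza it describes and leaves the comment sitting between two list items. Placing the new tag directly under `- attack.t1003`, before the comment, keeps the tag list contiguous and the comment attached to `logsource`.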
@@ -12,21 +11,25 @@ tags: - attack.credential_access - car.2013-07-001 - car.2019-04-004 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.001 + - attack.t1003.006 logsource: product: windows detection: keywords: Message: - - "* mimikatz *" - - "* mimilib *" - - "* <3 eo.oe *" - - "* eo.oe.kiwi *" - - "* privilege::debug *" - - "* sekurlsa::logonpasswords *" - - "* lsadump::sam *" - - "* mimidrv.sys *" - - "* p::d *" - - "* s::l *" + - "* mimikatz *" + - "* mimilib *" + - "* <3 eo.oe *" + - "* eo.oe.kiwi *" + - "* privilege::debug *" + - "* sekurlsa::logonpasswords *" + - "* lsadump::sam *" + - "* mimidrv.sys *" + - "* p::d *" + - "* s::l *" condition: keywords falsepositives: - Naughty administrators diff --git a/rules/windows/builtin/win_alert_ruler.yml b/rules/windows/builtin/win_alert_ruler.yml index 21a85472a..603904ca8 100644 --- a/rules/windows/builtin/win_alert_ruler.yml +++ b/rules/windows/builtin/win_alert_ruler.yml @@ -17,18 +17,19 @@ tags: - attack.t1075 - attack.t1114 - attack.t1059 + - attack.t1550.002 logsource: product: windows service: security detection: selection1: - EventID: - - 4776 + EventID: + - 4776 Workstation: 'RULER' selection2: EventID: - - 4624 - - 4625 + - 4624 + - 4625 WorkstationName: 'RULER' condition: (1 of selection*) falsepositives: diff --git a/rules/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/win_apt_carbonpaper_turla.yml index b16c0733b..b819affb4 100755 --- a/rules/windows/builtin/win_apt_carbonpaper_turla.yml +++ b/rules/windows/builtin/win_apt_carbonpaper_turla.yml @@ -7,6 +7,7 @@ tags: - attack.persistence - attack.g0010 - attack.t1050 + - attack.t1543.003 date: 2017/03/31 author: Florian Roth logsource: diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml index 3db1bfe6b..5ffa75289 100755 --- a/rules/windows/builtin/win_apt_stonedrill.yml +++ b/rules/windows/builtin/win_apt_stonedrill.yml 
@@ -9,6 +9,7 @@ tags: - attack.persistence - attack.g0064 - attack.t1050 + - attack.t1543.003 logsource: product: windows service: system diff --git a/rules/windows/builtin/win_apt_turla_service_png.yml b/rules/windows/builtin/win_apt_turla_service_png.yml index 642809a5c..467abba2e 100644 --- a/rules/windows/builtin/win_apt_turla_service_png.yml +++ b/rules/windows/builtin/win_apt_turla_service_png.yml @@ -9,6 +9,7 @@ tags: - attack.persistence - attack.g0010 - attack.t1050 + - attack.t1543.003 logsource: product: windows service: system diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml index e896b3bc4..bb4ce41a7 100644 --- a/rules/windows/builtin/win_atsvc_task.yml +++ b/rules/windows/builtin/win_atsvc_task.yml @@ -11,6 +11,7 @@ tags: - attack.t1053 - car.2013-05-004 - car.2015-04-001 + - attack.t1053.002 logsource: product: windows service: security diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml index f29e9a5fe..1181f0e18 100644 --- a/rules/windows/builtin/win_dcsync.yml +++ b/rules/windows/builtin/win_dcsync.yml @@ -12,18 +12,19 @@ tags: - attack.credential_access - attack.s0002 - attack.t1003 + - attack.t1003.006 logsource: product: windows service: security detection: selection: EventID: 4662 - Properties: + Properties: - '*Replicating Directory Changes All*' - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' filter1: SubjectDomainName: 'Window Manager' - filter2: + filter2: SubjectUserName: - 'NT AUTHORITY*' - '*$' diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml index 20463e6a8..788ac8544 100644 --- a/rules/windows/builtin/win_disable_event_logging.yml +++ b/rules/windows/builtin/win_disable_event_logging.yml 
@@ -1,15 +1,12 @@ title: Disabling Windows Event Auditing id: 69aeb277-f15f-4d2d-b32a-55e883609563 -description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass - local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" - via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, - that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform - these modifications in Active Directory anyways.' +description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.' references: - https://bit.ly/WinLogsZero2Hero tags: - attack.defense_evasion - attack.t1054 + - attack.t1562.006 author: '@neu5ron' date: 2017/11/19 logsource: diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml index 3093a0864..fc70f3b1f 100644 --- a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml +++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml 
@@ -9,11 +9,12 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.004 logsource: product: windows service: security detection: - selection: + selection: EventID: 4662 ObjectType: 'SecretObject' AccessMask: '0x2' @@ -21,4 +22,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml index f488f98a3..47ec4686c 100644 --- a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml +++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml @@ -9,11 +9,12 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.004 logsource: product: windows service: security detection: - selection: + selection: EventID: 4692 condition: selection fields: diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml index bf335fbeb..270419c1b 100644 --- a/rules/windows/builtin/win_hack_smbexec.yml +++ b/rules/windows/builtin/win_hack_smbexec.yml @@ -10,6 +10,8 @@ tags: - attack.execution - attack.t1077 - attack.t1035 + - attack.t1021 + - attack.t1569.002 logsource: product: windows service: system @@ -25,4 +27,4 @@ fields: falsepositives: - Penetration Test - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml index 14d5060e0..ca4effe5b 100644 --- a/rules/windows/builtin/win_impacket_secretdump.yml +++ b/rules/windows/builtin/win_impacket_secretdump.yml @@ -8,6 +8,9 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.003 logsource: product: windows service: security 
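Review bot: In the win_hack_smbexec.yml hunk, `attack.t1077` is supplemented with the parent `attack.t1021` only, while every other rule in this diff that carries `attack.t1077` (win_admin_share_access.yml, win_lm_namedpipe.yml, the Zeek named-pipe and psexec conversions) receives the sub-technique `attack.t1021.002`; smbexec operates over SMB/admin shares, so the same `- attack.t1021.002` would be the consistent choice here. If the parent tag is wanted as well, keep both, but the sub-technique should not be missing from just this rule.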
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml index 90dca9c10..8bbbbc1a2 100644 --- a/rules/windows/builtin/win_lm_namedpipe.yml +++ b/rules/windows/builtin/win_lm_namedpipe.yml @@ -1,7 +1,6 @@ title: First Time Seen Remote Named Pipe id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad -description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec - using named pipes +description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes author: Samir Bousseaden date: 2019/04/03 references: @@ -9,6 +8,7 @@ references: tags: - attack.lateral_movement - attack.t1077 + - attack.t1021.002 logsource: product: windows service: security @@ -21,23 +21,23 @@ detection: EventID: 5145 ShareName: \\*\IPC$ RelativeTargetName: - - 'atsvc' - - 'samr' - - 'lsarpc' - - 'winreg' - - 'netlogon' - - 'srvsvc' - - 'protected_storage' - - 'wkssvc' - - 'browser' - - 'netdfs' - - 'svcctl' - - 'spoolss' - - 'ntsvcs' - - 'LSM_API_service' - - 'HydraLsPipe' - - 'TermSrv_API_service' - - 'MsFteWds' + - 'atsvc' + - 'samr' + - 'lsarpc' + - 'winreg' + - 'netlogon' + - 'srvsvc' + - 'protected_storage' + - 'wkssvc' + - 'browser' + - 'netdfs' + - 'svcctl' + - 'spoolss' + - 'ntsvcs' + - 'LSM_API_service' + - 'HydraLsPipe' + - 'TermSrv_API_service' + - 'MsFteWds' condition: selection1 and not selection2 falsepositives: - update the excluded named pipe to filter out any newly observed legit named pipe diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml index adb3f7a62..9f0bd07fb 100644 --- a/rules/windows/builtin/win_lsass_access_non_system_account.yml +++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml 
@@ -10,11 +10,12 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.001
logsource:
product: windows
service: security
detection:
- selection:
+ selection:
EventID:
- 4663
- 4656
diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml
index d2bb06fe9..8fe191511 100644
--- a/rules/windows/builtin/win_mal_service_installs.yml
+++ b/rules/windows/builtin/win_mal_service_installs.yml
@@ -11,6 +11,8 @@ tags:
- attack.t1035
- attack.t1050
- car.2013-09-005
+ - attack.t1543.003
+ - attack.t1569.002
logsource:
product: windows
service: system
@@ -24,6 +26,6 @@ detection:
malsvc_persistence:
ServiceFileName|contains: 'net user'
condition: selection and 1 of malsvc_*
-falsepositives:
+falsepositives:
- Penetration testing
level: critical
diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml
index baaaca7f9..b6ee82fbc 100644
--- a/rules/windows/builtin/win_mmc20_lateral_movement.yml
+++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml
@@ -1,23 +1,25 @@
title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
-description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
+description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
author: '@2xxeformyshirt (Security Risk Advisors)'
date: 2020/03/04
references:
- - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
+ - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
tags:
- - attack.execution
- - attack.t1175
+ - attack.execution
+ - attack.t1175
+ - attack.t1021.003
+ - attack.t1559.001
logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
detection:
- selection:
- ParentImage: '*\svchost.exe'
- Image: '*\mmc.exe'
- CommandLine: '*-Embedding*'
- condition: selection
+ selection:
+ ParentImage: '*\svchost.exe'
+ Image: '*\mmc.exe'
+ CommandLine: '*-Embedding*'
+ condition: selection
falsepositives:
- - Unlikely
+ - Unlikely
level: high
diff --git a/rules/windows/builtin/win_overpass_the_hash.yml b/rules/windows/builtin/win_overpass_the_hash.yml
index f909666e5..11f2afb8f 100644
--- a/rules/windows/builtin/win_overpass_the_hash.yml
+++ b/rules/windows/builtin/win_overpass_the_hash.yml
@@ -10,6 +10,7 @@ tags:
- attack.lateral_movement
- attack.t1075
- attack.s0002
+ - attack.t1550.002
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/win_pass_the_hash.yml
index 582a77b97..1fa07af1d 100644
--- a/rules/windows/builtin/win_pass_the_hash.yml
+++ b/rules/windows/builtin/win_pass_the_hash.yml
@@ -10,6 +10,7 @@ tags:
- attack.lateral_movement
- attack.t1075
- car.2016-04-004
+ - attack.t1550.002
logsource:
product: windows
service: security
@@ -17,15 +18,15 @@ logsource:
detection:
selection:
- EventID: 4624
- LogonType: '3'
- LogonProcessName: 'NtLmSsp'
- WorkstationName: '%Workstations%'
- ComputerName: '%Workstations%'
+ LogonType: '3'
+ LogonProcessName: 'NtLmSsp'
+ WorkstationName: '%Workstations%'
+ ComputerName: '%Workstations%'
- EventID: 4625
- LogonType: '3'
- LogonProcessName: 'NtLmSsp'
- WorkstationName: '%Workstations%'
- ComputerName: '%Workstations%'
+ LogonType: '3'
+ LogonProcessName: 'NtLmSsp'
+ WorkstationName: '%Workstations%'
+ ComputerName: '%Workstations%'
filter:
AccountName: 'ANONYMOUS LOGON'
condition: selection and not filter
diff --git a/rules/windows/builtin/win_pass_the_hash_2.yml b/rules/windows/builtin/win_pass_the_hash_2.yml
index 6930ee9c2..82f26131c 100644
--- a/rules/windows/builtin/win_pass_the_hash_2.yml
+++ b/rules/windows/builtin/win_pass_the_hash_2.yml
@@ -11,6 +11,7 @@ date: 2019/06/14
tags:
- attack.lateral_movement
- attack.t1075
+ - attack.t1550.002
logsource:
product: windows
service: security
@@ -18,13 +19,13 @@ logsource:
detection:
selection:
- EventID: 4624
- SubjectUserSid: 'S-1-0-0'
- LogonType: '3'
- LogonProcessName: 'NtLmSsp'
- KeyLength: '0'
+ SubjectUserSid: 'S-1-0-0'
+ LogonType: '3'
+ LogonProcessName: 'NtLmSsp'
+ KeyLength: '0'
- EventID: 4624
- LogonType: '9'
- LogonProcessName: 'seclogo'
+ LogonType: '9'
+ LogonProcessName: 'seclogo'
filter:
AccountName: 'ANONYMOUS LOGON'
condition: selection and not filter
diff --git a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml
index 8484a1f3e..b20672adb 100644
--- a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml
+++ b/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml
@@ -8,6 +8,7 @@ modified: 2019/11/13
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
level: critical
logsource:
product: windows
diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/win_rare_schtasks_creations.yml
index bbd45c502..de8a93f87 100644
--- a/rules/windows/builtin/win_rare_schtasks_creations.yml
+++ b/rules/windows/builtin/win_rare_schtasks_creations.yml
@@ -10,6 +10,7 @@ tags:
- attack.persistence
- attack.t1053
- car.2013-08-001
+ - attack.t1053.005
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml
index acd55cb60..14b4ecf8a 100644
--- a/rules/windows/builtin/win_rare_service_installs.yml
+++ b/rules/windows/builtin/win_rare_service_installs.yml
@@ -9,6 +9,7 @@ tags:
- attack.privilege_escalation
- attack.t1050
- car.2013-09-005
+ - attack.t1543.003
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/win_rdp_localhost_login.yml
index 3f269fe72..165bd12f7 100644
--- a/rules/windows/builtin/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/win_rdp_localhost_login.yml
@@ -9,6 +9,7 @@ tags:
- attack.lateral_movement
- attack.t1076
- car.2013-07-002
+ - attack.t1021
status: experimental
author: Thomas Patzke
logsource:
diff --git a/rules/windows/builtin/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/win_rdp_reverse_tunnel.yml
index d18e52004..a68d57454 100644
--- a/rules/windows/builtin/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/win_rdp_reverse_tunnel.yml
@@ -14,6 +14,7 @@ tags:
- attack.t1076
- attack.t1090
- car.2013-07-002
+ - attack.t1021
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
index 9fb4e6447..c1d677ee6 100644
--- a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
+++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
@@ -8,6 +8,7 @@ tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
+ - attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:
@@ -16,7 +17,7 @@ logsource:
detection:
selection:
- EventID: 4611
- LogonProcessName: 'User32LogonProcesss'
+ LogonProcessName: 'User32LogonProcesss'
condition: selection
falsepositives:
- Unkown
diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml
index d0e395e4f..1167c97fb 100644
--- a/rules/windows/builtin/win_remote_powershell_session.yml
+++ b/rules/windows/builtin/win_remote_powershell_session.yml
@@ -9,11 +9,12 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: security
detection:
- selection:
+ selection:
EventID: 5156
DestPort:
- 5985
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 0a407a6e0..1eb679dc0 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -10,6 +10,7 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1178
+ - attack.t1134.005
logsource:
product: windows
service: security
@@ -25,7 +26,7 @@ detection:
- '-'
- '%%1793'
filter_null:
- SidHistory: null
+ SidHistory:
condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
- Migration of an account into a new domain
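Review bot: `SidHistory:` with no value in the `filter_null` selection of win_susp_add_sid_history.yml relies on YAML turning a bare key into null; a compliant loader yields the same null as the old `SidHistory: null`, but this is exactly the empty-value form yamllint flags and it reads like an unfinished entry rather than a deliberate "field absent" match. Keeping the explicit `SidHistory: null` documents the intent of the selection that the visible `condition:` line negates. The rest of `selection2`/`selection3` lies outside the hunk and is unaffected either way.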
diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/win_susp_backup_delete.yml
index 32dfb5d00..332b6c806 100644
--- a/rules/windows/builtin/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/win_susp_backup_delete.yml
@@ -10,6 +10,7 @@ date: 2017/05/12
tags:
- attack.defense_evasion
- attack.t1107
+ - attack.t1551.004
logsource:
product: windows
service: application
diff --git a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
index 34331edc5..e5afc8f7c 100644
--- a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml
@@ -7,6 +7,7 @@ date: 2019/12/03
tags:
- attack.defense_evasion
- attack.t1009
+ - attack.t1027
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/win_susp_dhcp_config.yml
index a7090b8df..0c357fc92 100644
--- a/rules/windows/builtin/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config.yml
@@ -11,6 +11,7 @@ author: Dimitrios Slamaris
tags:
- attack.defense_evasion
- attack.t1073
+ - attack.t1574.002
logsource:
product: windows
service: system
@@ -19,6 +20,6 @@ detection:
EventID: 1033
Source: Microsoft-Windows-DHCP-Server
condition: selection
-falsepositives:
+falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
index f3c4f36ec..8dc62e800 100644
--- a/rules/windows/builtin/win_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config_failed.yml
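Review bot: `attack.t1551.004` added to win_susp_backup_delete.yml looks like an identifier from the ATT&CK sub-techniques beta, where Indicator Removal on Host was temporarily numbered T1551; in the released matrix the technique kept its original ID T1070 and File Deletion is T1070.004, so tooling that resolves tags against the published ATT&CK data would not find this one. The same T1551-family tags appear later in this commit in win_susp_eventlog_cleared.yml and win_susp_security_eventlog_cleared.yml (`attack.t1551`), win_susp_sdelete.yml (`attack.t1551.004`), win_susp_time_modification.yml (`attack.t1551.006`) and powershell_clear_powershell_history.yml (`attack.t1551.003`). Worth confirming which ATT&CK version the commit targets, because the other sub-technique IDs it adds are the released numbers.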
@@ -11,18 +11,19 @@ modified: 2019/07/17
tags:
- attack.defense_evasion
- attack.t1073
+ - attack.t1574.002
author: "Dimitrios Slamaris, @atc_project (fix)"
logsource:
product: windows
service: system
detection:
selection:
- EventID:
+ EventID:
- 1031
- 1032
- 1034
- Source: Microsoft-Windows-DHCP-Server
+ Source: Microsoft-Windows-DHCP-Server
condition: selection
-falsepositives:
+falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/builtin/win_susp_dns_config.yml
index df7ffe3f9..8ef63d9ca 100644
--- a/rules/windows/builtin/win_susp_dns_config.yml
+++ b/rules/windows/builtin/win_susp_dns_config.yml
@@ -10,17 +10,18 @@ references:
tags:
- attack.defense_evasion
- attack.t1073
+ - attack.t1574.002
author: Florian Roth
logsource:
product: windows
service: dns-server
detection:
selection:
- EventID:
+ EventID:
- 150
- 770
condition: selection
-falsepositives:
+falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index ec1981f54..b0698a1cb 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -10,6 +10,7 @@ tags:
- attack.defense_evasion
- attack.t1070
- car.2016-04-002
+ - attack.t1551
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml
index 52921441c..b3b39f7b6 100644
--- a/rules/windows/builtin/win_susp_lsass_dump.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.001
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
index 604c2f415..fa536e26b 100644
--- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml
@@ -12,6 +12,7 @@ tags:
- attack.credential_access
- attack.t1003
- car.2019-04-004
+ - attack.t1003.001
logsource:
product: windows
service: security
@@ -40,7 +41,7 @@ detection:
- '4484'
- '4416'
filter:
- ProcessName|endswith:
+ ProcessName|endswith:
- '\wmiprvse.exe'
- '\taskmgr.exe'
- '\procexp64.exe'
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index 3e6f6fcba..4ce48ead3 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -5,6 +5,7 @@ tags:
- attack.defense_evasion
- attack.t1089
- attack.t1211
+ - attack.t1562.001
status: experimental
date: 2017/05/09
references:
diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml
index f8ea778c0..3e4a2fb96 100644
--- a/rules/windows/builtin/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/win_susp_ntlm_auth.yml
@@ -10,6 +10,7 @@ date: 2018/06/08
tags:
- attack.lateral_movement
- attack.t1075
+ - attack.t1550.002
logsource:
product: windows
service: ntlm
diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml
index f48f593b6..62216f2e9 100644
--- a/rules/windows/builtin/win_susp_psexec.yml
+++ b/rules/windows/builtin/win_susp_psexec.yml
@@ -1,7 +1,6 @@
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
-description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker
- uses a different psexec client other than sysinternal one
+description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
author: Samir Bousseaden
date: 2019/04/03
references:
@@ -9,6 +8,7 @@ references:
tags:
- attack.lateral_movement
- attack.t1077
+ - attack.t1021.002
logsource:
product: windows
service: security
@@ -18,9 +18,9 @@ detection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
- - '*-stdin'
- - '*-stdout'
- - '*-stderr'
+ - '*-stdin'
+ - '*-stdout'
+ - '*-stderr'
selection2:
EventID: 5145
ShareName: \\*\IPC$
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 534151c45..56bea540b 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.credential_access
- attack.t1208
+ - attack.t1558.003
description: Detects service ticket requests using RC4 encryption type
author: Florian Roth
date: 2017/02/06
diff --git a/rules/windows/builtin/win_susp_rottenpotato.yml b/rules/windows/builtin/win_susp_rottenpotato.yml
index 1e7d58b28..c6df34101 100644
--- a/rules/windows/builtin/win_susp_rottenpotato.yml
+++ b/rules/windows/builtin/win_susp_rottenpotato.yml
@@ -10,6 +10,7 @@ tags:
- attack.privilege_escalation
- attack.credential_access
- attack.t1171
+ - attack.t1557.001
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index 930531db2..117fa49b8 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -5,6 +5,7 @@ description: Detects suspicious SAM dump activity as cause by QuarksPwDump and o
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
author: Florian Roth
date: 2018/01/27
logsource:
diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 5f8df21e5..8483f0265 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -13,6 +13,8 @@ tags:
- attack.t1107
- attack.t1066
- attack.s0195
+ - attack.t1551.004
+ - attack.t1027
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
index 7b0b7dccf..d31a49b42 100644
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
@@ -5,6 +5,7 @@ tags:
- attack.defense_evasion
- attack.t1070
- car.2016-04-002
+ - attack.t1551
author: Florian Roth
date: 2017/02/19
logsource:
diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml
index 628f4a7fb..c457b28e5 100644
--- a/rules/windows/builtin/win_susp_time_modification.yml
+++ b/rules/windows/builtin/win_susp_time_modification.yml
@@ -11,6 +11,7 @@ midified: 2020/01/27
tags:
- attack.defense_evasion
- attack.t1099
+ - attack.t1551.006
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
index 7eca151e2..921c558eb 100644
--- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -10,6 +10,7 @@ modified: 2019/11/13
tags:
- attack.lateral_movement
- attack.t1208
+ - attack.t1558.003
logsource:
product: windows
service: security
@@ -23,7 +24,7 @@ detection:
- '\opera.exe'
- '\chrome.exe'
- '\firefox.exe'
- condition: selection and not filter
+ condition: selection and not filter
falsepositives:
- Other browsers
level: high
diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
index 15a918845..9084a2cb6 100644
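Review bot: The hunk header for win_susp_time_modification.yml shows the line preceding the hunk as `midified: 2020/01/27`, a misspelling of the Sigma `modified` attribute; the rule's modification date is therefore invisible to any tooling that reads that field. Since the file is already being touched for its tags, renaming the key to `modified: 2020/01/27` would be a one-line fix. That line lies just outside the visible hunk, so confirm it in the file rather than from the header alone.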
--- a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
+++ b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
@@ -8,6 +8,9 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
+ - attack.t1003.001
+ - attack.t1003.003
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
index 319250a10..59ee3b4bc 100644
--- a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
+++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
@@ -1,7 +1,6 @@
title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
-description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege
- privilege set. Possible Rubeus tries to get a handle to LSA.
+description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
status: experimental
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
@@ -9,6 +8,7 @@ tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
+ - attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:
@@ -17,8 +17,8 @@ logsource:
detection:
selection:
- EventID: 4673
- Service: 'LsaRegisterLogonProcess()'
- Keywords: '0x8010000000000000' #failure
+ Service: 'LsaRegisterLogonProcess()'
+ Keywords: '0x8010000000000000' #failure
condition: selection
falsepositives:
- Unkown
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index e993a8d4f..9d3ae187f 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.t1089
- attack.defense_evasion
+ - attack.t1562.001
date: 2019/04/08
author: xknow (@xknow_infosec), xorxes (@xor_xes)
logsource:
diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml
index 528548545..168d357ee 100644
--- a/rules/windows/malware/av_password_dumper.yml
+++ b/rules/windows/malware/av_password_dumper.yml
@@ -9,11 +9,14 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1558
+ - attack.t1003.001
+ - attack.t1003.002
logsource:
product: antivirus
detection:
selection:
- Signature:
+ Signature:
- "*DumpCreds*"
- "*Mimikatz*"
- "*PWCrack*"
diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml
index b041fda85..11f8eb0ba 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/windows/malware/av_webshell.yml
@@ -9,11 +9,12 @@ references:
tags:
- attack.persistence
- attack.t1100
+ - attack.t1505.003
logsource:
product: antivirus
detection:
selection:
- Signature:
+ Signature:
- "PHP/Backdoor*"
- "JSP/Backdoor*"
- "ASP/Backdoor*"
diff --git a/rules/windows/other/win_defender_bypass.yml b/rules/windows/other/win_defender_bypass.yml
index cc4fb5b86..f70b847e8 100644
--- a/rules/windows/other/win_defender_bypass.yml
+++ b/rules/windows/other/win_defender_bypass.yml
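Review bot: The re-indented `Keywords: '0x8010000000000000' #failure` line in win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml keeps an inline comment with no space after `#` and a single space before it, which yamllint's comments rule rejects; `Keywords: '0x8010000000000000'  # failure` is the conventional form. This is style only — the matched Keywords value is unchanged and the explanation of what the mask means is worth keeping.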
@@ -6,6 +6,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1089
+ - attack.t1562.001
author: "@BarryShooshooga"
date: 2019/10/26
logsource:
@@ -14,13 +15,13 @@ logsource:
definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
detection:
selection:
- EventID:
+ EventID:
- 4657
- 4656
- 4660
- 4663
ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
condition: selection
-falsepositives:
+falsepositives:
- Intended inclusions by administrator
level: high
diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/win_rare_schtask_creation.yml
index 2992ab30c..1329e32f0 100644
--- a/rules/windows/other/win_rare_schtask_creation.yml
+++ b/rules/windows/other/win_rare_schtask_creation.yml
@@ -1,12 +1,12 @@
title: Rare Scheduled Task Creations
id: b20f6158-9438-41be-83da-a5a16ac90c2b
status: experimental
-description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count
- function selects tasks with rare names.
+description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
tags:
- attack.persistence
- attack.t1053
- attack.s0111
+ - attack.t1053.005
author: Florian Roth
date: 2017/03/17
logsource:
diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index 37f108274..07b87d019 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -10,11 +10,12 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: powershell
detection:
- selection:
+ selection:
EventID:
- 4103
- 400
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
index d6c42d039..4f52faecf 100644
--- a/rules/windows/powershell/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
@@ -9,6 +9,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1146
+ - attack.t1551.003
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_create_local_user.yml
index 279826f96..d479cb488 100644
--- a/rules/windows/powershell/powershell_create_local_user.yml
+++ b/rules/windows/powershell/powershell_create_local_user.yml
@@ -1,6 +1,6 @@
title: PowerShell Create Local User
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
-status: experimental
+status: experimental
description: Detects creation of a local user via PowerShell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
@@ -9,8 +9,9 @@ tags:
- attack.t1086
- attack.persistence
- attack.t1136
-author: '@ROxPinTeddy'
-date: 2020/04/11
+ - attack.t1059.001
+author: '@ROxPinTeddy'
+date: 2020/04/11
logsource:
product: windows
service: powershell
@@ -19,7 +20,7 @@ detection:
EventID: 4104
Message|contains:
- 'New-LocalUser'
- condition: selection
+ condition: selection
falsepositives:
- - Legitimate user creation
+ - Legitimate user creation
level: medium
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml
index 9af0feff2..ebd3a1c0c 100644
--- a/rules/windows/powershell/powershell_data_compressed.yml
+++ b/rules/windows/powershell/powershell_data_compressed.yml
@@ -1,8 +1,7 @@
title: Data Compressed - Powershell
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
- of data sent over the network
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
@@ -15,7 +14,7 @@ logsource:
detection:
selection:
EventID: 4104
- keywords|contains|all:
+ keywords|contains|all:
- '-Recurse'
- '|'
- 'Compress-Archive'
@@ -26,3 +25,4 @@ level: low
tags:
- attack.exfiltration
- attack.t1002
+ - attack.t1560
diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_downgrade_attack.yml
index 8071fcb46..d14ef31af 100644
--- a/rules/windows/powershell/powershell_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_downgrade_attack.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
modified: 2020/03/20
@@ -24,4 +25,4 @@ detection:
falsepositives:
- Penetration Test
- Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index 28448cc58..9a921aa8c 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
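Review bot: `keywords|contains|all:` in powershell_data_compressed.yml sits beside `EventID: 4104` inside the `selection` map, so Sigma treats `keywords` as an event field name rather than as its free-text keyword list; 4104 script-block events carry the script text in ScriptBlockText, so unless the backend's field mapping aliases `keywords`, the three values that follow may never match and the rule silently produces nothing. Since the line is being rewritten for whitespace anyway, `ScriptBlockText|contains|all:` is the field other 4104 rules in this repository key on — worth confirming against the backend before merging. The `selection` block may continue past the end of the hunk.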
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index 04c495efe..e232d1bf4 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index 1fb45807c..a0131ff6d 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
index 26074603a..e7d075a56 100644
--- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -8,6 +8,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Alec Costello
logsource:
product: windows
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml
index e2c531b76..bf4c81ea0 100644
--- a/rules/windows/powershell/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1096
+ - attack.t1564.004
author: Sami Ruohonen
date: 2018/07/24
logsource:
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index 9b810c4b6..c4c4d5f26 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -9,6 +9,7 @@ tags:
- attack.execution
- attack.credential_access
- attack.t1086
+ - attack.t1059.001
author: John Lambert (idea), Florian Roth (rule)
date: 2017/04/09
logsource:
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml
index c955031d0..9ca1ffa51 100644
--- a/rules/windows/powershell/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_psattack.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml
index 2da0f0f34..c5b9e3cf2 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
@@ -10,11 +10,12 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: powershell
detection:
- selection:
+ selection:
EventID:
- 4103
- 400
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml
index f705329d0..fabff88ac 100644
--- a/rules/windows/powershell/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_shellcode_b64.yml
@@ -9,6 +9,7 @@ tags:
- attack.execution
- attack.t1055
- attack.t1086
+ - attack.t1059
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
logsource:
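Review bot: `attack.t1059` added to powershell_shellcode_b64.yml is the parent Command and Scripting Interpreter technique, while every other PowerShell rule in this commit maps the same old `attack.t1086` tag to `attack.t1059.001`; this rule also keys on PowerShell script-block content (its EventID 4104 selection is in the following hunk), so `  - attack.t1059.001` would keep the tagging consistent and more specific. The tags list continues outside the hunk, so check that the sub-technique is not already listed further down.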
@@ -18,9 +19,9 @@ logsource:
detection:
selection:
EventID: 4104
- keyword1:
+ keyword1:
- '*AAAAYInlM*'
- keyword2:
+ keyword2:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
condition: selection and keyword1 and keyword2
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index cc7351864..6d8fe1b13 100644
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -5,6 +5,7 @@ description: Detects suspicious PowerShell download command
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Florian Roth
date: 2017/03/05
modified: 2020/03/25
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
index 6127e1f76..8f6637ccf 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
@@ -5,6 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Florian Roth (rule)
date: 2017/03/12
logsource:
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 41b6f78bc..bfdbad36f 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -5,6 +5,7 @@ description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
author: Florian Roth (rule)
date: 2017/03/05
logsource:
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index fa90f0eb5..0f2b8c497 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
@@ -11,6 +11,7 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
product: windows
service: powershell
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
index fd1378f49..bc5c334e0 100644
--- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
@@ -1,10 +1,7 @@
title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: experimental
-description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
- Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
- used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load
- and execute malicious DLLs and/or executables.
+description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
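Review bot: The rewritten description line in powershell_winlogon_helper_dll.yml carries over the path `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\`, which has no separators around the optional WOW64 element and so cannot be pasted into a registry tool as written; since the line is being rewritten anyway, spell it out as `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` and mention `Wow6432Node\` as the optional 32-bit-view prefix under `Software\`. The value stays a plain scalar containing backslashes and brackets, which YAML accepts in this position but which becomes fragile if the text ever gains a leading `[` or a `: `; single-quoting the description would make it robust.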
@@ -17,10 +14,10 @@ logsource:
detection:
selection:
EventID: 4104
- keyword1:
+ keyword1:
- '*Set-ItemProperty*'
- '*New-Item*'
- keyword2:
+ keyword2:
- '*CurrentVersion\Winlogon*'
condition: selection and ( keyword1 and keyword2 )
falsepositives:
@@ -29,3 +26,4 @@ level: medium
tags:
- attack.persistence
- attack.t1004
+ - attack.t1547.004
diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
index fe907c490..d4f122923 100644
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -7,8 +7,9 @@ tags:
- attack.execution
- attack.g0016
- attack.t1086
+ - attack.t1059.001
author: Florian Roth
-date: 2018/12/04
+date: 2018/12/04
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_babyshark.yml b/rules/windows/process_creation/win_apt_babyshark.yml
index fe7bc28c5..cf40e92fd 100644
--- a/rules/windows/process_creation/win_apt_babyshark.yml
+++ b/rules/windows/process_creation/win_apt_babyshark.yml
@@ -12,6 +12,9 @@ tags:
- attack.t1012
- attack.defense_evasion
- attack.t1170
+ - attack.t1218
+ - attack.t1059.003
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
index d3d160ee3..d629b4913 100644
--- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -9,6 +9,7 @@ tags:
- attack.credential_access
- attack.t1081
- attack.t1003
+ - attack.t1552.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml
index 231f2bb8b..ab58aaff7 100644
--- a/rules/windows/process_creation/win_apt_bluemashroom.yml
+++ b/rules/windows/process_creation/win_apt_bluemashroom.yml
@@ -7,6 +7,7 @@ references:
tags:
- attack.defense_evasion
- attack.t1117
+ - attack.t1218.010
author: Florian Roth
date: 2019/10/02
logsource:
@@ -14,7 +15,7 @@ logsource:
product: windows
detection:
selection:
- CommandLine:
+ CommandLine:
- '*\regsvr32*\AppData\Local\\*'
- '*\AppData\Local\\*,DllEntry*'
condition: selection
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index 3e94043ff..51a72fe6e 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -9,6 +9,7 @@ tags:
- attack.execution
- attack.g0045
- attack.t1064
+ - attack.t1059.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
index 8cfc979a5..2cb176b29 100755
--- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -13,6 +13,7 @@ tags:
- attack.t1059
- attack.defense_evasion
- attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
index a9924f6e8..e781f65bb 100644
--- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -12,6 +12,7 @@ tags:
- attack.t1098
- attack.exfiltration
- attack.t1002
+ - attack.t1560
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml
index 15963070d..2124e236e 100755
--- a/rules/windows/process_creation/win_apt_sofacy.yml
+++ b/rules/windows/process_creation/win_apt_sofacy.yml
@@ -15,6 +15,7 @@ tags:
- attack.defense_evasion
- attack.t1085
- car.2013-10-002
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml
index 696975115..7bf80dfb5 100644
--- a/rules/windows/process_creation/win_apt_tropictrooper.yml
+++ b/rules/windows/process_creation/win_apt_tropictrooper.yml
@@ -9,6 +9,7 @@ references:
tags:
- attack.execution
- attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
index c2b7bf877..23bfc1823 100644
--- a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
+++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
@@ -12,6 +12,7 @@ tags:
- attack.t1027
- attack.discovery
- attack.t1016
+ - attack.t1059.001
author: Florian Roth
date: 2020/05/26
logsource:
diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
index ed6e7b42e..ef29cd989 100644
--- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
+++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.t1073
- attack.g0044
+ - attack.t1574.002
author: Florian Roth, Markus Neis
date: 2020/02/01
logsource:
@@ -15,9 +16,9 @@ logsource:
product: windows
detection:
selection1:
- ParentImage|contains:
- 'C:\Windows\Temp'
- '\hpqhvind.exe'
+ ParentImage|contains:
+ - 'C:\Windows\Temp'
+ - '\hpqhvind.exe'
Image|startswith: 'C:\ProgramData\DRM'
selection2:
ParentImage|startswith: 'C:\ProgramData\DRM'
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index af5e61227..47a5b4f76 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -11,6 +11,7 @@ tags:
- attack.t1059
- attack.defense_evasion
- attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index ec753dcfd..048ae4358 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -26,6 +26,7 @@ tags:
- attack.defense_evasion
- attack.persistence
- attack.t1158
+ - attack.t1564.001
falsepositives:
- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
- msiexec.exe hiding desktop.ini
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
index c01a933cc..db1a6be52 100644
--- a/rules/windows/process_creation/win_change_default_file_association.yml
+++ b/rules/windows/process_creation/win_change_default_file_association.yml
@@ -1,9 +1,7 @@
title: Change Default File Association
id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
status: experimental
-description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections
- are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc
- utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
@@ -15,9 +13,9 @@ logsource:
detection:
selection:
CommandLine|contains|all:
- - 'cmd'
- - '/c'
- - 'assoc'
+ - 'cmd'
+ - '/c'
+ - 'assoc'
condition: selection
falsepositives:
- Admin activity
@@ -33,3 +31,4 @@ level: low
tags:
- attack.persistence
- attack.t1042
+ - attack.t1546.001
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
index 9a880199a..86b9126f0 100644
--- a/rules/windows/process_creation/win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -10,6 +10,7 @@ date: 2019/01/16
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.005
logsource:
category: process_creation
product: windows
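Review bot: `attack.t1003.005` (OS Credential Dumping: Cached Domain Credentials) added to win_cmdkey_recon.yml looks like a mismatch: the DCC2 cache that sub-technique describes is not what a cmdkey listing exposes, which — judging from the file name, as the detection block is outside this hunk — enumerates Credential Manager entries. Please check the rule's description and map to the technique that actually fits, or leave the rule on the parent `attack.t1003` until a matching sub-technique is settled.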
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index 67f9fe097..ffa1d6f5c 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -10,6 +10,8 @@ tags:
- attack.t1191
- attack.g0069
- car.2019-04-001
+ - attack.t1548.002
+ - attack.t1218
author: Nik Seetharaman
modified: 2019/07/31
date: 2019/01/16
diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml
index ead8d17ae..f1b50d7e4 100644
--- a/rules/windows/process_creation/win_control_panel_item.yml
+++ b/rules/windows/process_creation/win_control_panel_item.yml
@@ -8,6 +8,7 @@ tags:
- attack.execution
- attack.t1196
- attack.defense_evasion
+ - attack.t1218
author: Kyaw Min Thein
date: 2019/08/27
level: critical
diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
index f7b43d2da..50f341af3 100644
--- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
@@ -13,13 +13,15 @@ tags:
- attack.credential_access
- attack.t1003
- car.2013-07-001
+ - attack.t1003.002
+ - attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\esentutl.exe'
- CommandLine|contains:
+ CommandLine|contains:
- 'vss'
- ' /m '
- ' /y '
diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml
index 8c714f371..3fca41312 100755
--- a/rules/windows/process_creation/win_crime_fireball.yml
+++ b/rules/windows/process_creation/win_crime_fireball.yml
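Review bot: The generic `attack.t1218` added to win_cmstp_com_object_access.yml is broader than the mapping the rest of this change uses: ATT&CK has a dedicated sub-technique for CMSTP, T1218.003, and the rule already carries the CMSTP-specific legacy tag `attack.t1191`, so the line should read `- attack.t1218.003`. The same applies to win_control_panel_item.yml in the next hunk (`attack.t1196` maps to `- attack.t1218.002`) and to win_mshta_spawn_shell.yml further down, where win_mshta_javascript.yml and win_lethalhta.yml in this same change already use `attack.t1218.005`. Keeping the parent id only where a rule genuinely spans several signed binaries (win_possible_applocker_bypass.yml) keeps the tag set consistent.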
@@ -12,6 +12,7 @@ tags:
- attack.t1059
- attack.defense_evasion
- attack.t1085
+ - attack.t1218.011
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml
index b499999d8..b7ed701ee 100644
--- a/rules/windows/process_creation/win_data_compressed_with_rar.yml
+++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml
@@ -29,4 +29,5 @@ falsepositives:
level: low
tags:
- attack.exfiltration
- - attack.t1002
\ No newline at end of file
+ - attack.t1002
+ - attack.t1560
diff --git a/rules/windows/process_creation/win_encoded_frombase64string.yml b/rules/windows/process_creation/win_encoded_frombase64string.yml
index 9a480ec0c..92087ad25 100644
--- a/rules/windows/process_creation/win_encoded_frombase64string.yml
+++ b/rules/windows/process_creation/win_encoded_frombase64string.yml
@@ -9,6 +9,7 @@ tags:
- attack.t1140
- attack.execution
- attack.defense_evasion
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_encoded_iex.yml b/rules/windows/process_creation/win_encoded_iex.yml
index 61bff8ab3..e3740b9b8 100644
--- a/rules/windows/process_creation/win_encoded_iex.yml
+++ b/rules/windows/process_creation/win_encoded_iex.yml
@@ -8,16 +8,17 @@ tags:
- attack.t1086
- attack.t1140
- attack.execution
+ - attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains:
- - 'IEX (['
- - 'iex (['
- - 'iex (New'
- - 'IEX (New'
+ CommandLine|base64offset|contains:
+ - 'IEX (['
+ - 'iex (['
+ - 'iex (New'
+ - 'IEX (New'
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index 1a04a8dda..6b6e182fa 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
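Review bot: `attack.t1059.003` (Windows Command Shell) does not fit win_encoded_iex.yml: the detection in this hunk matches base64-offset variants of `IEX ([` and `iex (New`, i.e. PowerShell Invoke-Expression, and the rule keeps `attack.t1086`, which every other PowerShell rule in this change (win_encoded_frombase64string.yml in the hunk just above, for one) maps to the PowerShell sub-technique. Replace the added line with `- attack.t1059.001`.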
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -10,8 +10,9 @@ author: '@neu5ron, Florian Roth'
date: 2019/03/22
tags:
- attack.execution
- attack.t1070
- car.2016-04-002
+ - attack.t1070
+ - car.2016-04-002
+ - attack.t1551
level: high
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
index a8377a19c..c7a4b6019 100644
--- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
+++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml
@@ -11,17 +11,18 @@ tags:
- attack.credential_access
- attack.t1003
- car.2013-07-001
+ - attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image: '*\reg.exe'
- CommandLine|contains:
+ CommandLine|contains:
- 'save'
- 'export'
selection_2:
- CommandLine|contains:
+ CommandLine|contains:
- 'hklm'
- 'hkey_local_machine'
selection_3:
diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml
index 9e8b46fa8..a012eb576 100644
--- a/rules/windows/process_creation/win_hack_koadic.yml
+++ b/rules/windows/process_creation/win_hack_koadic.yml
@@ -1,7 +1,7 @@
title: Koadic Execution
id: 5cddf373-ef00-4112-ad72-960ac29bac34
status: experimental
-description: Detects command line parameters used by Koadic hack tool
+description: Detects command line parameters used by Koadic hack tool
references:
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955
@@ -9,6 +9,7 @@ references:
tags:
- attack.execution
- attack.t1170
+ - attack.t1218.005
date: 2020/01/12
author: wagga
logsource:
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 9c63c07dd..df77011c8 100644
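Review bot: `attack.t1551` added to win_etw_trace_evasion.yml appears to be the identifier used for Indicator Removal on Host in the ATT&CK sub-technique beta; in the released sub-technique matrix that technique kept its id T1070, which the rule already carries, so this tag is unlikely to resolve against the current matrix — please verify and either drop it or replace it with the applicable T1070 sub-technique. The same tag is added to win_malware_notpetya.yml later in this change. Separately, the `- attack.t1070` and `- car.2016-04-002` lines are removed and re-added with only indentation changed, which adds blame noise for no semantic change.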
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -9,6 +9,8 @@ tags:
- attack.credential_access
- attack.t1003
- attack.s0005
+ - attack.t1558
+ - attack.t1558.003
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml
index bbc690682..82d1791d7 100644
--- a/rules/windows/process_creation/win_hh_chm.yml
+++ b/rules/windows/process_creation/win_hh_chm.yml
@@ -12,6 +12,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1223
+ - attack.t1218.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_html_help_spawn.yml b/rules/windows/process_creation/win_html_help_spawn.yml
index ed18c5c0f..ce8413120 100644
--- a/rules/windows/process_creation/win_html_help_spawn.yml
+++ b/rules/windows/process_creation/win_html_help_spawn.yml
@@ -11,6 +11,7 @@ tags:
- attack.execution
- attack.defense_evasion
- attack.t1223
+ - attack.t1218.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml
index d9002353e..24a96f3e6 100644
--- a/rules/windows/process_creation/win_hwp_exploits.yml
+++ b/rules/windows/process_creation/win_hwp_exploits.yml
@@ -16,6 +16,7 @@ tags:
- attack.t1202
- attack.t1193
- attack.g0032
+ - attack.t1566.001
author: Florian Roth
date: 2019/10/24
logsource:
diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml
index 52149935e..c56855d69 100644
--- a/rules/windows/process_creation/win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/win_impacket_lateralization.yml
@@ -53,6 +53,7 @@ tags:
- attack.lateral_movement
- attack.t1047
- attack.t1175
+ - attack.t1021
falsepositives:
- pentesters
level: critical
diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
index e04fb3128..34f7d6092 100644
--- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml
@@ -8,6 +8,7 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1015
+ - attack.t1546.008
author: Florian Roth
date: 2019/09/06
logsource:
@@ -27,4 +28,4 @@ detection:
falsepositives:
- Penetration Tests
level: high
-
+
diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml
index 3c7e0009d..b28ba32e2 100644
--- a/rules/windows/process_creation/win_interactive_at.yml
+++ b/rules/windows/process_creation/win_interactive_at.yml
@@ -11,6 +11,7 @@ modified: 2019/11/11
tags:
- attack.privilege_escalation
- attack.t1053
+ - attack.t1053.002
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index 80496bc9c..331c64c0b 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1170
+ - attack.t1218.005
author: Markus Neis
date: 2018/06/07
logsource:
diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml
index 7514fe9c4..de0ee64e4 100644
--- a/rules/windows/process_creation/win_lsass_dump.yml
+++ b/rules/windows/process_creation/win_lsass_dump.yml
@@ -1,7 +1,6 @@
title: LSASS Memory Dumping
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
-description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe
- to export the memory space of lsass.exe which contains sensitive credentials.
+description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
@@ -13,6 +12,7 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index d294395c6..10ecc8a76 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -1,8 +1,7 @@
title: NotPetya Ransomware Activity
id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
status: experimental
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive
- C is deleted and windows eventlogs are cleared using wevtutil
+description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
author: Florian Roth, Tom Ueltschi
date: 2019/01/16
references:
@@ -16,6 +15,8 @@ tags:
- attack.t1070
- attack.t1003
- car.2016-04-002
+ - attack.t1218.011
+ - attack.t1551
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index 251a3a0a6..0dda13608 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -8,6 +8,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1064
+ - attack.t1059.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml
index 11b6aa84d..90ab52457 100644
--- a/rules/windows/process_creation/win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/win_mimikatz_command_line.yml
@@ -8,6 +8,10 @@ references:
tags:
- attack.credential_access
- attack.t1003
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.001
+ - attack.t1003.006
logsource:
category: process_creation
product: windows
@@ -30,8 +34,7 @@ detection:
selection_3:
CommandLine|contains:
- '::'
- condition: selection_1 or
- selection_2 and selection_3
+ condition: selection_1 or selection_2 and selection_3
falsepositives:
- Legitimate Administrator using tool for password recovery
level: medium
diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml
index bf207bebf..dc0dfb5a4 100644
--- a/rules/windows/process_creation/win_mmc_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml
@@ -7,6 +7,10 @@ date: 2019/08/05
tags:
- attack.lateral_movement
- attack.t1175
+ - attack.t1059.004
+ - attack.t1059.005
+ - attack.t1059.003
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
index a52c88d11..62b7d6084 100644
--- a/rules/windows/process_creation/win_mshta_javascript.yml
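Review bot: Joining the win_mimikatz_command_line.yml condition onto one line as `selection_1 or selection_2 and selection_3` leaves the grouping implicit; Sigma binds `and` tighter than `or`, so this evaluates as `selection_1 or (selection_2 and selection_3)`, the same as the old two-line layout, but a reader scanning the new single line can easily take it as `(selection_1 or selection_2) and selection_3`. Since the line is being rewritten anyway, make the intent explicit with `condition: selection_1 or ( selection_2 and selection_3 )`, matching the bracketed style used in powershell_winlogon_helper_dll.yml elsewhere in this change. The detection block begins before this hunk.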
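Review bot: `attack.t1059.004` is Command and Scripting Interpreter: Unix Shell and cannot apply to win_mmc_spawn_shell.yml, which is a Windows process_creation rule (`product: windows` in this hunk); the other three added sub-techniques (`.001` PowerShell, `.003` Windows Command Shell, `.005` Visual Basic) already cover the interpreters an MMC child process could be. Drop the `- attack.t1059.004` line.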
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
@@ -12,6 +12,7 @@ tags:
- attack.execution
- attack.defense_evasion
- attack.t1170
+ - attack.t1218.005
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index 3909f7213..f6900f532 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
@@ -33,6 +33,7 @@ tags:
- car.2013-02-003
- car.2013-03-001
- car.2014-04-003
+ - attack.t1218
falsepositives:
- Printer software / driver installations
- HP software
diff --git a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
index f2fc0607c..def36dc73 100644
--- a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
+++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
@@ -1,5 +1,5 @@
title: Netsh RDP Port Opening
-id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
+id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
references:
- https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
@@ -7,6 +7,7 @@ date: 2020/05/23
tags:
- attack.command_and_control
- attack.t1076
+ - attack.t1021.001
status: experimental
author: Sander Wiebing
logsource:
diff --git a/rules/windows/process_creation/win_new_service_creation.yml b/rules/windows/process_creation/win_new_service_creation.yml
index 67d6ae36f..e8a3c4bbb 100644
--- a/rules/windows/process_creation/win_new_service_creation.yml
+++ b/rules/windows/process_creation/win_new_service_creation.yml
@@ -9,6 +9,7 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
+ - attack.t1543.003
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml
logsource:
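Review bot: The `attack.t1021.001` (Remote Services: Remote Desktop Protocol) added to win_netsh_allow_port_rdp.yml is a Lateral Movement technique, but the only tactic tag on the rule is `attack.command_and_control`, so after this hunk the tactic and technique tags no longer agree. Either add `- attack.lateral_movement` next to it or reconsider whether a firewall-rule change for port 3389 is better expressed as a defense-evasion/impair-defenses mapping; the description in the preceding hunk suggests the rule targets the firewall change itself rather than an RDP session. The `id:` change in that preceding hunk is whitespace-only.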
@@ -16,11 +17,11 @@ logsource:
product: windows
detection:
selection:
- - Image|endswith: '\sc.exe'
+ - Image|endswith: '\sc.exe'
CommandLine|contains|all:
- 'create'
- 'binpath'
- - Image|endswith: '\powershell.exe'
+ - Image|endswith: '\powershell.exe'
CommandLine|contains: 'new-service'
condition: selection
falsepositives:
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 0333dde00..7855ea3a8 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -10,11 +10,12 @@ references:
tags:
- attack.execution
- attack.t1086
+ - attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
- selection:
+ selection:
Image|endswith: '\powershell.exe'
filter:
ParentImage|endswith: '\explorer.exe'
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index aa29383e9..537def033 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -12,6 +12,7 @@ tags:
- attack.t1202
- car.2013-02-003
- car.2014-04-003
+ - attack.t1059.003
author: Michael Haag, Florian Roth, Markus Neis
date: 2018/04/06
logsource:
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 5d8a80358..64c87d034 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -11,6 +11,7 @@ tags:
- attack.s0013
- attack.defense_evasion
- attack.t1073
+ - attack.t1574.002
logsource:
category: process_creation
product: windows
@@ -84,10 +85,7 @@ detection:
 - '*\Windows Kit*'
 - '*\Windows Resource Kit\\*'
 - '*\Microsoft.NET\\*'
- condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu )
- or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc
- ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview
- and not filter_oleview ) or ( selection_rc and not filter_rc )
+ condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 65b988f85..b0b0853a4 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -13,6 +13,7 @@ tags:
 - attack.t1121
 - attack.t1127
 - attack.t1170
+ - attack.t1218
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
index 0211555b7..335aadc3a 100644
--- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml
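Review bot: The rewritten `condition:` in win_plugx_susp_exe_locations is now one very long line, which is hard to read and to diff when another selection/filter pair is added; YAML folds the old multi-line plain scalar with single spaces, so old and new already parse to the same string and the rewrap is cosmetic. If the project's YAML loader and linters accept block scalars, a folded scalar keeps the value identical while giving one clause per line: `condition: >-` followed by `( selection_cammute and not filter_cammute )` and then `or ( selection_chrome_frame and not filter_chrome_frame )` on its own line, and so on for the remaining pairs. The detection block this condition belongs to starts outside the hunk.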
+++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
@@ -9,6 +9,7 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1086
+ - attack.t1059.001
 author: Markus Neis
 date: 2018/08/17
 logsource:
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index 4cb036d60..1e8ff007c 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
@@ -8,6 +8,7 @@ tags:
 - attack.execution
 - attack.t1086
 - car.2014-04-003
+ - attack.t1059.001
 author: Markus Neis
 date: 2018/08/25
 logsource:
diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
index d9781724a..3d6c063f7 100644
--- a/rules/windows/process_creation/win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
@@ -1,7 +1,7 @@
 title: PowerShell Downgrade Attack
 id: b3512211-c67e-4707-bedc-66efc7848863
 related:
- - id: 6331d09b-4785-4c13-980f-f96661356249
+ - id: 6331d09b-4785-4c13-980f-f96661356249
 type: derived
 status: experimental
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
@@ -11,6 +11,7 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 author: Harish Segar (rule)
 date: 2020/03/20
 falsepositives:
@@ -22,12 +23,12 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - ' -version 2 '
 - ' -versio 2 '
 - ' -versi 2 '
 - ' -vers 2 '
 - ' -ver 2 '
- - ' -ve 2 '
+ - ' -ve 2 '
 Image|endswith: '\powershell.exe'
 condition: selection
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index 83b93e133..813a45bfd 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -7,6 +7,7 @@ date: 2019/01/16
 tags:
 - attack.t1086
 - attack.execution
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
index 41a0f1cdc..141000599 100644
--- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
+++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 date: 2019/01/16
 logsource:
diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml
index c7d39c952..150a13e78 100644
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml
@@ -7,6 +7,7 @@ date: 2018/09/05
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 detection:
 selection:
 CommandLine:
diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index e6f689cac..a3094b5bf 100644
--- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
@@ -31,6 +31,8 @@ tags:
 - attack.g0022
 - attack.g0060
 - car.2013-08-001
+ - attack.t1053.005
+ - attack.t1059.001
 falsepositives:
 - False positives are possible, depends on organisation and processes
 level: high
diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
index 88e15976c..5d85fbdf7 100644
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml
@@ -12,6 +12,7 @@ tags:
 - attack.credential_access
 - attack.t1003
 - car.2013-05-009
+ - attack.t1003.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml
index 5c77a450e..a2c3dbf17 100644
--- a/rules/windows/process_creation/win_psexesvc_start.yml
+++ b/rules/windows/process_creation/win_psexesvc_start.yml
@@ -8,12 +8,13 @@ tags:
 - attack.execution
 - attack.t1035
 - attack.s0029
+ - attack.t1569.002
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine: C:\Windows\PSEXESVC.exe
+ CommandLine: C:\Windows\PSEXESVC.exe
 condition: selection
 falsepositives:
 - Administrative activity
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index cdd0ce0d5..5509721e2 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -10,6 +10,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
index b4a03177c..eaa76e6c7 100644
--- a/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
+++ b/rules/windows/process_creation/win_run_powershell_script_from_ads.yml
@@ -9,6 +9,7 @@ date: 2019/10/30
 tags:
 - attack.defense_evasion
 - attack.t1096
+ - attack.t1564.004
 logsource:
 category: process_creation
 product: windows
@@ -16,9 +17,9 @@ detection:
 selection:
 ParentImage|endswith: '\powershell.exe'
 Image|endswith: '\powershell.exe'
- CommandLine|contains|all:
- - 'Get-Content'
- - '-Stream'
+ CommandLine|contains|all:
+ - 'Get-Content'
+ - '-Stream'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
index 1509516e8..b98a0c866 100644
--- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
+++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.persistence
 - attack.t1138
+ - attack.t1546.011
 author: Markus Neis
 date: 2019/01/16
 logsource:
diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml
index 865e7a226..72b3903f6 100644
--- a/rules/windows/process_creation/win_service_execution.yml
+++ b/rules/windows/process_creation/win_service_execution.yml
@@ -12,7 +12,7 @@ logsource:
 product: windows
 detection:
 selection:
- Image|endswith:
+ Image|endswith:
 - '\net.exe'
 - '\net1.exe'
 CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
@@ -23,3 +23,4 @@ level: low
 tags:
 - attack.execution
 - attack.t1035
+ - attack.t1569.002
diff --git a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
index 17c6d56d9..45149619b 100644
--- a/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
+++ b/rules/windows/process_creation/win_shadow_copies_access_symlink.yml
@@ -8,14 +8,16 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.002
+ - attack.t1003.003
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
- - mklink
- - HarddiskVolumeShadowCopy
+ CommandLine|contains|all:
+ - mklink
+ - HarddiskVolumeShadowCopy
 condition: selection
 falsepositives:
 - Legitimate administrator working with shadow copies, access for backup purposes
diff --git a/rules/windows/process_creation/win_shadow_copies_creation.yml b/rules/windows/process_creation/win_shadow_copies_creation.yml
index 828c54a5a..578c1ba11 100644
--- a/rules/windows/process_creation/win_shadow_copies_creation.yml
+++ b/rules/windows/process_creation/win_shadow_copies_creation.yml
@@ -9,6 +9,8 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.002
+ - attack.t1003.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml
index 43bdfd90c..d017b3596 100644
--- a/rules/windows/process_creation/win_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml
@@ -15,6 +15,7 @@ tags:
 - attack.impact
 - attack.t1070
 - attack.t1490
+ - attack.t1551
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
index 1a77be480..17968c3b4 100644
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
@@ -11,6 +11,8 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1064
+ - attack.t1059.005
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
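Review bot: I cannot map the `- attack.t1551` added to win_shadow_copies_deletion to an ATT&CK Enterprise technique; in the sub-technique release T1070 (Indicator Removal on Host) kept its own ID and gained children such as T1070.001 (Clear Windows Event Logs) and T1070.004 (File Deletion), so the tag looks like a typo for one of those and the existing `- attack.t1070` already covers the parent. The same `attack.t1551` tag is added in the later hunks for win_susp_bcdedit, win_susp_eventlog_clear (where t1070.001 would fit the wevtutil/Clear-EventLog selections) and win_susp_fsutil_usage; please confirm the intended ID against the ATT&CK release the commit targets before merging, since a non-existent technique ID silently drops these rules from Navigator layers and coverage reports.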
diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml
index 21638ae35..7bc875688 100644
--- a/rules/windows/process_creation/win_spn_enum.yml
+++ b/rules/windows/process_creation/win_spn_enum.yml
@@ -9,6 +9,7 @@ date: 2018/11/14
 tags:
 - attack.credential_access
 - attack.t1208
+ - attack.t1558.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml
index 47b527132..7b74bef44 100644
--- a/rules/windows/process_creation/win_susp_bcdedit.yml
+++ b/rules/windows/process_creation/win_susp_bcdedit.yml
@@ -11,6 +11,8 @@ tags:
 - attack.t1070
 - attack.persistence
 - attack.t1067
+ - attack.t1551
+ - attack.t1542.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
index 92445f877..64efc023a 100644
--- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
+++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml
@@ -1,8 +1,7 @@
 title: Command Line Execution with Suspicious URL and AppData Strings
 id: 1ac8666b-046f-4201-8aba-1951aaec03a3
 status: experimental
-description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs
- > powershell)
+description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
 references:
 - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
@@ -11,6 +10,8 @@ date: 2019/01/16
 tags:
 - attack.execution
 - attack.t1059
+ - attack.t1059.005
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml
index e3e5c9809..cb5a3cc9b 100644
--- a/rules/windows/process_creation/win_susp_compression_params.yml
+++ b/rules/windows/process_creation/win_susp_compression_params.yml
@@ -8,6 +8,7 @@ tags:
 - attack.exfiltration
 - attack.t1020
 - attack.t1002
+ - attack.t1560
 author: Florian Roth, Samir Bousseaden
 date: 2019/10/15
 logsource:
diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
index bcab5a8ec..be58a43a7 100644
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
+++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
@@ -26,6 +26,7 @@ fields:
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.001
 falsepositives:
 - unknown
 level: medium
diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml
index 00eaf7a64..cc0490313 100644
--- a/rules/windows/process_creation/win_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/win_susp_control_dll_load.yml
@@ -11,6 +11,8 @@ tags:
 - attack.t1073
 - attack.t1085
 - car.2013-10-002
+ - attack.t1218
+ - attack.t1574.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index 6d56fec2f..10b566132 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -2,22 +2,23 @@ title: Copy from Admin Share
 id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
 status: experimental
 description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
-references:
- - https://twitter.com/SBousseaden/status/1211636381086339073
+references:
+ - https://twitter.com/SBousseaden/status/1211636381086339073
 author: Florian Roth
 date: 2019/12/30
 tags:
 - attack.lateral_movement
 - attack.t1077
 - attack.t1105
+ - attack.t1021
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine|contains:
- - 'copy *\c$'
- - 'copy *\ADMIN$'
+ CommandLine|contains:
+ - 'copy *\c$'
+ - 'copy *\ADMIN$'
 condition: selection
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
index ed8904ba2..98071a310 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -9,6 +9,8 @@ tags:
 - attack.t1047
 - attack.t1053
 - attack.t1086
+ - attack.t1059.003
+ - attack.t1059.001
 author: Thomas Patzke
 date: 2020/05/22
 logsource:
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
index 0d9437038..20bb2c132 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml
@@ -10,6 +10,7 @@ tags:
 - attack.t1086
 - attack.defense_evasion
 - attack.t1027
+ - attack.t1059.001
 author: Thomas Patzke
 date: 2020/05/22
 logsource:
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index fb2a5fdf2..9752e5ffa 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -13,17 +13,18 @@ modified: 2019/12/17
 tags:
 - attack.defense_evasion
 - attack.t1500
+ - attack.t1027
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
 Image: '*\csc.exe'
- CommandLine:
+ CommandLine:
 - '*\AppData\\*'
 - '*\Windows\Temp\\*'
 filter:
- ParentImage:
+ ParentImage:
 - 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897
 - '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
 - '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
index 3a6bf7561..490884fec 100644
--- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
+++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.persistence
 - attack.t1060
+ - attack.t1547.001
 date: 2019/10/25
 modified: 2019/11/10
 author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml
index 95a5a0e3c..8b6ca56aa 100644
--- a/rules/windows/process_creation/win_susp_double_extension.yml
+++ b/rules/windows/process_creation/win_susp_double_extension.yml
@@ -1,7 +1,6 @@
 title: Suspicious Double Extension
 id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
-description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable
- file in spear phishing campaigns
+description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
 references:
 - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
 - https://twitter.com/blackorbird/status/1140519090961825792
@@ -10,12 +9,13 @@ date: 2019/06/26
 tags:
 - attack.initial_access
 - attack.t1193
+ - attack.t1566.001
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- Image:
+ Image:
 - '*.doc.exe'
 - '*.docx.exe'
 - '*.xls.exe'
@@ -28,6 +28,6 @@ detection:
 - '* .exe'
 - '*______.exe'
 condition: selection
-falsepositives:
+falsepositives:
 - Unknown
 level: critical
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index 8100a2e4c..b0e27546a 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -11,6 +11,7 @@ tags:
 - attack.defense_evasion
 - attack.t1070
 - car.2016-04-002
+ - attack.t1551
 level: high
 logsource:
 category: process_creation
@@ -19,14 +20,14 @@ detection:
 selection_wevtutil_binary:
 Image|endswith: '\wevtutil.exe'
 selection_wevtutil_command:
- CommandLine|contains:
+ CommandLine|contains:
 - 'clear-log' # clears specified log
 - ' cl ' # short version of 'clear-log'
 - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size
 - ' sl ' # short version of 'set-log'
 selection_other_ps:
 Image|endswith: '\powershell.exe'
- CommandLine|contains:
+ CommandLine|contains:
 - 'Clear-EventLog'
 - 'Remove-EventLog'
 - 'Limit-EventLog'
diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
index be5af6256..8398dc4ca 100644
--- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
@@ -7,6 +7,7 @@ date: 2019/01/16
 tags:
 - attack.persistence
 - attack.t1100
+ - attack.t1505.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml
index 8243fe887..cb900eee1 100644
--- a/rules/windows/process_creation/win_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/win_susp_file_characteristics.yml
@@ -12,6 +12,7 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1064
+ - attack.t1059.006
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml
index e204a9d7e..e7a3d0c9a 100644
--- a/rules/windows/process_creation/win_susp_fsutil_usage.yml
+++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml
@@ -12,6 +12,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1070
+ - attack.t1551
 logsource:
 category: process_creation
 product: windows
@@ -21,7 +22,7 @@ detection:
 binary_2:
 OriginalFileName: 'fsutil.exe'
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
 - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
 condition: (1 of binary_*) and selection
diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml
index e9fbbc954..1fd195029 100644
--- a/rules/windows/process_creation/win_susp_gup.yml
+++ b/rules/windows/process_creation/win_susp_gup.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1073
+ - attack.t1574.002
 author: Florian Roth
 date: 2019/02/06
 logsource:
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index d9b0a18e9..7970eaf4e 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -9,6 +9,7 @@ date: 2012/12/11
 tags:
 - attack.persistence
 - attack.t1100
+ - attack.t1505.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index fa11306c4..21f8f346b 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -18,6 +18,7 @@ tags:
 - attack.lateral_movement
 - attack.discovery
 - attack.defense_evasion
+ - attack.t1021
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
index 885268c50..102e607b9 100644
--- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
+++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
@@ -7,12 +7,13 @@ references:
 tags:
 - attack.persistence
 - attack.t1128
+ - attack.t1546.007
 date: 2019/10/25
 modified: 2019/10/25
 author: Victor Sergeev, oscd.community
 logsource:
 category: process_creation
- product: windows
+ product: windows
 detection:
 selection:
 Image|endswith: '\netsh.exe'
diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml
index a8c2f6fd3..ba0e49e3b 100644
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml
+++ b/rules/windows/process_creation/win_susp_ntdsutil.yml
@@ -9,6 +9,7 @@ date: 2019/01/16
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml
index b841940b7..19a110045 100644
--- a/rules/windows/process_creation/win_susp_outlook_temp.yml
+++ b/rules/windows/process_creation/win_susp_outlook_temp.yml
@@ -7,6 +7,7 @@ date: 2019/10/01
 tags:
 - attack.initial_access
 - attack.t1193
+ - attack.t1566.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
index a45c48015..1097603f8 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_launch.yml
@@ -10,8 +10,9 @@ references:
 author: Florian Roth
 date: 2019/04/20
 tags:
- - attack.execution
- - attack.t1086
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
index 0d662e28c..493e7220d 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
@@ -24,6 +24,7 @@ tags:
 - attack.privilege_escalation
 - attack.t1088
 - car.2019-04-001
+ - attack.t1548.002
 falsepositives:
 - unknown
 level: critical
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index e6ccc632f..feb5a72dc 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -8,8 +8,9 @@ author: Florian Roth, Markus Neis
 date: 2018/09/03
 modified: 2019/12/16
 tags:
- - attack.execution
- - attack.t1086
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index 7da4d36d5..417c37dcf 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 author: John Lambert (rule)
 date: 2019/01/16
 logsource:
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
index 32e9e2969..dfb15868a 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml
@@ -9,6 +9,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml
index a450ce4b3..bfa3d6ff1 100644
--- a/rules/windows/process_creation/win_susp_procdump.yml
+++ b/rules/windows/process_creation/win_susp_procdump.yml
@@ -13,6 +13,7 @@ tags:
 - attack.credential_access
 - attack.t1003
 - car.2013-05-009
+ - attack.t1003.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml
index b4663c8f7..13c16b3ac 100644
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@@ -8,6 +8,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 author: Florian Roth
 date: 2019/01/09
 logsource:
diff --git a/rules/windows/process_creation/win_susp_ps_downloadfile.yml b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
index 5fe3001d2..f2440a8ae 100644
--- a/rules/windows/process_creation/win_susp_ps_downloadfile.yml
+++ b/rules/windows/process_creation/win_susp_ps_downloadfile.yml
@@ -9,12 +9,13 @@ date: 2020/03/25
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'powershell'
 - '.DownloadFile'
 - 'System.Net.WebClient'
diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml
index 6a4b02334..e99596287 100644
--- a/rules/windows/process_creation/win_susp_rasdial_activity.yml
+++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml
@@ -10,6 +10,7 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1064
+ - attack.t1059
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index ce51e4b7b..a19bdbf7d 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -12,6 +12,7 @@ tags:
 - attack.execution
 - car.2019-04-002
 - car.2019-04-003
+ - attack.t1218
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index c388da171..a7dedd202 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
@@ -10,6 +10,7 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1085
+ - attack.t1218.011
 author: juju4
 date: 2019/01/16
 logsource:
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index 44f830c92..0867f34b8 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -10,6 +10,7 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1085
+ - attack.t1218.011
 author: Florian Roth
 date: 2019/10/22
 logsource:
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 7c2d3fa6e..9a33912af 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -24,6 +24,7 @@ tags:
 - attack.t1053
 - attack.s0111
 - car.2013-08-001
+ - attack.t1053.005
 falsepositives:
 - Administrative activity
 - Software installation
diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml
index 2404edc44..2e7ad48da 100644
--- a/rules/windows/process_creation/win_susp_script_execution.yml
+++ b/rules/windows/process_creation/win_susp_script_execution.yml
@@ -7,6 +7,7 @@ date: 2019/01/16
 tags:
 - attack.execution
 - attack.t1064
+ - attack.t1059.005
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml
index 6a3dbabd4..6e6504ba3 100644
--- a/rules/windows/process_creation/win_susp_service_path_modification.yml
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.persistence
 - attack.t1031
+ - attack.t1543.003
 date: 2019/10/21
 modified: 2019/11/10
 author: Victor Sergeev, oscd.community
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index dceac89d8..fb2f5d65e 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -10,6 +10,7 @@ tags:
 - attack.privilege_escalation
 - attack.t1076
 - car.2013-07-002
+ - attack.t1021
 author: Florian Roth
 date: 2018/03/17
 modified: 2018/12/11
diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml
index dfe043a89..e7844c4fe 100644
--- a/rules/windows/process_creation/win_task_folder_evasion.yml
+++ b/rules/windows/process_creation/win_task_folder_evasion.yml
@@ -1,8 +1,8 @@
 title: Tasks Folder Evasion
 id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
 status: experimental
-description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-references:
+description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
+references:
 - https://twitter.com/subTee/status/1216465628946563073
 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
 date: 2020/01/13
@@ -13,6 +13,7 @@ tags:
 - attack.t1059
 - attack.defense_evasion
 - attack.persistence
+ - attack.t1059.005
 logsource:
 product: Windows
 detection:
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
index b10c9195b..1c234bfeb 100644
--- a/rules/windows/process_creation/win_uac_cmstp.yml
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
@@ -13,13 +13,15 @@ tags:
 - attack.execution
 - attack.t1191
 - attack.t1088
+ - attack.t1548.002
+ - attack.t1218
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
 Image|endswith: '\cmstp.exe'
- CommandLine|contains:
+ CommandLine|contains:
 - '/s'
 - '/au'
 condition: selection
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
index d3ce1690a..31f1181da 100644
--- a/rules/windows/process_creation/win_uac_fodhelper.yml
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
@@ -11,6 +11,7 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.t1088
+ - attack.t1548.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml
index 1296b8e47..ff41e342f 100644
--- a/rules/windows/process_creation/win_uac_wsreset.yml
+++ b/rules/windows/process_creation/win_uac_wsreset.yml
@@ -10,6 +10,7 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.t1088
+ - attack.t1548.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index fc41f0f55..1437d0a68 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -10,6 +10,7 @@ tags:
 - attack.privilege_escalation
 - attack.persistence
 - attack.t1100
+ - attack.t1505.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 0f1192625..3d5888fe1 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -30,6 +30,7 @@ tags:
 - attack.privilege_escalation
 - attack.persistence
 - attack.t1100
+ - attack.t1505.003
 falsepositives:
 - Particular web applications may spawn a shell process legitimately
 level: high
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 555c71325..312fb4cd4 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -21,4 +21,5 @@ tags:
 - attack.execution
 - attack.t1053
 - car.2013-08-001
+ - attack.t1053.005
 level: high
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index 0d5761e9c..b5fa97cb7 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -13,8 +13,9 @@ logsource:
 tags:
 - attack.persistence
 - attack.t1084
+ - attack.t1546.003
 detection:
- selection:
+ selection:
 ParentImage: '*\EdgeTransport.exe'
 condition: selection
 falsepositives:
diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
index abe55079f..91a69ec67 100644
--- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
@@ -11,6 +11,7 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1064
+ - attack.t1059.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_wsreset_uac_bypass.yml b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
index 02d0398ed..61622933d 100644
--- a/rules/windows/process_creation/win_wsreset_uac_bypass.yml
+++ b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
@@ -1,7 +1,7 @@
 title: Wsreset UAC Bypass
 id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
 status: experimental
-description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
+description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
 - https://www.activecyber.us/activelabs/windows-uac-bypass
@@ -12,6 +12,7 @@ tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1088
+ - attack.t1548.002
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
index 067cd3709..da710320d 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
@@ -10,17 +10,18 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 logsource:
 product: windows
 service: sysmon
 detection:
- selection:
+ selection:
 EventID: 17
 PipeName|startswith: '\PSHost'
 filter:
 Image|endswith:
- - '\powershell.exe'
- - '\powershell_ise.exe'
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
 condition: selection and not filter
 fields:
 - ComputerName
diff --git a/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml b/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml
index 09e94d156..72f08c5ed 100644
--- a/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml
+++ b/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.persistence
 - attack.t1060
+ - attack.t1547.001
 date: 2019/10/21
 modified: 2019/11/10
 author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
diff --git a/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml b/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
index f91ffabce..5e05ea71b 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
@@ -2,8 +2,7 @@ title: Credentials Dumping Tools Accessing LSASS Memory
 id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
 status: experimental
 description: Detects process access LSASS memory which is typical for credentials dumping tools
-author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
- oscd.community (update)
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
 date: 2017/02/16
 modified: 2019/11/08
 references:
@@ -16,6 +15,7 @@ tags:
 - attack.s0002
 - attack.credential_access
 - car.2019-04-004
+ - attack.t1003.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
index 4ea0955c9..6a76bfa6e 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml
@@ -9,20 +9,23 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.002
+ - attack.t1003.001
+ - attack.t1003.003
 logsource:
 product: windows
 service: sysmon
 detection:
 selection:
 EventID: 11
- TargetFilename|contains:
+ TargetFilename|contains:
 - '\pwdump'
 - '\kirbi'
 - '\pwhashes'
 - '\wce_ccache'
 - '\wce_krbtkts'
 - '\fgdump-log'
- TargetFilename|endswith:
+ TargetFilename|endswith:
 - '\test.pwd'
 - '\lsremora64.dll'
 - '\lsremora.dll'
diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
index f00361180..78c45714f 100644
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
+++ b/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml
@@ -8,6 +8,9 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.006
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
index 3432e7c23..0375f2679 100644
--- a/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
+++ b/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml
@@ -1,8 +1,7 @@
 title: DHCP Callout DLL Installation
 id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
 status: experimental
-description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the
- DHCP server (restart required)
+description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
 references:
 - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
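Review bot: `TargetFilename|contains` and `TargetFilename|endswith` both sit inside the single `selection` map, and Sigma ANDs the keys of one map, so an event only fires when one file name satisfies both lists at once (contains `\pwdump` and also ends with `\test.pwd`, for instance); the commit re-indents both keys but keeps them in the same map. If the intent is to alert on either list, which the two unrelated sets of names suggest, split them into two selections, `selection_contains:` and `selection_endswith:` above their respective lists, and OR them with `condition: selection_contains or selection_endswith`. The `condition` line itself is below this hunk.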
@@ -13,6 +12,7 @@ tags:
 - attack.defense_evasion
 - attack.t1073
 - attack.t1112
+ - attack.t1574.002
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index ea7a4ea47..b363db33e 100644
--- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1089
+ - attack.t1562.001
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
 modified: 2019/11/13
@@ -15,11 +16,11 @@ logsource:
 service: sysmon detection: selection: - - EventID: 12 # key create # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' EventType: 'CreateKey' # we don't want deletekey - - EventID: 14 # key rename NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' condition: selection fields:
diff --git a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
index cfa37cb81..1dc20497a 100644
--- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.001
 author: Markus Neis
 date: 2018/07/24
 logsource:
diff --git a/rules/windows/sysmon/sysmon_in_memory_powershell.yml b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
index 56e6e4530..55b1f0582 100644
--- a/rules/windows/sysmon/sysmon_in_memory_powershell.yml
+++ b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
@@ -11,6 +11,7 @@ references:
 tags:
 - attack.t1086
 - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_invoke_phantom.yml b/rules/windows/sysmon/sysmon_invoke_phantom.yml
index 5ed1498c8..9dda2195b 100644
--- a/rules/windows/sysmon/sysmon_invoke_phantom.yml
+++ b/rules/windows/sysmon/sysmon_invoke_phantom.yml
@@ -10,6 +10,7 @@ references:
 tags:
 - attack.t1089
 - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 product: windows
 service: sysmon
@@ -19,7 +20,7 @@ detection:
 TargetImage: '*\windows\system32\svchost.exe'
 GrantedAccess: '0x1f3fff'
 CallTrace:
- - '*unknown*'
+ - '*unknown*'
 condition: selection
 falsepositives:
 - unknown
diff --git a/rules/windows/sysmon/sysmon_lsass_memdump.yml b/rules/windows/sysmon/sysmon_lsass_memdump.yml
index d6e7d045a..2a59dc1a1 100644
--- a/rules/windows/sysmon/sysmon_lsass_memdump.yml
+++ b/rules/windows/sysmon/sysmon_lsass_memdump.yml
@@ -10,6 +10,7 @@ tags:
 - attack.t1003
 - attack.s0002
 - attack.credential_access
+ - attack.t1003.001
 logsource:
 product: windows
 service: sysmon
@@ -19,8 +20,8 @@ detection:
 TargetImage: 'C:\windows\system32\lsass.exe'
 GrantedAccess: '0x1fffff'
 CallTrace:
- - '*dbghelp.dll*'
- - '*dbgcore.dll*'
+ - '*dbghelp.dll*'
+ - '*dbgcore.dll*'
 condition: selection
 falsepositives:
 - unknown
diff --git a/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
index 54f7e04fe..f5d8963fe 100644
--- a/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
@@ -9,6 +9,7 @@ modified: 2019/11/13
 tags:
 - attack.credential_access
 - attack.t1003
+ - attack.t1003.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
index 953c86104..a69294b3b 100644
--- a/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
+++ b/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml
@@ -9,6 +9,7 @@ date: 2017/03/19
 tags:
 - attack.command_and_control
 - attack.t1043
+ - attack.t1571
 logsource:
 product: windows
 service: sysmon
@@ -71,7 +72,7 @@ detection:
 filter1:
 Image: '*\Program Files*'
 filter2:
- DestinationIp:
+ DestinationIp:
 - '10.*'
 - '192.168.*'
 - '172.16.*'
diff --git a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
index 58f1cf585..a98325060 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml
@@ -10,6 +10,10 @@ tags:
 - attack.lateral_movement
 - attack.credential_access
 - car.2019-04-004
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.001
+ - attack.t1003.006
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
index 871724ab2..693cdeef5 100644
--- a/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml
@@ -21,6 +21,8 @@ tags:
 - attack.t1003
 - attack.t1028
 - attack.s0005
+ - attack.t1003.001
+ - attack.t1021.006
 falsepositives:
 - low
 level: high
diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
index 44389267a..7c88604c0 100644
--- a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
+++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml
@@ -6,6 +6,7 @@ references:
 tags:
 - attack.persistence
 - attack.t1060
+ - attack.t1547.001
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index 79202088d..b88b0a87d 100644
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -1,14 +1,14 @@
 title: New DLL Added to AppCertDlls Registry Key
 id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
 status: experimental
-description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
- by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
+description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
 references:
 - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
 - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
 tags:
 - attack.persistence
 - attack.t1182
+ - attack.t1546.009
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
 modified: 2019/11/13
@@ -17,12 +17,12 @@ logsource:
 service: sysmon
 detection:
 selection:
- - EventID:
+ - EventID:
 - 12 # key create
 - 13 # value set
 # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
 TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
- - EventID: 14 # key rename
+ - EventID: 14 # key rename
 NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
 condition: selection
 fields:
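Review bot: The `NewName` value on the `EventID: 14` branch still reads `HKLM\SYSTEM\CurentControlSet\...` (missing "r" in CurrentControlSet), so the key-rename half of this selection can never match a real Sysmon event; the hunk re-indents the `- EventID: 14 # key rename` line directly above it but leaves the typo in place. The comment and the `TargetObject` line a few lines up both spell the hive path `CurrentControlSet`, so the rename branch should use the same: `NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'`.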
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index 604cc1eb9..f7cfcd8e2 100644
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.persistence
 - attack.t1103
+ - attack.t1546.010
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
 modified: 2019/11/13
@@ -15,16 +16,16 @@ logsource:
 service: sysmon
 detection:
 selection:
- - EventID:
+ - EventID:
 - 12 # key create
 - 13 # value set
 TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - EventID: 14 # key rename
+ - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - EventID: 14 # key rename
 NewName:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
 condition: selection
 fields:
 - EventID
diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
index 70a4246e7..f5632f4dc 100644
--- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
@@ -1,7 +1,6 @@
 title: Password Dumper Remote Thread in LSASS
 id: f239b326-2f41-4d6b-9dfa-c846a60ef505
-description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process
- in field Process is the malicious program. A single execution can lead to hundreds of events.
+description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
 status: stable
@@ -14,12 +13,13 @@ detection:
 selection:
 EventID: 8
 TargetImage: 'C:\Windows\System32\lsass.exe'
- StartModule: null
+ StartModule:
 condition: selection
 tags:
 - attack.credential_access
 - attack.t1003
 - attack.s0005
+ - attack.t1003.001
 falsepositives:
 - unknown
 level: high
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
index 9845263a0..6070a6738 100644
--- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
+++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
@@ -1,8 +1,7 @@
 title: Possible DNS Rebinding
 id: eb07e747-2552-44cd-af36-b659ae0958e4
 status: experimental
-description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record
- will saved in host cache for a while TTL).
+description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
 date: 2019/10/25
 modified: 2019/11/13
 author: Ilyas Ochkov, oscd.community
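Review bot: Replacing `StartModule: null` with a bare `StartModule:` in the selection of sysmon_password_dumper_lsass.yml reads like an accidentally truncated value rather than a deliberate null match. Both forms load as YAML null, so the Sigma semantics (the field must be empty or absent) are presumably unchanged, but the bare form is what yamllint's empty-values rule flags and it loses the documentation the explicit literal provided. Keep `StartModule: null`, optionally with an inline comment such as `# thread has no start module` so the next reader does not "fix" it by adding a value.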
@@ -11,6 +10,7 @@ references:
 tags:
 - attack.command_and_control
 - attack.t1043
+ - attack.t1571
 logsource:
 product: windows
 service: sysmon
@@ -18,9 +18,9 @@ detection:
 dns_answer:
 EventID: 22
 QueryName: '*'
- QueryStatus: '0'
+ QueryStatus: '0'
 filter_int_ip:
- QueryResults|startswith:
+ QueryResults|startswith:
 - '(::ffff:)?10.'
 - '(::ffff:)?192.168.'
 - '(::ffff:)?172.16.'
@@ -39,7 +39,7 @@ detection:
 - '(::ffff:)?172.29.'
 - '(::ffff:)?172.30.'
 - '(::ffff:)?172.31.'
- - '(::ffff:)?127.'
+ - '(::ffff:)?127.'
 timeframe: 30s
 condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
 level: medium
diff --git a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
index 6251dd07c..89ab52975 100644
--- a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
+++ b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.privilege_escalation
 - attack.t1058
+ - attack.t1574.011
 status: experimental
 author: Teymur Kheirkhabarov
 date: 2019/10/26
diff --git a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
index 124c8312b..9d93c4c0e 100644
--- a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
@@ -13,8 +13,9 @@ logsource:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 detection:
- selection:
+ selection:
 EventID: 7
 Description: 'system.management.automation'
 ImageLoaded|contains: 'system.management.automation'
diff --git a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
index d7a6df7a6..60028363e 100644
--- a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
@@ -7,6 +7,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 author: Markus Neis
 date: 2018/04/07
 logsource:
@@ -16,7 +17,7 @@ detection:
 selection:
 EventID: 11
 TargetFilename:
- - '*\Invoke-DllInjection.ps1'
+ - '*\Invoke-DllInjection.ps1'
 - '*\Invoke-WmiCommand.ps1'
 - '*\Get-GPPPassword.ps1'
 - '*\Get-Keystrokes.ps1'
@@ -115,4 +116,4 @@ detection:
 falsepositives:
 - Penetration Tests
 level: high
-
+
diff --git a/rules/windows/sysmon/sysmon_powershell_network_connection.yml b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
index 55f834625..0dd645877 100644
--- a/rules/windows/sysmon/sysmon_powershell_network_connection.yml
+++ b/rules/windows/sysmon/sysmon_powershell_network_connection.yml
@@ -1,8 +1,7 @@
 title: PowerShell Network Connections
 id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 status: experimental
-description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g.
- extend filters with company's ip range')
+description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')
 author: Florian Roth
 date: 2017/03/13
 references:
@@ -10,6 +9,7 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml b/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
index 5b712d9ce..135b66b99 100644
--- a/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/sysmon/sysmon_quarkspw_filedump.yml
@@ -7,8 +7,9 @@ references:
 author: Florian Roth
 date: 2018/02/10
 tags:
- - attack.credential_access
- - attack.t1003
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1003.002
 level: critical
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
index ee2e85eac..f7979bd6a 100644
--- a/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
+++ b/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml
@@ -11,6 +11,7 @@ tags:
 - attack.command_and_control
 - attack.t1076
 - car.2013-07-002
+ - attack.t1021
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
index e0131f927..e4087c051 100644
--- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
@@ -10,6 +10,7 @@ modified: 2019/11/07
 tags:
 - attack.persistence
 - attack.t1122
+ - attack.t1546.015
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml b/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml
index 6e8aae234..5d6a6e8e5 100644
--- a/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/sysmon/sysmon_registry_persistence_search_order.yml
@@ -9,6 +9,7 @@ date: 2020/04/14
 tags:
 - attack.persistence
 - attack.t1038
+ - attack.t1574.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml b/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml
index eec9375ae..22b7bc790 100644
--- a/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml
+++ b/rules/windows/sysmon/sysmon_registry_trust_record_modification.yml
@@ -11,6 +11,7 @@ modified: 2020/02/19
 tags:
 - attack.initial_access
 - attack.t1193
+ - attack.t1566.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
index 9722b7a7e..71c7903c3 100644
--- a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
+++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
@@ -9,6 +9,7 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1117
+ - attack.t1218.010
 author: Dmitriy Lifanov, oscd.community
 status: experimental
 date: 2019/10/25
@@ -19,8 +20,8 @@ logsource:
 detection:
 selection:
 EventID:
- - 3
- - 22
+ - 3
+ - 22
 Image|endswith: '\regsvr32.exe'
 condition: selection
 fields:
diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
index 805f7db56..b0695d7a0 100644
--- a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
+++ b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml
@@ -9,11 +9,12 @@ references:
 tags:
 - attack.execution
 - attack.t1086
+ - attack.t1059.001
 logsource:
 product: windows
 service: sysmon
 detection:
- selection:
+ selection:
 EventID: 3
 DestinationPort:
 - 5985
diff --git a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
index c02164f31..c7f6e7b9a 100644
--- a/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/sysmon/sysmon_rundll32_net_connections.yml
@@ -10,6 +10,7 @@ tags:
 - attack.t1085
 - attack.defense_evasion
 - attack.execution
+ - attack.t1218
 logsource:
 product: windows
 service: sysmon
@@ -19,7 +20,7 @@ detection:
 Image: '*\rundll32.exe'
 Initiated: 'true'
 filter:
- DestinationIp:
+ DestinationIp:
 - '10.*'
 - '192.168.*'
 - '172.16.*'
diff --git a/rules/windows/sysmon/sysmon_susp_desktop_ini.yml b/rules/windows/sysmon/sysmon_susp_desktop_ini.yml
index 606076a29..ec1df92c1 100644
--- a/rules/windows/sysmon/sysmon_susp_desktop_ini.yml
+++ b/rules/windows/sysmon/sysmon_susp_desktop_ini.yml
@@ -9,6 +9,7 @@ date: 2020/03/19
 tags:
 - attack.persistence
 - attack.t1023
+ - attack.t1547.009
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_download_run_key.yml b/rules/windows/sysmon/sysmon_susp_download_run_key.yml
index 5f1bad949..14f5d5ca0 100644
--- a/rules/windows/sysmon/sysmon_susp_download_run_key.yml
+++ b/rules/windows/sysmon/sysmon_susp_download_run_key.yml
@@ -9,13 +9,14 @@ date: 2019/10/01
 tags:
 - attack.persistence
 - attack.t1060
+ - attack.t1547.001
 logsource:
 product: windows
 service: sysmon
 detection:
 selection:
 EventID: 13
- Image:
+ Image:
 - '*\Downloads\\*'
 - '*\Temporary Internet Files\Content.Outlook\\*'
 - '*\Local Settings\Temporary Internet Files\\*'
@@ -23,4 +24,4 @@ detection:
 condition: selection
 falsepositives:
 - Software installers downloaded and used by users
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml
index 1bfec5e13..c353d7e93 100644
--- a/rules/windows/sysmon/sysmon_susp_driver_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml
@@ -6,6 +6,7 @@ date: 2017/02/12
 tags:
 - attack.persistence
 - attack.t1050
+ - attack.t1543.003
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_image_load.yml b/rules/windows/sysmon/sysmon_susp_image_load.yml
index 577f96108..11a696b09 100644
--- a/rules/windows/sysmon/sysmon_susp_image_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_image_load.yml
@@ -9,6 +9,7 @@ date: 2018/01/07
 tags:
 - attack.defense_evasion
 - attack.t1073
+ - attack.t1574.002
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml b/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
index 78cf4bf7c..44a1020dc 100644
--- a/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml
@@ -13,15 +13,16 @@ logsource:
 detection:
 selection:
 EventID:
- - 12
+ - 12
 - 13
- TargetObject:
+ TargetObject:
 - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
 - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
 condition: selection
 tags:
 - attack.execution
 - attack.t1177
+ - attack.t1547.008
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
index 47036525d..f3d5acd92 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -9,6 +9,7 @@ date: 2020/02/19
 tags:
 - attack.initial_access
 - attack.t1193
+ - attack.t1566.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
index bd58c23b1..e76e29d5f 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -9,6 +9,7 @@ date: 2020/02/19
 tags:
 - attack.initial_access
 - attack.t1193
+ - attack.t1566.001
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
index 354d7e8a4..670a55525 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml index e46824e6d..24afa4ca8 100644 --- a/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml @@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml index 77aaf3262..d55fe9947 100644 --- a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml +++ b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml @@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml index 58ec943cf..d989a010e 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml @@ -20,6 +20,8 @@ tags: - attack.execution - attack.t1085 - attack.t1086 + - attack.t1218.011 + - attack.t1059.001 falsepositives: - Unkown level: high diff --git a/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml index b73320b38..25ee0df76 100644 --- a/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml @@ -9,6 +9,7 @@ references: tags: - attack.t1089 - attack.defense_evasion + - attack.t1562.001 logsource: product: windows service: sysmon 
diff --git a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml index e57863951..0dc20e161 100644 --- a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml @@ -13,7 +13,7 @@ detection: selection: EventID: 13 TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' - Details: + Details: - 'C:\Windows\Temp\\*' - 'C:\ProgramData\\*' - '*\AppData\\*' @@ -26,6 +26,7 @@ tags: - attack.persistence - attack.t1060 - capec.270 + - attack.t1547.001 fields: - Image - ParentImage diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml index 43c5990a1..7798f5525 100644 --- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml @@ -8,6 +8,7 @@ author: Florian Roth, Markus Neis, Sander Wiebing tags: - attack.persistence - attack.t1060 + - attack.t1547.001 date: 2018/08/25 modified: 2020/05/24 logsource: @@ -16,7 +17,7 @@ logsource: detection: selection: EventID: 13 - TargetObject: + TargetObject: - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*' Details: diff --git a/rules/windows/sysmon/sysmon_susp_service_installed.yml b/rules/windows/sysmon/sysmon_susp_service_installed.yml index 39efbfaa4..c15a8c948 100644 --- a/rules/windows/sysmon/sysmon_susp_service_installed.yml +++ b/rules/windows/sysmon/sysmon_susp_service_installed.yml @@ -9,6 +9,7 @@ references: tags: - attack.t1089 - attack.defense_evasion + - attack.t1562.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml b/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml index c792c8c21..1006e8459 100644 --- a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml 
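Review bot: In sysmon_susp_reg_persist_explorer_run the new `attack.t1547.001` is appended after `capec.270`, which separates the sub-technique from its parent `attack.t1060` and splits the ATT&CK tags around the CAPEC entry. Move the added line so the list reads `- attack.t1060`, `- attack.t1547.001`, `- capec.270`, matching the adjacent placement used in sysmon_susp_run_key_img_folder in the same commit.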
+++ b/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml @@ -9,6 +9,7 @@ date: 2020/02/19 tags: - attack.initial_access - attack.t1193 + - attack.t1566.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml index b5f36b4e4..09cb9dfb4 100644 --- a/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml +++ b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml @@ -1,9 +1,7 @@ title: Load of dbghelp/dbgcore DLL from Suspicious Process id: 0e277796-5f23-4e49-a490-483131d4f6e1 status: experimental -description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump - API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and - transfer it over the network back to the attacker's machine. +description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. date: 2019/10/27 modified: 2020/05/23 author: Perez Diego (@darkquassar), oscd.community, Ecco @@ -14,6 +12,7 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.001 logsource: product: windows service: sysmon @@ -23,7 +22,7 @@ detection: ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' - Image|endswith: + Image|endswith: - '\msbuild.exe' - '\cmd.exe' - '\svchost.exe' 
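Review bot: The rewritten single-line description in sysmon_suspicious_dbghelp_dbgcore_load still carries the typo `tradecract` and the misspelled framework name `SilentTrynity`; since the commit already rewrites this line, correct them to `tradecraft` and `SILENTTRINITY` in the same change. The added `attack.t1003.001` (LSASS Memory) tag is consistent with the Lsass.exe dump example the description gives.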
diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml index 353034a74..3b1fd52bc 100644 --- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml @@ -10,6 +10,7 @@ modified: 2019/11/13 tags: - attack.lateral_movement - attack.t1208 + - attack.t1558.003 logsource: product: windows service: sysmon @@ -24,7 +25,7 @@ detection: - '\opera.exe' - '\chrome.exe' - '\firefox.exe' - condition: selection and not filter + condition: selection and not filter falsepositives: - Other browsers level: high diff --git a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml index f06a1e208..1773855c8 100644 --- a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml @@ -1,9 +1,7 @@ title: Svchost DLL Search Order Hijack id: 602a1f13-c640-4d73-b053-be9a2fa58b77 status: experimental -description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their - malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a - remote machine. +description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. references: - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 author: SBousseaden 
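Review bot: In sysmon_suspicious_outbound_kerberos_connection the added `attack.t1558.003` (Kerberoasting) is a Credential Access sub-technique, yet the hunk keeps `attack.lateral_movement` as the sole tactic tag, so the rule now asserts a technique under a tactic it is not classified in. Add `- attack.credential_access` alongside the new sub-technique; whether `attack.lateral_movement` should remain depends on the detection intent, which this hunk does not show.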
@@ -14,6 +12,8 @@ tags: - attack.t1073 - attack.t1038 - attack.t1112 + - attack.t1574.002 + - attack.t1574.001 logsource: product: windows service: sysmon @@ -28,7 +28,7 @@ detection: - '*\wlbsctrl.dll' filter: ImageLoaded: - - 'C:\Windows\WinSxS\\*' + - 'C:\Windows\WinSxS\\*' condition: selection and not filter falsepositives: - Pentest diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index c91f0abdb..ded431bf6 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -28,6 +28,7 @@ tags: - attack.privilege_escalation - attack.t1088 - car.2019-04-001 + - attack.t1548.002 falsepositives: - unknown level: critical diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml index 042c1477e..2e8f8c363 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml @@ -20,6 +20,7 @@ tags: - attack.privilege_escalation - attack.t1088 - car.2019-04-001 + - attack.t1548.002 falsepositives: - unknown level: high diff --git a/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml b/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml index c88a6d4cf..cba4a5e0d 100644 --- a/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml +++ b/rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml @@ -9,6 +9,7 @@ references: tags: - attack.credential_access - attack.t1003 + - attack.t1003.001 logsource: product: windows service: sysmon diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml index 7f94a4259..64a99889d 100644 --- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml +++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml 
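Review bot: The svchost_dll_search_order_hijack hunk adds both `attack.t1574.002` (DLL Side-Loading) and `attack.t1574.001` (DLL Search Order Hijacking), but the rule's own description, rewritten in the preceding hunk, covers services calling LoadLibrary on DLLs that do not exist in System32 by default, which is search-order hijacking rather than side-loading. The `t1574.002` entry appears to be a mechanical carry-over of the legacy `attack.t1073` tag; consider keeping only `- attack.t1574.001` so the sub-technique matches the described behaviour. The detection body that would confirm this sits outside the hunk.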
@@ -10,6 +10,7 @@ modified: 2020/05/18 tags: - attack.persistence - attack.t1100 + - attack.t1505.003 level: critical logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml index 06a18db8b..a2d5512cf 100644 --- a/rules/windows/sysmon/sysmon_win_reg_persistence.yml +++ b/rules/windows/sysmon/sysmon_win_reg_persistence.yml @@ -23,6 +23,7 @@ tags: - attack.defense_evasion - attack.t1183 - car.2013-01-002 + - attack.t1546.012 falsepositives: - unknown level: critical diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml index 34db9562c..6862faf3e 100644 --- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml +++ b/rules/windows/sysmon/sysmon_wmi_event_subscription.yml @@ -7,6 +7,7 @@ references: tags: - attack.t1084 - attack.persistence + - attack.t1546.003 author: Tom Ueltschi (@c_APT_ure) date: 2019/01/12 logsource: diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml index c87d2af65..52672a953 100644 --- a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml +++ b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml @@ -9,6 +9,7 @@ date: 2018/03/07 tags: - attack.t1084 - attack.persistence + - attack.t1546.003 logsource: product: windows service: sysmon @@ -18,6 +19,6 @@ detection: Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' ImageLoaded|endswith: '\wbemcons.dll' condition: selection -falsepositives: +falsepositives: - Unknown (data set is too small; further testing needed) level: high diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml b/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml index 907a28738..7095ec855 100644 
--- a/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml +++ b/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml @@ -9,6 +9,7 @@ date: 2018/03/07 tags: - attack.t1084 - attack.persistence + - attack.t1546.003 logsource: product: windows service: sysmon @@ -17,6 +18,6 @@ detection: EventID: 11 Image: 'C:\WINDOWS\system32\wbem\scrcons.exe' condition: selection -falsepositives: +falsepositives: - Unknown (data set is too small; further testing needed) level: high diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml index d6d059861..ad5c41329 100644 --- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml @@ -10,9 +10,10 @@ date: 2019/04/15 tags: - attack.t1086 - attack.execution + - attack.t1059.005 logsource: - product: windows - service: sysmon + product: windows + service: sysmon detection: selection: EventID: 20
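Review bot: In sysmon_wmi_susp_scripting the new `attack.t1059.005` (Visual Basic) is paired with the legacy `attack.t1086` (PowerShell), whose direct successor is T1059.001, so the old and new tags now point at different scripting techniques. If the rule targets VBScript/JScript event consumers, the stale `attack.t1086` should be replaced; if it targets PowerShell, the added line should be `- attack.t1059.001` instead. The selection body after `EventID: 20` lies outside this hunk, so I cannot tell which from the diff alone.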