Missing status in rules (#2284)

* add missing status
frack113
2021-11-19 22:32:26 +01:00
committed by GitHub
parent 0c61c444eb
commit 1cfca93354
144 changed files with 146 additions and 4 deletions
@@ -1,6 +1,7 @@
title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
description: Detects suspicious command sequence that JexBoss
status: experimental
author: Florian Roth
date: 2017/08/24
references:
@@ -1,6 +1,7 @@
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
description: Detects installed new certificate
status: experimental
author: Ömer Günal, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
@@ -1,6 +1,7 @@
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
status: experimental
author: Florian Roth
date: 2017/04/15
references:
@@ -1,6 +1,7 @@
title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
status: experimental
author: '@neu5ron, SOC Prime'
date: 2020/03/19
references:
@@ -1,6 +1,7 @@
title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
status: experimental
author: '@neu5ron, SOC Prime'
date: 2020/03/19
references:
@@ -5,6 +5,7 @@ description: |
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
status: experimental
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021/08/17
references:
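Review bot: the description context line `View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include ...` has a dangling "to." and a doubled "from from"; this is outside the scope of adding `status`, but since the file is being touched, a follow-up fix of those two words would be cheap.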
@@ -1,6 +1,7 @@
title: SMB Spoolss Name Piped Usage
id: bae2865c-5565-470d-b505-9496c87d0c30
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
status: experimental
author: OTR (Open Threat Research), @neu5ron
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
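Review bot: the context line `title: SMB Spoolss Name Piped Usage` looks like a typo for "Named Pipe", given the description talks about "the spoolss named pipe over SMB". Not introduced by this commit, but worth a one-word title fix in the same pass.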
@@ -1,6 +1,7 @@
title: Default Cobalt Strike Certificate
id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
status: experimental
author: Bhabesh Raj
date: 2021/06/23
modified: 2021/08/24
@@ -1,6 +1,7 @@
title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
status: experimental
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
date: 2021/08/19
@@ -1,6 +1,7 @@
title: Suspicious DNS Z Flag Bit Set
id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
status: experimental
date: 2021/05/04
modified: 2021/05/24
references:
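Review bot: the description context line carries text that does not belong to a DNS rule: `Determine if multiple of these files were accessed in a short period of time ...` reads as copied from a file-access rule, and "meant to be used reserved (unused)" is garbled. Out of scope for the `status` addition, but flag it for a follow-up so the rule's intent ("Z bit set to anything other than 0 should be rare") is the only thing the description says.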
@@ -1,6 +1,7 @@
title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
status: experimental
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
date: 2021/08/15
@@ -1,6 +1,7 @@
title: Remote Task Creation via ATSVC Named Pipe - Zeek
id: dde85b37-40cd-4a94-b00c-0b8794f956b5
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
status: experimental
author: 'Samir Bousseaden, @neu5rn'
date: 2020/04/03
references:
@@ -1,6 +1,7 @@
title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
status: experimental
author: 'Samir Bousseaden, @neu5ron'
date: 2020/03/19
references:
@@ -1,6 +1,7 @@
title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
status: experimental
author: 'Samir Bousseaden, @neu5ron'
date: 2020/04/02
references:
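Review bot: `namped pipes` in the description context line is a typo for "named pipes"; the same wording appears in the non-Zeek variant of this rule (id 52d8b0c6-53d6-439a-9e41-52ad442ad9ad) later in this diff. Minor, but both could be fixed together.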
@@ -1,6 +1,7 @@
title: Suspicious PsExec Execution - Zeek
id: f1b3a22a-45e6-4004-afb5-4291f9c21166
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
status: experimental
author: 'Samir Bousseaden, @neu5ron'
date: 2020/04/02
references:
@@ -1,6 +1,7 @@
title: Suspicious Access to Sensitive File Extensions - Zeek
id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
description: Detects known sensitive file extensions via Zeek
status: experimental
author: 'Samir Bousseaden, @neu5ron'
date: 2020/04/02
references:
@@ -1,6 +1,7 @@
title: Apache Segmentation Fault
id: 1da8ce0b-855d-4004-8860-7d64d42063b1
description: Detects a segmentation fault error message caused by a creashing apache worker process
status: experimental
author: Florian Roth
date: 2017/02/28
modified: 2020/09/03
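Review bot: `creashing apache worker process` in the description context line is a typo for "crashing". Not part of this change; noting for a follow-up.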
@@ -1,5 +1,6 @@
title: Fortinet CVE-2018-13379 Exploitation
description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
status: experimental
id: a2e97350-4285-43f2-a63f-d0daff291738
references:
- https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
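Review bot: in this file `status` lands between `description` and `id` (hunk header `-1,5 +1,6`, with `id:` on the line after `status:`), whereas every other hunk in this commit places `id` directly under `title` and `status` after `description`. Consider moving `id` up under `title` here so key order is uniform across the rule set; it makes diffs like this one easier to review.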
@@ -1,6 +1,7 @@
title: Nginx Core Dump
id: 59ec40bb-322e-40ab-808d-84fa690d7e56
description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
status: experimental
author: Florian Roth
date: 2021/05/31
references:
@@ -1,6 +1,7 @@
title: Enabled User Right in AD to Control User Objects
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
status: experimental
tags:
- attack.persistence
- attack.t1098
@@ -1,6 +1,7 @@
title: Active Directory User Backdoors
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
description: Detects scenarios where one can control another users or computers account without having to use their credentials.
status: experimental
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
@@ -1,6 +1,7 @@
title: Weak Encryption Enabled and Kerberoast
id: f6de9536-0441-4b3f-a646-f4e00f300ffd
description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
status: experimental
references:
- https://adsecurity.org/?p=2053
- https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
@@ -1,6 +1,7 @@
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
status: experimental
author: Florian Roth
date: 2017/01/10
modified: 2021/08/26
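Review bot: `experimental` is a questionable value for a rule dated 2017/01/10 with a 2021/08/26 modification; Sigma's `status` field also offers `test` and `stable`, and a rule that has been in the repository for four years and is still maintained fits one of those better. The same applies to the other 2017-era rules in this commit (Credential Dumping Tools Service Execution, Suspicious Driver Load from Temp, Kerberos Manipulation, Interactive Logon to Server Systems). If the intent is only to make the field present now and triage the values later, say so in the commit message.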
@@ -1,6 +1,7 @@
title: Hacktool Ruler
id: 24549159-ac1b-479c-8175-d42aea947cae
description: This events that are generated when using the hacktool Ruler by Sensepost
status: experimental
author: Florian Roth
date: 2017/05/31
modified: 2021/08/09
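Review bot: the description context line `This events that are generated when using the hacktool Ruler by Sensepost` is missing its verb; presumably "This rule detects events that are generated ...". Outside this commit's scope, noting for follow-up.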
@@ -1,6 +1,7 @@
title: Turla Service Install
id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
status: experimental
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
tags:
@@ -4,6 +4,7 @@ related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
status: experimental
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
@@ -1,6 +1,7 @@
title: Chafer Activity
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
status: experimental
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
@@ -4,6 +4,7 @@ related:
- id: 958d81aa-8566-4cea-a565-59ccd4df27b0
type: derived
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
status: experimental
author: Florian Roth, Bartlomiej Czyz (@bczyz1)
date: 2019/03/04
modified: 2021/09/19
@@ -1,6 +1,7 @@
title: StoneDrill Service Install
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
status: experimental
author: Florian Roth
date: 2017/03/07
references:
@@ -1,6 +1,7 @@
title: Turla PNG Dropper Service
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
status: experimental
references:
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
author: Florian Roth
@@ -1,6 +1,7 @@
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
status: experimental
author: Sreeman
date: 2020/03/13
modified: 2021/08/09
@@ -1,6 +1,7 @@
title: Remote Task Creation via ATSVC Named Pipe
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
status: experimental
author: Samir Bousseaden
date: 2019/04/03
references:
@@ -1,6 +1,7 @@
title: Relevant Anti-Virus Event
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
status: experimental
author: Florian Roth
date: 2017/02/19
modified: 2021/07/28
@@ -1,6 +1,7 @@
title: CobaltStrike Service Installations
id: 5a105d34-05fc-401e-8553-272b45c1522d
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
status: experimental
author: Florian Roth, Wojciech Lesicki
references:
- https://www.sans.org/webcasts/119395
@@ -1,6 +1,7 @@
title: Disabling Windows Event Auditing
id: 69aeb277-f15f-4d2d-b32a-55e883609563
description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
status: experimental
references:
- https://bit.ly/WinLogsZero2Hero
tags:
@@ -1,5 +1,6 @@
title: Enumeration via the Global Catalog
description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.
status: experimental
author: Chakib Gzenayi (@Chak092), Hosni Mribah
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
date: 2020/05/11
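Review bot: as with the Fortinet rule above, `id` sits after `status` and `author` in this file (`-1,5 +1,6`), while the rest of the commit keeps `id` second. Moving `id` up under `title` would keep the key order consistent.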
@@ -1,6 +1,7 @@
title: Persistence and Execution at Scale via GPO Scheduled Task
id: a8f29a7b-b137-4446-80a0-b804272f3da2
description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
status: experimental
author: Samir Bousseaden
date: 2019/04/03
references:
@@ -1,6 +1,7 @@
title: smbexec.py Service Installation
id: 52a85084-6989-40c3-8f32-091e12e13f09
description: Detects the use of smbexec.py tool by detecting a specific service installation
status: experimental
author: Omer Faruk Celik
date: 2018/03/20
modified: 2020/08/23
@@ -1,6 +1,7 @@
title: Impacket PsExec Execution
id: 32d56ea1-417f-44ff-822b-882873f5f43b
description: Detects execution of Impacket's psexec.py.
status: experimental
author: Bhabesh Raj
date: 2020/12/14
references:
@@ -1,6 +1,7 @@
title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
description: Detect AD credential dumping using impacket secretdump HKTL
status: experimental
author: Samir Bousseaden, wagga
date: 2019/04/03
modified: 2021/06/27
@@ -1,6 +1,7 @@
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
status: experimental
author: Samir Bousseaden
date: 2019/04/03
references:
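Review bot: `namped pipes` in the description context line is a typo for "named pipes", shared with the Zeek variant of this rule earlier in the diff. Minor, could be fixed alongside the `status` addition.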
@@ -1,6 +1,7 @@
title: Credential Dumping Tools Service Execution
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
description: Detects well-known credential dumping tools execution via service execution events
status: experimental
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
modified: 2021/09/21
@@ -1,5 +1,6 @@
title: Metasploit SMB Authentication
description: Alerts on Metasploit host's authentications on the domain.
status: experimental
id: 72124974-a68b-4366-b990-d30e0b2a190d
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/06
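Review bot: third file in this commit where `id` comes after `status` (`-1,5 +1,6`, `id:` on the line below `status:`). Same suggestion as for the Fortinet and Global Catalog rules: put `id` directly under `title` so the order matches the other rules.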
@@ -1,6 +1,7 @@
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
status: experimental
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2021/09/21
@@ -1,6 +1,7 @@
title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
status: experimental
author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
date: 2020/03/04
modified: 2020/08/23
@@ -4,6 +4,7 @@ related:
- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
type: derived
description: Detects NetNTLM downgrade attack
status: experimental
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth, wagga
@@ -1,6 +1,7 @@
title: NTFS Vulnerability Exploitation
id: f14719ce-d3ab-4e25-9ce6-2899092260b0
description: This the exploitation of a NTFS vulnerability as reported without many details via Twitter
status: experimental
author: Florian Roth
date: 2021/01/11
modified: 2021/11/17
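Review bot: the description context line `This the exploitation of a NTFS vulnerability ...` is missing a verb ("This detects the exploitation ..." or "Detects the exploitation ..."). Not introduced here, but worth fixing while the file is open.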
@@ -1,6 +1,7 @@
title: Possible PetitPotam Coerce Authentication Attempt
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
description: Detect PetitPotam coerced authentication activity.
status: experimental
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
references:
@@ -7,6 +7,7 @@ description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a
like Rubeus. This request will generate a 4768 event with some unusual fields depending
on the environment. This analytic will require tuning, we recommend filtering Account_Name
to the Domain Controller computer accounts.
status: experimental
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
modified: 2021/09/07
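Review bot: `attacer` in the hunk header context (`Once an attacer obtains a ...`) is a typo for "attacker" in the multi-line description. Out of scope for this change; noting for follow-up.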
@@ -1,6 +1,7 @@
title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
id: 8400629e-79a9-4737-b387-5db940ab2367
description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
status: experimental
references:
- https://twitter.com/AdamTheAnalyst/status/1134394070045003776
- https://github.com/zerosum0x0/CVE-2019-0708
@@ -4,6 +4,7 @@ related:
- id: 5a105d34-05fc-401e-8553-272b45c1522d
type: derived
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
status: experimental
author: Florian Roth, Wojciech Lesicki
references:
- https://www.sans.org/webcasts/119395
@@ -4,6 +4,7 @@ related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
description: Detects well-known credential dumping tools execution via service execution events
status: experimental
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
modified: 2021/09/21
@@ -4,6 +4,7 @@ related:
- id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
type: derived
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
status: experimental
author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
date: 2017/03/27
modified: 2021/09/21
@@ -4,6 +4,7 @@ related:
- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
type: derived
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
status: experimental
author: Bartlomiej Czyz, Relativity
date: 2021/01/21
modified: 2021/07/23
@@ -4,6 +4,7 @@ related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
status: experimental
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2021/09/21
@@ -4,6 +4,7 @@ related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
type: obsoletes
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
status: experimental
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
@@ -2,6 +2,7 @@ title: Account Tampering - Suspicious Failed Logon Reasons
id: 9eb99343-d336-4020-a3cd-67f3819e68ee
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow
restricted.
status: experimental
author: Florian Roth
date: 2017/02/19
modified: 2021/10/29
@@ -1,6 +1,7 @@
title: Failed Logon From Public IP
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
description: A login from a public IP can indicate a misconfigured firewall or network boundary.
status: experimental
author: NVISO
date: 2020/05/06
tags:
@@ -1,6 +1,7 @@
title: Multiple Users Attempting To Authenticate Using Explicit Credentials
id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
status: experimental
author: Mauricio Velazco
date: 2021/06/01
modified: 2021/08/09
@@ -1,6 +1,7 @@
title: Multiple Users Failing to Authenticate from Single Process
id: fe563ab6-ded4-4916-b49f-a3a8445fe280
description: Detects failed logins with multiple accounts from a single process on the system.
status: experimental
author: Mauricio Velazco
date: 2021/06/01
modified: 2021/07/07
@@ -1,6 +1,7 @@
title: Failed Logins with Different Accounts from Single Source System
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
description: Detects suspicious failed logins with different user accounts from a single source system
status: experimental
author: Florian Roth
date: 2017/01/10
modified: 2021/09/21
@@ -4,6 +4,7 @@ related:
- id: e98374a6-e2d9-4076-9b5c-11bdb2569995
type: derived
description: Detects suspicious failed logins with different user accounts from a single source system
status: experimental
author: Florian Roth
date: 2017/01/10
modified: 2021/09/21
@@ -1,6 +1,7 @@
title: Valid Users Failing to Authenticate From Single Source Using Kerberos
id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
status: experimental
author: Mauricio Velazco, frack113
date: 2021/06/01
modified: 2021/07/06
@@ -1,6 +1,7 @@
title: Disabled Users Failing To Authenticate From Source Using Kerberos
id: 4b6fe998-b69c-46d8-901b-13677c9fb663
description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
status: experimental
author: Mauricio Velazco, frack113
date: 2021/06/01
modified: 2021/07/06
@@ -1,6 +1,7 @@
title: Invalid Users Failing To Authenticate From Source Using Kerberos
id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
status: experimental
author: Mauricio Velazco, frack113
date: 2021/06/01
modified: 2021/07/06
@@ -1,6 +1,7 @@
title: Valid Users Failing to Authenticate from Single Source Using NTLM
id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
status: experimental
author: Mauricio Velazco
date: 2021/06/01
modified: 2021/07/07
@@ -1,6 +1,7 @@
title: Invalid Users Failing To Authenticate From Single Source Using NTLM
id: 56d62ef8-3462-4890-9859-7b41e541f8d5
description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
status: experimental
author: Mauricio Velazco
date: 2021/06/01
modified: 2021/07/07
@@ -1,6 +1,7 @@
title: Multiple Users Remotely Failing To Authenticate From Single Source
id: add2ef8d-dc91-4002-9e7e-f2702369f53a
description: Detects a source system failing to authenticate against a remote host with multiple users.
status: experimental
author: Mauricio Velazco
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
@@ -1,6 +1,7 @@
title: Interactive Logon to Server Systems
id: 3ff152b2-1388-4984-9cd9-a323323fdadf
description: Detects interactive console logons to Server Systems
status: experimental
author: Florian Roth
date: 2017/03/17
tags:
@@ -1,6 +1,7 @@
title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
status: experimental
author: Florian Roth
date: 2017/02/10
tags:
@@ -1,7 +1,7 @@
title: Suspicious Multiple File Rename Or Delete Occurred
id: 97919310-06a7-482c-9639-92b67ed63cf8
status: experimental
description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
status: experimental
tags:
- attack.impact
- attack.t1486
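Review bot: the hunk header `-1,7 +1,7` shows no net line change, and `status: experimental` appears twice in the rendered hunk (once after `id`, once after `description`), so this is a move or replacement rather than an addition. Confirm that the resulting file contains exactly one `status` key: a duplicated top-level key is rejected by strict YAML loaders and silently last-wins in others, which is hard to spot in a rule set this size.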
@@ -1,6 +1,7 @@
title: ProcessHacker Privilege Elevation
id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
description: Detects a ProcessHacker tool that elevated privileges to a very high level
status: experimental
references:
- https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth
@@ -1,6 +1,7 @@
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
status: experimental
author: Samir Bousseaden
date: 2019/04/03
references:
@@ -1,6 +1,7 @@
title: Suspicious Access to Sensitive File Extensions
id: 91c945bc-2ad1-4799-a591-4d00198a1215
description: Detects known sensitive file extensions accessed on a network share
status: experimental
author: Samir Bousseaden
date: 2019/04/03
modified: 2021/08/09
@@ -2,6 +2,7 @@ title: Possible Remote Password Change Through SAMR
id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951
description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced
Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
status: experimental
author: Dimitrios Slamaris
date: 2017/06/09
tags:
@@ -1,6 +1,7 @@
title: Remote Service Activity via SVCCTL Named Pipe
id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
description: Detects remote service activity via remote access to the svcctl named pipe
status: experimental
author: Samir Bousseaden
date: 2019/04/03
references:
@@ -6,6 +6,7 @@ related:
- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
type: derived
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
status: experimental
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
@@ -1,6 +1,7 @@
title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
status: experimental
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
references:
@@ -30,4 +31,3 @@ detection:
falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
status: experimental
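Review bot: the hunk header `-30,4 +31,3` shows this `status: experimental` being removed from the end of the file (after `level: medium`) while the previous hunk of the same file (`-1,6 +1,7`) adds it after `description`, so the net effect is a move, not an addition. Fine as-is; just check that no other rule in the set still carries a trailing `status` that is now duplicated by a top-of-file insertion from this commit.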
@@ -4,6 +4,7 @@ related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
description: Detects well-known credential dumping tools execution via service execution events
status: experimental
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
modified: 2021/11/10
@@ -4,6 +4,7 @@ related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
status: experimental
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2021/09/21
@@ -1,6 +1,7 @@
title: Suspicious Driver Load from Temp
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
description: Detects a driver load from a temporary directory
status: experimental
author: Florian Roth
date: 2017/02/12
modified: 2020/08/23
@@ -1,6 +1,7 @@
title: Vulnerable Dell BIOS Update Driver Load
id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
status: experimental
author: Florian Roth
date: 2021/05/05
references:
@@ -4,6 +4,7 @@ related:
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
type: obsoletes
description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
status: experimental
author: Florian Roth
references:
- https://www.google.com/search?q=procdump+lsass
@@ -1,6 +1,7 @@
title: RedMimicry Winnti Playbook Dropped File
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
description: Detects actions caused by the RedMimicry Winnti playbook
status: experimental
references:
- https://redmimicry.com
author: Alexander Rausch
@@ -1,7 +1,7 @@
title: Suspicious Word Cab File Write CVE-2021-40444
id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
status: experimental
description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
status: experimental
references:
- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
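Review bot: same pattern as the file-rename rule earlier in the diff: `-1,7 +1,7` with `status: experimental` shown both after `id` and after `description`, so one line is removed and one added. Please confirm the file ends up with a single `status` key and that the placement (after `description`) matches the rest of this commit.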
@@ -1,6 +1,7 @@
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
status: experimental
date: 2018/09/09
modified: 2019/01/16
author: Florian Roth
@@ -1,6 +1,7 @@
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
status: experimental
date: 2021/08/16
author: Florian Roth
references:
@@ -1,6 +1,7 @@
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
description: Detects a highly relevant Antivirus alert that reports a password dumper
status: experimental
date: 2018/09/09
modified: 2019/10/04
author: Florian Roth
@@ -1,6 +1,7 @@
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
status: experimental
date: 2018/09/09
modified: 2021/05/09
author: Florian Roth, Arnim Rupp
@@ -1,6 +1,7 @@
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
status: experimental
date: 2018/09/09
modified: 2021/05/08
author: Florian Roth, Arnim Rupp
@@ -1,6 +1,7 @@
title: Windows Defender Exclusion Set
id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
status: experimental
references:
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
tags:
@@ -6,6 +6,7 @@ related:
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
status: experimental
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
@@ -1,6 +1,7 @@
title: Change PowerShell Policies to a Unsecure Level
id: 61d0475c-173f-4844-86f7-f3eebae1c66b
description: Detects use of Set-ExecutionPolicy to set a unsecure policies
status: experimental
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
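Review bot: the title and description context lines have article/number errors (`to a Unsecure Level`, `to set a unsecure policies`); "an insecure level" and "an insecure policy" would read correctly. Not part of this change, noting for follow-up.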
@@ -6,6 +6,7 @@ related:
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
status: experimental
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
@@ -1,6 +1,7 @@
title: SVCHOST Credential Dump
id: 174afcfa-6e40-4ae9-af64-496546389294
description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials
status: experimental
date: 2021/04/30
author: Florent Labouyrie
logsource:
@@ -1,6 +1,7 @@
title: Defrag Deactivation
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
status: experimental
author: Florian Roth, Bartlomiej Czyz (@bczyz1)
date: 2019/03/04
modified: 2021/09/19
@@ -5,6 +5,7 @@ related:
type: derived
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
screen
status: experimental
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
tags:
@@ -1,6 +1,7 @@
title: Windows Credential Editor
id: 7aa7009a-28b9-4344-8c1f-159489a390df
description: Detects the use of Windows Credential Editor (WCE)
status: experimental
author: Florian Roth
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
@@ -4,6 +4,7 @@ related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
status: experimental
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
@@ -1,6 +1,7 @@
title: APT29
id: 033fe7d6-66d1-4240-ac6b-28908009c71f
description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
status: experimental
references:
- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html

Some files were not shown because too many files have changed in this diff.