From 1cfca93354d25e458db40f8d48403602b46bbf03 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 19 Nov 2021 22:32:26 +0100
Subject: [PATCH] Missing status in rules (#2284)

* add missing status
---
 rules/linux/builtin/lnx_susp_jexboss.yml | 1 +
 rules/linux/process_creation/lnx_install_root_certificate.yml | 1 +
 rules/network/net_apt_equationgroup_c2.yml | 1 +
 rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml | 1 +
 rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml | 1 +
 .../zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml | 1 +
 rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml | 1 +
 rules/network/zeek/zeek_default_cobalt_strike_certificate.yml | 1 +
 rules/network/zeek/zeek_dns_mining_pools.yml | 1 +
 rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml | 1 +
 rules/network/zeek/zeek_dns_torproxy.yml | 1 +
 rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml | 1 +
 .../zeek/zeek_smb_converted_win_impacket_secretdump.yml | 1 +
 rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml | 1 +
 rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml | 1 +
 .../zeek_smb_converted_win_susp_raccess_sensitive_fext.yml | 1 +
 rules/web/web_apache_segfault.yml | 1 +
 .../web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml | 1 +
 rules/web/web_nginx_core_dump.yml | 1 +
 .../builtin/win_alert_active_directory_user_control.yml | 1 +
 rules/windows/builtin/win_alert_ad_user_backdoors.yml | 1 +
 rules/windows/builtin/win_alert_enable_weak_encryption.yml | 1 +
 rules/windows/builtin/win_alert_mimikatz_keywords.yml | 1 +
 rules/windows/builtin/win_alert_ruler.yml | 1 +
 rules/windows/builtin/win_apt_carbonpaper_turla.yml | 1 +
 rules/windows/builtin/win_apt_chafer_mar18_security.yml | 1 +
 rules/windows/builtin/win_apt_chafer_mar18_system.yml | 1 +
 rules/windows/builtin/win_apt_slingshot.yml | 1 +
 rules/windows/builtin/win_apt_stonedrill.yml | 1 +
 rules/windows/builtin/win_apt_turla_service_png.yml | 1 +
 .../win_arbitrary_shell_execution_via_settingcontent.yml | 1 +
 rules/windows/builtin/win_atsvc_task.yml | 1 +
 rules/windows/builtin/win_av_relevant_match.yml | 1 +
 rules/windows/builtin/win_cobaltstrike_service_installs.yml | 1 +
 rules/windows/builtin/win_disable_event_logging.yml | 1 +
 rules/windows/builtin/win_global_catalog_enumeration.yml | 1 +
 rules/windows/builtin/win_gpo_scheduledtasks.yml | 1 +
 rules/windows/builtin/win_hack_smbexec.yml | 1 +
 rules/windows/builtin/win_impacket_psexec.yml | 1 +
 rules/windows/builtin/win_impacket_secretdump.yml | 1 +
 rules/windows/builtin/win_lm_namedpipe.yml | 1 +
 rules/windows/builtin/win_mal_creddumper.yml | 1 +
 rules/windows/builtin/win_metasploit_authentication.yml | 1 +
 ...rpreter_or_cobaltstrike_getsystem_service_installation.yml | 1 +
 rules/windows/builtin/win_mmc20_lateral_movement.yml | 1 +
 rules/windows/builtin/win_net_ntlm_downgrade.yml | 1 +
 rules/windows/builtin/win_ntfs_vuln_exploit.yml | 1 +
 rules/windows/builtin/win_petitpotam_network_share.yml | 1 +
 rules/windows/builtin/win_petitpotam_susp_tgt_request.yml | 1 +
 rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml | 1 +
 .../builtin/win_security_cobaltstrike_service_installs.yml | 1 +
 rules/windows/builtin/win_security_mal_creddumper.yml | 1 +
 rules/windows/builtin/win_security_mal_service_installs.yml | 1 +
 ...rity_metasploit_or_impacket_smb_psexec_service_install.yml | 1 +
 ..._meterpreter_or_cobaltstrike_getsystem_service_install.yml | 1 +
 rules/windows/builtin/win_susp_eventlog_cleared.yml | 1 +
 rules/windows/builtin/win_susp_failed_logon_reasons.yml | 1 +
 rules/windows/builtin/win_susp_failed_logon_source.yml | 1 +
 .../builtin/win_susp_failed_logons_explicit_credentials.yml | 1 +
 .../windows/builtin/win_susp_failed_logons_single_process.yml | 1 +
 .../windows/builtin/win_susp_failed_logons_single_source.yml | 1 +
 .../windows/builtin/win_susp_failed_logons_single_source2.yml | 1 +
 .../builtin/win_susp_failed_logons_single_source_kerberos.yml | 1 +
 .../win_susp_failed_logons_single_source_kerberos2.yml | 1 +
 .../win_susp_failed_logons_single_source_kerberos3.yml | 1 +
 .../builtin/win_susp_failed_logons_single_source_ntlm.yml | 1 +
 .../builtin/win_susp_failed_logons_single_source_ntlm2.yml | 1 +
 .../builtin/win_susp_failed_remote_logons_single_source.yml | 1 +
 rules/windows/builtin/win_susp_interactive_logons.yml | 1 +
 rules/windows/builtin/win_susp_kerberos_manipulation.yml | 1 +
 .../builtin/win_susp_multiple_files_renamed_or_deleted.yml | 2 +-
 rules/windows/builtin/win_susp_proceshacker.yml | 1 +
 rules/windows/builtin/win_susp_psexec.yml | 1 +
 rules/windows/builtin/win_susp_raccess_sensitive_fext.yml | 1 +
 rules/windows/builtin/win_susp_samr_pwset.yml | 1 +
 rules/windows/builtin/win_svcctl_remote_service.yml | 1 +
 rules/windows/builtin/win_system_susp_eventlog_cleared.yml | 1 +
 ...sferring_files_with_credential_data_via_network_shares.yml | 2 +-
 rules/windows/driver_load/driver_load_mal_creddumper.yml | 1 +
 ...rpreter_or_cobaltstrike_getsystem_service_installation.yml | 1 +
 rules/windows/driver_load/driver_load_susp_temp_use.yml | 1 +
 rules/windows/driver_load/driver_load_vuln_dell_driver.yml | 1 +
 rules/windows/file_event/file_event_lsass_dump.yml | 1 +
 .../windows/file_event/sysmon_redmimicry_winnti_filedrop.yml | 1 +
 rules/windows/file_event/win_file_winword_cve_2021_40444.yml | 2 +-
 rules/windows/malware/av_exploiting.yml | 1 +
 rules/windows/malware/av_hacktool.yml | 1 +
 rules/windows/malware/av_password_dumper.yml | 1 +
 rules/windows/malware/av_relevant_files.yml | 1 +
 rules/windows/malware/av_webshell.yml | 1 +
 rules/windows/other/win_defender_bypass.yml | 1 +
 ...powershell_syncappvpublishingserver_exe_in_contextinfo.yml | 1 +
 .../powershell_set_policies_to_unsecure_level.yml | 1 +
 ...rshell_syncappvpublishingserver_exe_in_scriptblocktext.yml | 1 +
 rules/windows/process_access/sysmon_svchost_cred_dump.yml | 1 +
 .../process_creation/process_creation_apt_slingshot.yml | 1 +
 .../process_creation_stickykey_like_backdoor.yml | 1 +
 rules/windows/process_creation/sysmon_hack_wce.yml | 1 +
 ...tionn_apt_chafer_mar18.yml => wim_pc_apt_chafer_mar18.yml} | 1 +
 rules/windows/process_creation/win_apt_apt29_thinktanks.yml | 1 +
 .../windows/process_creation/win_apt_bear_activity_gtr19.yml | 1 +
 rules/windows/process_creation/win_apt_cloudhopper.yml | 1 +
 rules/windows/process_creation/win_apt_empiremonkey.yml | 1 +
 .../process_creation/win_apt_equationgroup_dll_u_load.yml | 1 +
 .../process_creation/win_apt_judgement_panda_gtr19.yml | 1 +
 rules/windows/process_creation/win_apt_ta17_293a_ps.yml | 1 +
 rules/windows/process_creation/win_apt_unc2452_ps.yml | 1 +
 rules/windows/process_creation/win_apt_zxshell.yml | 1 +
 rules/windows/process_creation/win_exploit_cve_2017_8759.yml | 1 +
 rules/windows/process_creation/win_hack_adcspwn.yml | 1 +
 rules/windows/process_creation/win_hack_bloodhound.yml | 1 +
 rules/windows/process_creation/win_hack_rubeus.yml | 1 +
 rules/windows/process_creation/win_hack_secutyxploded.yml | 1 +
 .../process_creation/win_hiding_malware_in_fonts_folder.yml | 1 +
 rules/windows/process_creation/win_hktl_createminidump.yml | 1 +
 ...in_meterpreter_or_cobaltstrike_getsystem_service_start.yml | 1 +
 .../win_pc_set_policies_to_unsecure_level.yml | 1 +
 .../process_creation/win_pc_susp_schtasks_user_temp.yml | 1 +
 rules/windows/process_creation/win_psexesvc_start.yml | 1 +
 rules/windows/process_creation/win_redmimicry_winnti_proc.yml | 1 +
 rules/windows/process_creation/win_sus_auditpol_usage.yml | 1 +
 .../process_creation/win_susp_control_cve_2021_40444.yml | 4 +++-
 rules/windows/process_creation/win_susp_double_extension.yml | 1 +
 rules/windows/process_creation/win_susp_eventlog_clear.yml | 1 +
 rules/windows/process_creation/win_susp_finger_usage.yml | 1 +
 rules/windows/process_creation/win_susp_fsutil_usage.yml | 1 +
 rules/windows/process_creation/win_susp_ping_hex_ip.yml | 1 +
 .../process_creation/win_susp_regedit_trustedinstaller.yml | 1 +
 .../process_creation/win_vul_java_remote_debugging.yml | 1 +
 rules/windows/process_creation/win_webshell_detection.yml | 1 +
 .../registry_event/registry_event_apt_chafer_mar18.yml | 1 +
 .../registry_event/registry_event_net_ntlm_downgrade.yml | 1 +
 .../registry_event/registry_event_stickykey_like_backdoor.yml | 1 +
 rules/windows/registry_event/sysmon_hack_wce_reg.yml | 1 +
 rules/windows/registry_event/sysmon_rdp_settings_hijack.yml | 1 +
 rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml | 1 +
 rules/windows/registry_event/sysmon_reg_silentprocessexit.yml | 1 +
 .../registry_event/sysmon_reg_silentprocessexit_lsass.yml | 1 +
 rules/windows/registry_event/sysmon_runkey_winekey.yml | 1 +
 rules/windows/registry_event/sysmon_susp_atbroker_change.yml | 1 +
 rules/windows/registry_event/sysmon_susp_mic_cam_access.yml | 1 +
 .../registry_event/sysmon_suspicious_keyboard_layout_load.yml | 1 +
 rules/windows/registry_event/sysmon_taskcache_entry.yml | 1 +
 rules/windows/registry_event/sysmon_win_reg_persistence.yml | 1 +
 144 files changed, 146 insertions(+), 4 deletions(-)
 rename rules/windows/process_creation/{process_creationn_apt_chafer_mar18.yml => wim_pc_apt_chafer_mar18.yml} (98%)
diff --git a/rules/linux/builtin/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml
index 599f6b062..b5234445d 100644
--- a/rules/linux/builtin/lnx_susp_jexboss.yml
+++ b/rules/linux/builtin/lnx_susp_jexboss.yml
@@ -1,6 +1,7 @@
 title: JexBoss Command Sequence
 id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
 description: Detects suspicious command sequence that JexBoss
+status: experimental
 author: Florian Roth
 date: 2017/08/24
 references:
diff --git a/rules/linux/process_creation/lnx_install_root_certificate.yml b/rules/linux/process_creation/lnx_install_root_certificate.yml
index b1a9f61ee..12af5d3d3 100644
--- a/rules/linux/process_creation/lnx_install_root_certificate.yml
+++ b/rules/linux/process_creation/lnx_install_root_certificate.yml
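Review bot: Every rule in this patch receives the same `status: experimental`, but several of the files touched have been in the repository for years and were revised since (this hunk's JexBoss rule carries `date: 2017/08/24`; the Mimikatz Use, Relevant Anti-Virus Event and Credential Dumping Tools Service Execution hunks further down show a 2017 `date:` with a 2021 `modified:`), so a blanket value probably understates their maturity. Sigma's status vocabulary also has `test` and `stable`; assigning the value per rule, for example `status: test` for the long-lived ones and `experimental` only for the 2021 additions, keeps the field meaningful for consumers that filter on it. Separately, the diffstat shows this commit renaming a file to `wim_pc_apt_chafer_mar18.yml`, which looks like a typo for the `win_pc_` prefix used by the sibling `win_pc_*` rules in the same directory; that hunk is outside this view.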
@@ -1,6 +1,7 @@
 title: Install Root Certificate
 id: 78a80655-a51e-4669-bc6b-e9d206a462ee
 description: Detects installed new certificate
+status: experimental
 author: Ömer Günal, oscd.community
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
diff --git a/rules/network/net_apt_equationgroup_c2.yml b/rules/network/net_apt_equationgroup_c2.yml
index c32e4df05..ebd6b6085 100755
--- a/rules/network/net_apt_equationgroup_c2.yml
+++ b/rules/network/net_apt_equationgroup_c2.yml
@@ -1,6 +1,7 @@
 title: Equation Group C2 Communication
 id: 881834a4-6659-4773-821e-1c151789d873
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
+status: experimental
 author: Florian Roth
 date: 2017/04/15
 references:
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index bc4acfcbf..0cba260b8 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -1,6 +1,7 @@
 title: MITRE BZAR Indicators for Execution
 id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
 description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
+status: experimental
 author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 references:
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index ed57aacac..0fd11985f 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -1,6 +1,7 @@
 title: MITRE BZAR Indicators for Persistence
 id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
 description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
+status: experimental
 author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 references:
diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
index 52cae5548..82bcef0f3 100644
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -5,6 +5,7 @@ description: |
 The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
+status: experimental
 author: '@neu5ron, @Antonlovesdnb, Mike Remen'
 date: 2021/08/17
 references:
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
index c4ee427d6..59b8daad8 100644
--- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -1,6 +1,7 @@
 title: SMB Spoolss Name Piped Usage
 id: bae2865c-5565-470d-b505-9496c87d0c30
 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
+status: experimental
 author: OTR (Open Threat Research), @neu5ron
 references:
 - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
index ed328eebf..c637031d1 100644
--- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
+++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -1,6 +1,7 @@
 title: Default Cobalt Strike Certificate
 id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
+status: experimental
 author: Bhabesh Raj
 date: 2021/06/23
 modified: 2021/08/24
diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 7ca14a4f7..ec347448f 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -1,6 +1,7 @@
 title: DNS Events Related To Mining Pools
 id: bf74135c-18e8-4a72-a926-0e4f47888c19
 description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
+status: experimental
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
 date: 2021/08/19
diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
index 0b20b2bce..06b8a5801 100644
--- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml
@@ -1,6 +1,7 @@
 title: Suspicious DNS Z Flag Bit Set
 id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
 description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
+status: experimental
 date: 2021/05/04
 modified: 2021/05/24
 references:
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index e073a15ec..7c6018e8d 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -1,6 +1,7 @@
 title: DNS TOR Proxies
 id: a8322756-015c-42e7-afb1-436e85ed3ff5
 description: Identifies IPs performing DNS lookups associated with common Tor proxies.
+status: experimental
 references:
 - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
 date: 2021/08/15
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 3c7d4a6ca..cd6236b45 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -1,6 +1,7 @@
 title: Remote Task Creation via ATSVC Named Pipe - Zeek
 id: dde85b37-40cd-4a94-b00c-0b8794f956b5
 description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
+status: experimental
 author: 'Samir Bousseaden, @neu5rn'
 date: 2020/04/03
 references:
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index 44d812ee7..ad1cf11d4 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
@@ -1,6 +1,7 @@
 title: Possible Impacket SecretDump Remote Activity - Zeek
 id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
 description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
+status: experimental
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/03/19
 references:
diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
index fa4a6fbd2..59ab04cef 100644
--- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
@@ -1,6 +1,7 @@
 title: First Time Seen Remote Named Pipe - Zeek
 id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
 description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
+status: experimental
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/04/02
 references:
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index 34da2addf..cfa97b269 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -1,6 +1,7 @@
 title: Suspicious PsExec Execution - Zeek
 id: f1b3a22a-45e6-4004-afb5-4291f9c21166
 description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
+status: experimental
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/04/02
 references:
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index 5604b7171..f75bbce68 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -1,6 +1,7 @@
 title: Suspicious Access to Sensitive File Extensions - Zeek
 id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
 description: Detects known sensitive file extensions via Zeek
+status: experimental
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/04/02
 references:
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index f0584e1a2..0bad3e2ec 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -1,6 +1,7 @@
 title: Apache Segmentation Fault
 id: 1da8ce0b-855d-4004-8860-7d64d42063b1
 description: Detects a segmentation fault error message caused by a creashing apache worker process
+status: experimental
 author: Florian Roth
 date: 2017/02/28
 modified: 2020/09/03
diff --git a/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml b/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
index 0e2c02518..9e46daa39 100644
--- a/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
+++ b/rules/web/web_fortinet_cve_2018_13379_preauth_read_exploit.yml
@@ -1,5 +1,6 @@
 title: Fortinet CVE-2018-13379 Exploitation
 description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
+status: experimental
 id: a2e97350-4285-43f2-a63f-d0daff291738
 references:
 - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
diff --git a/rules/web/web_nginx_core_dump.yml b/rules/web/web_nginx_core_dump.yml
index ffc11bdf1..90dbfc960 100644
--- a/rules/web/web_nginx_core_dump.yml
+++ b/rules/web/web_nginx_core_dump.yml
@@ -1,6 +1,7 @@
 title: Nginx Core Dump
 id: 59ec40bb-322e-40ab-808d-84fa690d7e56
 description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
+status: experimental
 author: Florian Roth
 date: 2021/05/31
 references:
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 8094f413c..3aac7b53b 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -1,6 +1,7 @@
 title: Enabled User Right in AD to Control User Objects
 id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
+status: experimental
 tags:
 - attack.persistence
 - attack.t1098
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index ae751a6f8..a5b473bfb 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
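Review bot: The position of the added `status:` line is inconsistent across the patch: in this Fortinet hunk it lands between `description:` and `id:` because the file lists `description` before `id`, the same happens in the Enumeration via the Global Catalog and Metasploit SMB Authentication hunks further down, while every other hunk places it directly after `description:`. The Sigma specification orders the header fields `title`, `id`, `related`, `status`, `description`, so one rule of "insert directly after `id:`, or after `related:` when present" would match the spec and keep future bulk edits predictable; for this file that gives `title:` / `id:` / `status:` / `description:`. Files that already list `id` late would need that line moved up too, which is a larger edit than this commit intends and may be better done as a follow-up.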
@@ -1,6 +1,7 @@
 title: Active Directory User Backdoors
 id: 300bac00-e041-4ee2-9c36-e262656a6ecc
 description: Detects scenarios where one can control another users or computers account without having to use their credentials.
+status: experimental
 references:
 - https://msdn.microsoft.com/en-us/library/cc220234.aspx
 - https://adsecurity.org/?p=3466
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index b1728cb41..4ec2fce0f 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -1,6 +1,7 @@
 title: Weak Encryption Enabled and Kerberoast
 id: f6de9536-0441-4b3f-a646-f4e00f300ffd
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
+status: experimental
 references:
 - https://adsecurity.org/?p=2053
 - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 522a9f0a8..8e23f86f3 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -1,6 +1,7 @@
 title: Mimikatz Use
 id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
+status: experimental
 author: Florian Roth
 date: 2017/01/10
 modified: 2021/08/26
diff --git a/rules/windows/builtin/win_alert_ruler.yml b/rules/windows/builtin/win_alert_ruler.yml
index 4702434c2..071c57705 100644
--- a/rules/windows/builtin/win_alert_ruler.yml
+++ b/rules/windows/builtin/win_alert_ruler.yml
@@ -1,6 +1,7 @@
 title: Hacktool Ruler
 id: 24549159-ac1b-479c-8175-d42aea947cae
 description: This events that are generated when using the hacktool Ruler by Sensepost
+status: experimental
 author: Florian Roth
 date: 2017/05/31
 modified: 2021/08/09
diff --git a/rules/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/win_apt_carbonpaper_turla.yml
index b82692a58..3817449da 100755
--- a/rules/windows/builtin/win_apt_carbonpaper_turla.yml
+++ b/rules/windows/builtin/win_apt_carbonpaper_turla.yml
@@ -1,6 +1,7 @@
 title: Turla Service Install
 id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
 description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
+status: experimental
 references:
 - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 tags:
diff --git a/rules/windows/builtin/win_apt_chafer_mar18_security.yml b/rules/windows/builtin/win_apt_chafer_mar18_security.yml
index 370db0c54..b1b621bcf 100644
--- a/rules/windows/builtin/win_apt_chafer_mar18_security.yml
+++ b/rules/windows/builtin/win_apt_chafer_mar18_security.yml
@@ -4,6 +4,7 @@ related:
 - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
 type: derived
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
+status: experimental
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
diff --git a/rules/windows/builtin/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/win_apt_chafer_mar18_system.yml
index c17e00d08..8eb58c4b5 100644
--- a/rules/windows/builtin/win_apt_chafer_mar18_system.yml
+++ b/rules/windows/builtin/win_apt_chafer_mar18_system.yml
@@ -1,6 +1,7 @@
 title: Chafer Activity
 id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
+status: experimental
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
diff --git a/rules/windows/builtin/win_apt_slingshot.yml b/rules/windows/builtin/win_apt_slingshot.yml
index 520aa2e23..5ad58b130 100644
--- a/rules/windows/builtin/win_apt_slingshot.yml
+++ b/rules/windows/builtin/win_apt_slingshot.yml
@@ -4,6 +4,7 @@ related:
 - id: 958d81aa-8566-4cea-a565-59ccd4df27b0
 type: derived
 description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
+status: experimental
 author: Florian Roth, Bartlomiej Czyz (@bczyz1)
 date: 2019/03/04
 modified: 2021/09/19
diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml
index 1d61e8bfe..f0a829606 100755
--- a/rules/windows/builtin/win_apt_stonedrill.yml
+++ b/rules/windows/builtin/win_apt_stonedrill.yml
@@ -1,6 +1,7 @@
 title: StoneDrill Service Install
 id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
 description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
+status: experimental
 author: Florian Roth
 date: 2017/03/07
 references:
diff --git a/rules/windows/builtin/win_apt_turla_service_png.yml b/rules/windows/builtin/win_apt_turla_service_png.yml
index c52079829..f8a5038a1 100644
--- a/rules/windows/builtin/win_apt_turla_service_png.yml
+++ b/rules/windows/builtin/win_apt_turla_service_png.yml
@@ -1,6 +1,7 @@
 title: Turla PNG Dropper Service
 id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
 description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
+status: experimental
 references:
 - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
 author: Florian Roth
diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
index 8ba7965c4..086feb2b2 100644
--- a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
+++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml
@@ -1,6 +1,7 @@
 title: Arbitrary Shell Command Execution Via Settingcontent-Ms
 id: 24de4f3b-804c-4165-b442-5a06a2302c7e
 description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
+status: experimental
 author: Sreeman
 date: 2020/03/13
 modified: 2021/08/09
diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml
index c0f68564f..b9d394901 100644
--- a/rules/windows/builtin/win_atsvc_task.yml
+++ b/rules/windows/builtin/win_atsvc_task.yml
@@ -1,6 +1,7 @@
 title: Remote Task Creation via ATSVC Named Pipe
 id: f6de6525-4509-495a-8a82-1f8b0ed73a00
 description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
+status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 references:
diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml
index da2e8dce9..e799e1e1a 100644
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
@@ -1,6 +1,7 @@
 title: Relevant Anti-Virus Event
 id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
 description: This detection method points out highly relevant Antivirus events
+status: experimental
 author: Florian Roth
 date: 2017/02/19
 modified: 2021/07/28
diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
index 6dbf836f0..3e43af17a 100644
--- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
@@ -1,6 +1,7 @@
 title: CobaltStrike Service Installations
 id: 5a105d34-05fc-401e-8553-272b45c1522d
 description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
+status: experimental
 author: Florian Roth, Wojciech Lesicki
 references:
 - https://www.sans.org/webcasts/119395
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index e1ea29ef1..bad6fabb1 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -1,6 +1,7 @@
 title: Disabling Windows Event Auditing
 id: 69aeb277-f15f-4d2d-b32a-55e883609563
 description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
+status: experimental
 references:
 - https://bit.ly/WinLogsZero2Hero
 tags:
diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml
index c87885a43..5bd709c7d 100644
--- a/rules/windows/builtin/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/win_global_catalog_enumeration.yml
@@ -1,5 +1,6 @@
 title: Enumeration via the Global Catalog
 description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.
+status: experimental
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 id: 619b020f-0fd7-4f23-87db-3f51ef837a34
 date: 2020/05/11
diff --git a/rules/windows/builtin/win_gpo_scheduledtasks.yml b/rules/windows/builtin/win_gpo_scheduledtasks.yml
index 669bcdaa5..7bfc0539a 100644
--- a/rules/windows/builtin/win_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/win_gpo_scheduledtasks.yml
@@ -1,6 +1,7 @@
 title: Persistence and Execution at Scale via GPO Scheduled Task
 id: a8f29a7b-b137-4446-80a0-b804272f3da2
 description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
+status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 references:
diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml
index 9a1d9139f..17666ce74 100644
--- a/rules/windows/builtin/win_hack_smbexec.yml
+++ b/rules/windows/builtin/win_hack_smbexec.yml
@@ -1,6 +1,7 @@
 title: smbexec.py Service Installation
 id: 52a85084-6989-40c3-8f32-091e12e13f09
 description: Detects the use of smbexec.py tool by detecting a specific service installation
+status: experimental
 author: Omer Faruk Celik
 date: 2018/03/20
 modified: 2020/08/23
diff --git a/rules/windows/builtin/win_impacket_psexec.yml b/rules/windows/builtin/win_impacket_psexec.yml
index bee036f20..e8549aa82 100644
--- a/rules/windows/builtin/win_impacket_psexec.yml
+++ b/rules/windows/builtin/win_impacket_psexec.yml
@@ -1,6 +1,7 @@
 title: Impacket PsExec Execution
 id: 32d56ea1-417f-44ff-822b-882873f5f43b
 description: Detects execution of Impacket's psexec.py.
+status: experimental
 author: Bhabesh Raj
 date: 2020/12/14
 references:
diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml
index 7706d4ee1..5117535db 100644
--- a/rules/windows/builtin/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/win_impacket_secretdump.yml
@@ -1,6 +1,7 @@
 title: Possible Impacket SecretDump Remote Activity
 id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
 description: Detect AD credential dumping using impacket secretdump HKTL
+status: experimental
 author: Samir Bousseaden, wagga
 date: 2019/04/03
 modified: 2021/06/27
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index 8cf5bd1fe..df3a87181 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -1,6 +1,7 @@
 title: First Time Seen Remote Named Pipe
 id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
 description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
+status: experimental
 author: Samir Bousseaden
 date: 2019/04/03
 references:
diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml
index e7dd86a02..b2a16a3af 100644
--- a/rules/windows/builtin/win_mal_creddumper.yml
+++ b/rules/windows/builtin/win_mal_creddumper.yml
@@ -1,6 +1,7 @@
 title: Credential Dumping Tools Service Execution
 id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 description: Detects well-known credential dumping tools execution via service execution events
+status: experimental
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2021/09/21
diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/win_metasploit_authentication.yml
index d2b256786..7e66523c3 100644
--- a/rules/windows/builtin/win_metasploit_authentication.yml
+++ b/rules/windows/builtin/win_metasploit_authentication.yml
@@ -1,5 +1,6 @@
 title: Metasploit SMB Authentication
 description: Alerts on Metasploit host's authentications on the domain.
+status: experimental
 id: 72124974-a68b-4366-b990-d30e0b2a190d
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 date: 2020/05/06
diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 3ce6bc05d..cc967c73c 100644
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -1,6 +1,7 @@ title: Meterpreter or Cobalt Strike Getsystem Service Installation id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation +status: experimental author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 modified: 2021/09/21 diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml index 190dc1057..a25b0ce0c 100644 --- a/rules/windows/builtin/win_mmc20_lateral_movement.yml +++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml @@ -1,6 +1,7 @@ title: MMC20 Lateral Movement id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe +status: experimental author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)' date: 2020/03/04 modified: 2020/08/23 diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index e0d1ad8d7..5fc1af96f 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -4,6 +4,7 @@ related: - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 type: derived description: Detects NetNTLM downgrade attack +status: experimental references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks author: Florian Roth, wagga diff --git a/rules/windows/builtin/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/win_ntfs_vuln_exploit.yml index 43936df5b..ae03199f2 100644 --- a/rules/windows/builtin/win_ntfs_vuln_exploit.yml +++ b/rules/windows/builtin/win_ntfs_vuln_exploit.yml 
@@ -1,6 +1,7 @@ title: NTFS Vulnerability Exploitation id: f14719ce-d3ab-4e25-9ce6-2899092260b0 description: This the exploitation of a NTFS vulnerability as reported without many details via Twitter +status: experimental author: Florian Roth date: 2021/01/11 modified: 2021/11/17 diff --git a/rules/windows/builtin/win_petitpotam_network_share.yml b/rules/windows/builtin/win_petitpotam_network_share.yml index ca5ff7c24..f6966cf10 100644 --- a/rules/windows/builtin/win_petitpotam_network_share.yml +++ b/rules/windows/builtin/win_petitpotam_network_share.yml @@ -1,6 +1,7 @@ title: Possible PetitPotam Coerce Authentication Attempt id: 1ce8c8a3-2723-48ed-8246-906ac91061a6 description: Detect PetitPotam coerced authentication activity. +status: experimental author: Mauricio Velazco, Michael Haag date: 2021/09/02 references: diff --git a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml index 0ae4cb94b..7898c30c0 100644 --- a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml +++ b/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml @@ -7,6 +7,7 @@ description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts. +status: experimental author: Mauricio Velazco, Michael Haag date: 2021/09/02 modified: 2021/09/07 diff --git a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml index 49ec46136..b19f45340 100644 --- a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml +++ b/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml 
@@ -1,6 +1,7 @@ title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln id: 8400629e-79a9-4737-b387-5db940ab2367 description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep +status: experimental references: - https://twitter.com/AdamTheAnalyst/status/1134394070045003776 - https://github.com/zerosum0x0/CVE-2019-0708 diff --git a/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml index 859a9d208..4aa03bf6f 100644 --- a/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml @@ -4,6 +4,7 @@ related: - id: 5a105d34-05fc-401e-8553-272b45c1522d type: derived description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement +status: experimental author: Florian Roth, Wojciech Lesicki references: - https://www.sans.org/webcasts/119395 diff --git a/rules/windows/builtin/win_security_mal_creddumper.yml b/rules/windows/builtin/win_security_mal_creddumper.yml index d6d823e61..d311d40f9 100644 --- a/rules/windows/builtin/win_security_mal_creddumper.yml +++ b/rules/windows/builtin/win_security_mal_creddumper.yml @@ -4,6 +4,7 @@ related: - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed type: derived description: Detects well-known credential dumping tools execution via service execution events +status: experimental author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 modified: 2021/09/21 diff --git a/rules/windows/builtin/win_security_mal_service_installs.yml b/rules/windows/builtin/win_security_mal_service_installs.yml index 9071ed8d3..3f798a692 100644 --- a/rules/windows/builtin/win_security_mal_service_installs.yml +++ b/rules/windows/builtin/win_security_mal_service_installs.yml 
@@ -4,6 +4,7 @@ related: - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a type: derived description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. +status: experimental author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 modified: 2021/09/21 diff --git a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml index e76b4c2eb..e73ae86d4 100644 --- a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml @@ -4,6 +4,7 @@ related: - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 type: derived description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation +status: experimental author: Bartlomiej Czyz, Relativity date: 2021/01/21 modified: 2021/07/23 diff --git a/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index 6fd722d3e..17df9ffed 100644 --- a/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ b/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml @@ -4,6 +4,7 @@ related: - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 type: derived description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation +status: experimental author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 modified: 2021/09/21 
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 17d5e4b96..310044b97 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -4,6 +4,7 @@ related: - id: f2f01843-e7b8-4f95-a35a-d23584476423 type: obsoletes description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution +status: experimental references: - https://twitter.com/deviouspolack/status/832535435960209408 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/win_susp_failed_logon_reasons.yml index c5b66905d..7bb60a5bd 100644 --- a/rules/windows/builtin/win_susp_failed_logon_reasons.yml +++ b/rules/windows/builtin/win_susp_failed_logon_reasons.yml @@ -2,6 +2,7 @@ title: Account Tampering - Suspicious Failed Logon Reasons id: 9eb99343-d336-4020-a3cd-67f3819e68ee description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. +status: experimental author: Florian Roth date: 2017/02/19 modified: 2021/10/29 diff --git a/rules/windows/builtin/win_susp_failed_logon_source.yml b/rules/windows/builtin/win_susp_failed_logon_source.yml index f522ea5ed..05d2a5b6d 100644 --- a/rules/windows/builtin/win_susp_failed_logon_source.yml +++ b/rules/windows/builtin/win_susp_failed_logon_source.yml @@ -1,6 +1,7 @@ title: Failed Logon From Public IP id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 description: A login from a public IP can indicate a misconfigured firewall or network boundary. +status: experimental author: NVISO date: 2020/05/06 tags: 
diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
index 95efe7d80..8a9e41c67 100644
--- a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
@@ -1,6 +1,7 @@
 title: Multiple Users Attempting To Authenticate Using Explicit Credentials
 id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
 description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
+status: experimental
 author: Mauricio Velazco
 date: 2021/06/01
 modified: 2021/08/09
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
index f6f8ce856..793601100 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_process.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
@@ -1,6 +1,7 @@
 title: Multiple Users Failing to Authenticate from Single Process
 id: fe563ab6-ded4-4916-b49f-a3a8445fe280
 description: Detects failed logins with multiple accounts from a single process on the system.
+status: experimental
 author: Mauricio Velazco
 date: 2021/06/01
 modified: 2021/07/07
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
index e3e971c53..3070617f2 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -1,6 +1,7 @@
 title: Failed Logins with Different Accounts from Single Source System
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 description: Detects suspicious failed logins with different user accounts from a single source system
+status: experimental
 author: Florian Roth
 date: 2017/01/10
 modified: 2021/09/21
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source2.yml index 9a85a45b3..2ecadc8de 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source2.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source2.yml @@ -4,6 +4,7 @@ related: - id: e98374a6-e2d9-4076-9b5c-11bdb2569995 type: derived description: Detects suspicious failed logins with different user accounts from a single source system +status: experimental author: Florian Roth date: 2017/01/10 modified: 2021/09/21 diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml index 71c939ef0..6f196b4bd 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml @@ -1,6 +1,7 @@ title: Valid Users Failing to Authenticate From Single Source Using Kerberos id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98 description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol. +status: experimental author: Mauricio Velazco, frack113 date: 2021/06/01 modified: 2021/07/06 diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml index 1d45f289e..514d19b8a 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml 
@@ -1,6 +1,7 @@
 title: Disabled Users Failing To Authenticate From Source Using Kerberos
 id: 4b6fe998-b69c-46d8-901b-13677c9fb663
 description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
+status: experimental
 author: Mauricio Velazco, frack113
 date: 2021/06/01
 modified: 2021/07/06
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
index 98f6e1d7c..c291444a9 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
@@ -1,6 +1,7 @@
 title: Invalid Users Failing To Authenticate From Source Using Kerberos
 id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
+status: experimental
 author: Mauricio Velazco, frack113
 date: 2021/06/01
 modified: 2021/07/06
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
index 7932c0fec..f7cde74cc 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
@@ -1,6 +1,7 @@
 title: Valid Users Failing to Authenticate from Single Source Using NTLM
 id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
 description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
+status: experimental
 author: Mauricio Velazco
 date: 2021/06/01
 modified: 2021/07/07
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
index 05f5742a1..7ccd33f7c 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml @@ -1,6 +1,7 @@ title: Invalid Users Failing To Authenticate From Single Source Using NTLM id: 56d62ef8-3462-4890-9859-7b41e541f8d5 description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol. +status: experimental author: Mauricio Velazco date: 2021/06/01 modified: 2021/07/07 diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml index c7905c43b..960b853af 100644 --- a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml +++ b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml @@ -1,6 +1,7 @@ title: Multiple Users Remotely Failing To Authenticate From Single Source id: add2ef8d-dc91-4002-9e7e-f2702369f53a description: Detects a source system failing to authenticate against a remote host with multiple users. +status: experimental author: Mauricio Velazco references: - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying diff --git a/rules/windows/builtin/win_susp_interactive_logons.yml b/rules/windows/builtin/win_susp_interactive_logons.yml index ef684633d..b3238bfb3 100644 --- a/rules/windows/builtin/win_susp_interactive_logons.yml +++ b/rules/windows/builtin/win_susp_interactive_logons.yml @@ -1,6 +1,7 @@ title: Interactive Logon to Server Systems id: 3ff152b2-1388-4984-9cd9-a323323fdadf description: Detects interactive console logons to Server Systems +status: experimental author: Florian Roth date: 2017/03/17 tags: diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/win_susp_kerberos_manipulation.yml index 0edd7c679..dcca0e261 100644 --- a/rules/windows/builtin/win_susp_kerberos_manipulation.yml +++ b/rules/windows/builtin/win_susp_kerberos_manipulation.yml 
@@ -1,6 +1,7 @@ title: Kerberos Manipulation id: f7644214-0eb0-4ace-9455-331ec4c09253 description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages +status: experimental author: Florian Roth date: 2017/02/10 tags: diff --git a/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml index 6304043ad..0bc1a547a 100644 --- a/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml @@ -1,7 +1,7 @@ title: Suspicious Multiple File Rename Or Delete Occurred id: 97919310-06a7-482c-9639-92b67ed63cf8 -status: experimental description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity). +status: experimental tags: - attack.impact - attack.t1486 diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/win_susp_proceshacker.yml index e67638118..aa59623eb 100644 --- a/rules/windows/builtin/win_susp_proceshacker.yml +++ b/rules/windows/builtin/win_susp_proceshacker.yml @@ -1,6 +1,7 @@ title: ProcessHacker Privilege Elevation id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9 description: Detects a ProcessHacker tool that elevated privileges to a very high level +status: experimental references: - https://twitter.com/1kwpeter/status/1397816101455765504 author: Florian Roth diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml index f64f235f7..f82a1ee68 100644 --- a/rules/windows/builtin/win_susp_psexec.yml +++ b/rules/windows/builtin/win_susp_psexec.yml 
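Review bot: The hunk for `win_susp_multiple_files_renamed_or_deleted.yml` removes an existing `status: experimental` line and re-adds the identical line after `description:`, so it is a key reorder rather than a missing status, which is what the commit title claims. The same pattern appears in `win_file_winword_cve_2021_40444.yml`, and in `win_transferring_files_with_credential_data_via_network_shares.yml` the field moves from the bottom of the file to after `description:`. If the intent is to normalise key order, say so in the commit description and apply it consistently, since `win_metasploit_authentication.yml` and `win_global_catalog_enumeration.yml` in this same patch place `status` before `id`; otherwise these reorder hunks are blame churn that can be dropped.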
@@ -1,6 +1,7 @@ title: Suspicious PsExec Execution id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82 description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one +status: experimental author: Samir Bousseaden date: 2019/04/03 references: diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml index cb04f62af..61b204cab 100644 --- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml +++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml @@ -1,6 +1,7 @@ title: Suspicious Access to Sensitive File Extensions id: 91c945bc-2ad1-4799-a591-4d00198a1215 description: Detects known sensitive file extensions accessed on a network share +status: experimental author: Samir Bousseaden date: 2019/04/03 modified: 2021/08/09 diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/win_susp_samr_pwset.yml index e1b6cc39e..0eeed1c10 100644 --- a/rules/windows/builtin/win_susp_samr_pwset.yml +++ b/rules/windows/builtin/win_susp_samr_pwset.yml @@ -2,6 +2,7 @@ title: Possible Remote Password Change Through SAMR id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951 description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events. +status: experimental author: Dimitrios Slamaris date: 2017/06/09 tags: diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml index be19e9ffb..9ca27223a 100644 --- a/rules/windows/builtin/win_svcctl_remote_service.yml +++ b/rules/windows/builtin/win_svcctl_remote_service.yml 
@@ -1,6 +1,7 @@ title: Remote Service Activity via SVCCTL Named Pipe id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3 description: Detects remote service activity via remote access to the svcctl named pipe +status: experimental author: Samir Bousseaden date: 2019/04/03 references: diff --git a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml index be029b51a..e5be5a61d 100644 --- a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_system_susp_eventlog_cleared.yml @@ -6,6 +6,7 @@ related: - id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 type: derived description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution +status: experimental references: - https://twitter.com/deviouspolack/status/832535435960209408 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml index 693ad831f..b611a04cd 100644 --- a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +++ b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml @@ -1,6 +1,7 @@ title: Transferring Files with Credential Data via Network Shares id: 910ab938-668b-401b-b08c-b596e80fdca5 description: Transferring files with well-known filenames (sensitive files with credential data) using network shares +status: experimental author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 references: @@ -30,4 +31,3 @@ detection: falsepositives: - Transferring sensitive files for legitimate administration work by legitimate administrator level: medium -status: experimental 
diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml index 3803a7313..2817cc600 100644 --- a/rules/windows/driver_load/driver_load_mal_creddumper.yml +++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml @@ -4,6 +4,7 @@ related: - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed type: derived description: Detects well-known credential dumping tools execution via service execution events +status: experimental author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 modified: 2021/11/10 diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index b45519cbe..9593302ff 100644 --- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -4,6 +4,7 @@ related: - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 type: derived description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation +status: experimental author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 modified: 2021/09/21 diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml index 083b9f7f5..e61045ae8 100755 --- a/rules/windows/driver_load/driver_load_susp_temp_use.yml +++ b/rules/windows/driver_load/driver_load_susp_temp_use.yml @@ -1,6 +1,7 @@ title: Suspicious Driver Load from Temp id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 description: Detects a driver load from a temporary directory +status: experimental author: Florian Roth date: 2017/02/12 modified: 2020/08/23 
diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml index 1e361bd9b..4a64d8dab 100644 --- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml +++ b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml @@ -1,6 +1,7 @@ title: Vulnerable Dell BIOS Update Driver Load id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 +status: experimental author: Florian Roth date: 2021/05/05 references: diff --git a/rules/windows/file_event/file_event_lsass_dump.yml b/rules/windows/file_event/file_event_lsass_dump.yml index 86008a310..ed105ff68 100644 --- a/rules/windows/file_event/file_event_lsass_dump.yml +++ b/rules/windows/file_event/file_event_lsass_dump.yml @@ -4,6 +4,7 @@ related: - id: db2110f3-479d-42a6-94fb-d35bc1e46492 type: obsoletes description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials +status: experimental author: Florian Roth references: - https://www.google.com/search?q=procdump+lsass diff --git a/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml index 00e042ace..bb2d14f70 100644 --- a/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml +++ b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml @@ -1,6 +1,7 @@ title: RedMimicry Winnti Playbook Dropped File id: 130c9e58-28ac-4f83-8574-0a4cc913b97e description: Detects actions caused by the RedMimicry Winnti playbook +status: experimental references: - https://redmimicry.com author: Alexander Rausch diff --git a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml index 1787a6c1a..ca52a1a02 100644 --- a/rules/windows/file_event/win_file_winword_cve_2021_40444.yml 
+++ b/rules/windows/file_event/win_file_winword_cve_2021_40444.yml @@ -1,7 +1,7 @@ title: Suspicious Word Cab File Write CVE-2021-40444 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5 -status: experimental description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 +status: experimental references: - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21 diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml index 94ec45d72..eed623163 100644 --- a/rules/windows/malware/av_exploiting.yml +++ b/rules/windows/malware/av_exploiting.yml @@ -1,6 +1,7 @@ title: Antivirus Exploitation Framework Detection id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864 description: Detects a highly relevant Antivirus alert that reports an exploitation framework +status: experimental date: 2018/09/09 modified: 2019/01/16 author: Florian Roth diff --git a/rules/windows/malware/av_hacktool.yml b/rules/windows/malware/av_hacktool.yml index e074241ff..e3427bf99 100644 --- a/rules/windows/malware/av_hacktool.yml +++ b/rules/windows/malware/av_hacktool.yml @@ -1,6 +1,7 @@ title: Antivirus Hacktool Detection id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool +status: experimental date: 2021/08/16 author: Florian Roth references: diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml index dc75de349..34a4314f7 100644 --- a/rules/windows/malware/av_password_dumper.yml +++ b/rules/windows/malware/av_password_dumper.yml @@ -1,6 +1,7 @@ title: Antivirus Password Dumper Detection id: 78cc2dd2-7d20-4d32-93ff-057084c38b93 description: Detects a highly relevant Antivirus alert that reports a password dumper +status: experimental date: 2018/09/09 modified: 2019/10/04 author: Florian Roth 
diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml
index fb82c3138..0f2b3ace8 100644
--- a/rules/windows/malware/av_relevant_files.yml
+++ b/rules/windows/malware/av_relevant_files.yml
@@ -1,6 +1,7 @@
 title: Antivirus Relevant File Paths Alerts
 id: c9a88268-0047-4824-ba6e-4d81ce0b907c
 description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
+status: experimental
 date: 2018/09/09
 modified: 2021/05/09
 author: Florian Roth, Arnim Rupp
diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml
index 39960e1d2..4f0a63aaa 100644
--- a/rules/windows/malware/av_webshell.yml
+++ b/rules/windows/malware/av_webshell.yml
@@ -1,6 +1,7 @@
 title: Antivirus Web Shell Detection
 id: fdf135a2-9241-4f96-a114-bb404948f736
 description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
+status: experimental
 date: 2018/09/09
 modified: 2021/05/08
 author: Florian Roth, Arnim Rupp
diff --git a/rules/windows/other/win_defender_bypass.yml b/rules/windows/other/win_defender_bypass.yml
index d14592fbc..d4fd592a3 100644
--- a/rules/windows/other/win_defender_bypass.yml
+++ b/rules/windows/other/win_defender_bypass.yml
@@ -1,6 +1,7 @@
 title: Windows Defender Exclusion Set
 id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
 description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
+status: experimental
 references:
 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 tags:
diff --git a/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
index 50adcdf3c..11dae35ce 100644
--- a/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
+++ b/rules/windows/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
@@ -6,6 +6,7 @@ related:
 - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
 type: derived
 description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
+status: experimental
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
diff --git a/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml
index 3c53354eb..c1b7275ad 100644
--- a/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml
@@ -1,6 +1,7 @@
 title: Change PowerShell Policies to a Unsecure Level
 id: 61d0475c-173f-4844-86f7-f3eebae1c66b
 description: Detects use of Set-ExecutionPolicy to set a unsecure policies
+status: experimental
 references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
diff --git a/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
index 7dfbaa608..49bfae4ab 100644
--- a/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
@@ -6,6 +6,7 @@ related:
 - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
 type: derived
 description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
+status: experimental
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
diff --git a/rules/windows/process_access/sysmon_svchost_cred_dump.yml b/rules/windows/process_access/sysmon_svchost_cred_dump.yml
index f8d286354..abfab2e52 100644
--- a/rules/windows/process_access/sysmon_svchost_cred_dump.yml
+++ b/rules/windows/process_access/sysmon_svchost_cred_dump.yml
@@ -1,6 +1,7 @@
 title: SVCHOST Credential Dump
 id: 174afcfa-6e40-4ae9-af64-496546389294
 description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials
+status: experimental
 date: 2021/04/30
 author: Florent Labouyrie
 logsource:
diff --git a/rules/windows/process_creation/process_creation_apt_slingshot.yml b/rules/windows/process_creation/process_creation_apt_slingshot.yml
index b726d27be..7daf55bc5 100755
--- a/rules/windows/process_creation/process_creation_apt_slingshot.yml
+++ b/rules/windows/process_creation/process_creation_apt_slingshot.yml
@@ -1,6 +1,7 @@
 title: Defrag Deactivation
 id: 958d81aa-8566-4cea-a565-59ccd4df27b0
 description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
+status: experimental
 author: Florian Roth, Bartlomiej Czyz (@bczyz1)
 date: 2019/03/04
 modified: 2021/09/19
diff --git a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
index 6e9c71ef5..6d8556cff 100644
--- a/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
+++ b/rules/windows/process_creation/process_creation_stickykey_like_backdoor.yml
@@ -5,6 +5,7 @@ related:
 type: derived
 description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+status: experimental
 references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 tags:
diff --git a/rules/windows/process_creation/sysmon_hack_wce.yml b/rules/windows/process_creation/sysmon_hack_wce.yml
index f4b181354..6acf0e58f 100644
--- a/rules/windows/process_creation/sysmon_hack_wce.yml
+++ b/rules/windows/process_creation/sysmon_hack_wce.yml
@@ -1,6 +1,7 @@
 title: Windows Credential Editor
 id: 7aa7009a-28b9-4344-8c1f-159489a390df
 description: Detects the use of Windows Credential Editor (WCE)
+status: experimental
 author: Florian Roth
 references:
 - https://www.ampliasecurity.com/research/windows-credentials-editor/
diff --git a/rules/windows/process_creation/process_creationn_apt_chafer_mar18.yml b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml
similarity index 98%
rename from rules/windows/process_creation/process_creationn_apt_chafer_mar18.yml
rename to rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml
index 39d28e4af..63c8dd1b8 100644
--- a/rules/windows/process_creation/process_creationn_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml
@@ -4,6 +4,7 @@ related:
 - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
 type: derived
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
+status: experimental
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
index 770ad56b1..20c216949 100644
--- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
+++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml
@@ -1,6 +1,7 @@
 title: APT29
 id: 033fe7d6-66d1-4240-ac6b-28908009c71f
 description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
+status: experimental
 references:
 - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
 - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
index 248e3d652..f13e874d2 100644
--- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml
@@ -1,6 +1,7 @@
 title: Judgement Panda Credential Access Activity
 id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
 description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
+status: experimental
 references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 author: Florian Roth
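Review bot: The rename target `rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml` looks like a typo for the `win_pc_` prefix that sibling files in this same patch use (win_pc_set_policies_to_unsecure_level.yml, win_pc_susp_schtasks_user_temp.yml). A `wim_` prefix would sort and grep apart from the other process_creation rules and could be missed by tooling that keys on the `win_` prefix. Suggest `rename to rules/windows/process_creation/win_pc_apt_chafer_mar18.yml` before merge; the rename is also not mentioned in the commit description, which only says "add missing status".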
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index 8c6538e18..b277ea9d7 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -1,6 +1,7 @@
 title: WMIExec VBS Script
 id: 966e4016-627f-44f7-8341-f394905c361f
 description: Detects suspicious file execution by wscript and cscript
+status: experimental
 author: Florian Roth
 date: 2017/04/07
 references:
diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml
index 93b94f147..5ced1c076 100644
--- a/rules/windows/process_creation/win_apt_empiremonkey.yml
+++ b/rules/windows/process_creation/win_apt_empiremonkey.yml
@@ -1,6 +1,7 @@
 title: Empire Monkey
 id: 10152a7b-b566-438f-a33c-390b607d1c8d
 description: Detects EmpireMonkey APT reported Activity
+status: experimental
 references:
 - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
 tags:
diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
index 78748faa4..92aa1e508 100755
--- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
+++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml
@@ -4,6 +4,7 @@ author: Florian Roth
 date: 2019/03/04
 modified: 2020/08/27
 description: Detects a specific tool and export used by EquationGroup
+status: experimental
 references:
 - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
 - https://securelist.com/apt-slingshot/84312/
diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
index c1fb93db5..0eb8742d9 100644
--- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
+++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml
@@ -1,6 +1,7 @@
 title: Judgement Panda Exfil Activity
 id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
 description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
+status: experimental
 references:
 - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
index 1fa44f000..56823a59e 100755
--- a/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
+++ b/rules/windows/process_creation/win_apt_ta17_293a_ps.yml
@@ -1,6 +1,7 @@
 title: Ps.exe Renamed SysInternals Tool
 id: 18da1007-3f26-470f-875d-f77faf1cab31
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
+status: experimental
 references:
 - https://www.us-cert.gov/ncas/alerts/TA17-293A
 tags:
diff --git a/rules/windows/process_creation/win_apt_unc2452_ps.yml b/rules/windows/process_creation/win_apt_unc2452_ps.yml
index 5575f09f4..27dc40646 100644
--- a/rules/windows/process_creation/win_apt_unc2452_ps.yml
+++ b/rules/windows/process_creation/win_apt_unc2452_ps.yml
@@ -1,6 +1,7 @@
 title: UNC2452 PowerShell Pattern
 id: b7155193-8a81-4d8f-805d-88de864ca50c
 description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
+status: experimental
 references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
 - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml
index 515d541e7..9aeb6d8c3 100755
--- a/rules/windows/process_creation/win_apt_zxshell.yml
+++ b/rules/windows/process_creation/win_apt_zxshell.yml
@@ -1,6 +1,7 @@
 title: ZxShell Malware
 id: f0b70adb-0075-43b0-9745-e82a1c608fcc
 description: Detects a ZxShell start by the called and well-known function name
+status: experimental
 author: Florian Roth, oscd.community, Jonhnathan Ribeiro
 date: 2017/07/20
 modified: 2020/08/26
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
index 03801e753..7d6cd971e 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@@ -1,6 +1,7 @@
 title: Exploit for CVE-2017-8759
 id: fdd84c68-a1f6-47c9-9477-920584f94905
 description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
+status: experimental
 references:
 - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
diff --git a/rules/windows/process_creation/win_hack_adcspwn.yml b/rules/windows/process_creation/win_hack_adcspwn.yml
index fcaa5c41b..c1ad6a218 100644
--- a/rules/windows/process_creation/win_hack_adcspwn.yml
+++ b/rules/windows/process_creation/win_hack_adcspwn.yml
@@ -1,6 +1,7 @@
 title: ADCSPwn Hack Tool
 id: cd8c163e-a19b-402e-bdd5-419ff5859f12
 description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
+status: experimental
 author: Florian Roth
 references:
 - https://github.com/bats3c/ADCSPwn
diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml
index 27501397b..800a2ae7a 100644
--- a/rules/windows/process_creation/win_hack_bloodhound.yml
+++ b/rules/windows/process_creation/win_hack_bloodhound.yml
@@ -1,6 +1,7 @@
 title: Bloodhound and Sharphound Hack Tool
 id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
 description: Detects command line parameters used by Bloodhound and Sharphound hack tools
+status: experimental
 author: Florian Roth
 references:
 - https://github.com/BloodHoundAD/BloodHound
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 4ce04049b..b0f6bb699 100644
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -1,6 +1,7 @@
 title: Rubeus Hack Tool
 id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
 description: Detects command line parameters used by Rubeus hack tool
+status: experimental
 author: Florian Roth
 references:
 - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml
index d8899df42..8b29ea34b 100644
--- a/rules/windows/process_creation/win_hack_secutyxploded.yml
+++ b/rules/windows/process_creation/win_hack_secutyxploded.yml
@@ -1,6 +1,7 @@
 title: SecurityXploded Tool
 id: 7679d464-4f74-45e2-9e01-ac66c5eb041a
 description: Detects the execution of SecurityXploded Tools
+status: experimental
 author: Florian Roth
 references:
 - https://securityxploded.com/
diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
index 4c44ae87b..04c9f49ab 100644
--- a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
+++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml
@@ -1,6 +1,7 @@
 title: Writing Of Malicious Files To The Fonts Folder
 id: ae9b0bd7-8888-4606-b444-0ed7410cb728
 description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
+status: experimental
 references:
 - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
 date: 2020/21/04
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
index c56459257..ea76cc39e 100644
--- a/rules/windows/process_creation/win_hktl_createminidump.yml
+++ b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -1,6 +1,7 @@
 title: CreateMiniDump Hacktool
 id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
 description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
+status: experimental
 author: Florian Roth
 references:
 - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index cb775d882..f7fe4b4bf 100644
--- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -1,6 +1,7 @@
 title: Meterpreter or Cobalt Strike Getsystem Service Start
 id: 15619216-e993-4721-b590-4c520615a67d
 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
+status: experimental
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
 modified: 2021/05/20
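Review bot: The context line `date: 2020/21/04` in the win_hiding_malware_in_fonts_folder.yml hunk is not a valid YYYY/MM/DD date (month 21), the format every other `date` field in this patch follows, and the new `status` line lands three lines above it, so this is the moment to fix it. The reference URL on the line above carries `2020/04/20`, so the intended value is presumably `2020/04/21` with day and month swapped, but confirm against the file history rather than assume. The same hunk's description also misspells `privillege`; `privilege` is the fix.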
diff --git a/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml
index 7bc3f6a2f..cf3fd63ce 100644
--- a/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml
+++ b/rules/windows/process_creation/win_pc_set_policies_to_unsecure_level.yml
@@ -1,6 +1,7 @@
 title: Change PowerShell Policies to a Unsecure Level
 id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
 description: Detects use of executionpolicy option to set a unsecure policies
+status: experimental
 references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
diff --git a/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml
index 38d1e3c3e..6a00bbb64 100644
--- a/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml
+++ b/rules/windows/process_creation/win_pc_susp_schtasks_user_temp.yml
@@ -1,6 +1,7 @@
 title: Suspicius Add Task From User AppData Temp
 id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8
 description: schtasks.exe create task from user AppData\Local\Temp
+status: experimental
 references:
 - malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
 tags:
diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml
index a0125bc7d..2594a7efc 100644
--- a/rules/windows/process_creation/win_psexesvc_start.yml
+++ b/rules/windows/process_creation/win_psexesvc_start.yml
@@ -1,6 +1,7 @@
 title: PsExec Service Start
 id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
 description: Detects a PsExec service start
+status: experimental
 author: Florian Roth
 date: 2018/03/13
 modified: 2012/12/11
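Review bot: In the win_pc_susp_schtasks_user_temp.yml hunk the context line `title: Suspicius Add Task From User AppData Temp` misspells "Suspicious", and the description `schtasks.exe create task from user AppData\Local\Temp` is a fragment rather than a sentence; both sit directly above the added status line and the title is what analysts see in alerts. Suggest `title: Suspicious Add Task From User AppData Temp` and `description: Detects schtasks.exe creating a scheduled task from the user's AppData\Local\Temp directory`. The `references` entry also prefixes the URL with free text (`malware analyse https://...`), which some rule tooling may not accept as a URL.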
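Review bot: In the win_psexesvc_start.yml hunk the context line `modified: 2012/12/11` predates `date: 2018/03/13`, so the modification date cannot be right, and the new status line is added two lines above it without correcting it. I can't tell the intended year from the diff alone, so it should be checked against the file history rather than guessed. A check that `modified` is never earlier than `date` would catch this class of error across the rule set.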
diff --git a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
index 1106fcd3c..a9ca7e3e8 100644
--- a/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
+++ b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
@@ -1,6 +1,7 @@
 title: RedMimicry Winnti Playbook Execute
 id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
 description: Detects actions caused by the RedMimicry Winnti playbook
+status: experimental
 references:
 - https://redmimicry.com
 author: Alexander Rausch
diff --git a/rules/windows/process_creation/win_sus_auditpol_usage.yml b/rules/windows/process_creation/win_sus_auditpol_usage.yml
index e3ca336ed..2eeba8dcf 100644
--- a/rules/windows/process_creation/win_sus_auditpol_usage.yml
+++ b/rules/windows/process_creation/win_sus_auditpol_usage.yml
@@ -1,6 +1,7 @@
 title: Suspicious Auditpol Usage
 id: 0a13e132-651d-11eb-ae93-0242ac130002
 description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
+status: experimental
 author: Janantha Marasinghe (https://github.com/blueteam0ps)
 references:
 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
index 312b047b7..1d9edc2f7 100644
--- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
+++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
@@ -25,4 +25,6 @@ detection:
 falsepositives:
 - Unknown
 level: critical
-
+tags:
+ - attack.execution
+ - attack.t1059
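Review bot: The win_susp_control_cve_2021_40444.yml hunk adds a `tags:` block with `attack.execution` and `attack.t1059` rather than a status field, which neither the commit subject ("Missing status in rules") nor its description ("add missing status") mentions. The rule's header lines are outside the hunk, so I can't tell from the diff whether this file already has a `status`; if it does not, it would be the one file in the patch still missing one. Either note the tag addition in the commit description or split it into its own commit so the metadata change stays reviewable on its own.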
diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml
index 0bd70927f..cdc88f34e 100644
--- a/rules/windows/process_creation/win_susp_double_extension.yml
+++ b/rules/windows/process_creation/win_susp_double_extension.yml
@@ -1,6 +1,7 @@
 title: Suspicious Double Extension
 id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
 description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
+status: experimental
 references:
 - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
 - https://twitter.com/blackorbird/status/1140519090961825792
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml
index 7046f941a..92f50bd32 100644
--- a/rules/windows/process_creation/win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml
@@ -1,6 +1,7 @@
 title: Suspicious Eventlog Clear or Configuration Using Wevtutil
 id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
 description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
+status: experimental
 author: Ecco, Daniil Yugoslavskiy, oscd.community
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md
diff --git a/rules/windows/process_creation/win_susp_finger_usage.yml b/rules/windows/process_creation/win_susp_finger_usage.yml
index 87fd5ff30..e82c9ff8b 100644
--- a/rules/windows/process_creation/win_susp_finger_usage.yml
+++ b/rules/windows/process_creation/win_susp_finger_usage.yml
@@ -1,6 +1,7 @@
 title: Finger.exe Suspicious Invocation
 id: af491bca-e752-4b44-9c86-df5680533dbc
 description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays
+status: experimental
 author: Florian Roth, omkar72, oscd.community
 date: 2021/02/24
 references:
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml
index 1b76d1091..ba4774fa5 100644
--- a/rules/windows/process_creation/win_susp_fsutil_usage.yml
+++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml
@@ -1,6 +1,7 @@
 title: Fsutil Suspicious Invocation
 id: add64136-62e5-48ea-807e-88638d02df1e
 description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
+status: experimental
 author: Ecco, E.M. Anhaus, oscd.community
 date: 2019/09/26
 modified: 2019/11/11
diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
index 9d9cf2862..ea917bea4 100644
--- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml
+++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
@@ -1,6 +1,7 @@
 title: Ping Hex IP
 id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
 description: Detects a ping command that uses a hex encoded IP address
+status: experimental
 references:
 - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.can
 - https://twitter.com/vysecurity/status/977198418354491392
diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
index 4861f0dc7..b210e6045 100644
--- a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
@@ -1,6 +1,7 @@
 title: Regedit as Trusted Installer
 id: 883835a7-df45-43e4-bf1d-4268768afda4
 description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
+status: experimental
 references:
 - https://twitter.com/1kwpeter/status/1397816101455765504
 author: Florian Roth
diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
index 03448ef35..57908d8fb 100644
--- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
@@ -1,6 +1,7 @@
 title: Java Running with Remote Debugging
 id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
 description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
+status: experimental
 author: Florian Roth
 date: 2019/01/16
 modified: 2020/08/29
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index 09d432656..5b06496a8 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -2,6 +2,7 @@ title: Webshell Detection With Command Line Keywords
 id: bed2a484-9348-4143-8a8a-b801c979301c
 description: Detects certain command line parameters often used during reconnaissance activity via web shells
 author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
+status: experimental
 references:
 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
 - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
diff --git a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml
index a1ee3e874..7378e096c 100644
--- a/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml
+++ b/rules/windows/registry_event/registry_event_apt_chafer_mar18.yml
@@ -4,6 +4,7 @@ related:
 - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
 type: derived
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
+status: experimental
 references:
 - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
diff --git a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml
index ab26594b2..8f5c2b1bf 100644
--- a/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -1,6 +1,7 @@
 title: NetNTLM Downgrade Attack
 id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
 description: Detects NetNTLM downgrade attack
+status: experimental
 references:
 - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 author: Florian Roth, wagga
diff --git a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
index 2ec90b7c1..595145857 100755
--- a/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -2,6 +2,7 @@ title: Sticky Key Like Backdoor Usage
 id: baca5663-583c-45f9-b5dc-ea96a22ce542
 description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+status: experimental
 references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 tags:
diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
index e3f50de16..474dbecb6 100755
--- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml
+++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
@@ -1,6 +1,7 @@
 title: Windows Credential Editor Registry
 id: a6b33c02-8305-488f-8585-03cb2a7763f2
 description: Detects the use of Windows Credential Editor (WCE)
+status: experimental
 author: Florian Roth
 references:
 - https://www.ampliasecurity.com/research/windows-credentials-editor/
diff --git a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
index 4a9041570..f14fcbfe0 100755
--- a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
+++ b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
@@ -1,6 +1,7 @@
 title: RDP Sensitive Settings Changed
 id: 171b67e1-74b4-460e-8d55-b331f3e32d67
 description: Detects changes to RDP terminal service sensitive settings
+status: experimental
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
 date: 2019/04/03
diff --git a/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml
index e1a83679b..13b192848 100644
--- a/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml
+++ b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml
@@ -1,6 +1,7 @@
 title: RedMimicry Winnti Playbook Registry Manipulation
 id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
 description: Detects actions caused by the RedMimicry Winnti playbook
+status: experimental
 references:
 - https://redmimicry.com
 author: Alexander Rausch
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
index c8404f2cc..190f33f2c 100644
--- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
+++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
@@ -1,6 +1,7 @@
 title: SilentProcessExit Monitor Registrytion
 id: c81fe886-cac0-4913-a511-2822d72ff505
 description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
+status: experimental
 author: Florian Roth
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
index 66a5dc12a..18f83195a 100644
--- a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
+++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
@@ -1,6 +1,7 @@
 title: SilentProcessExit Monitor Registrytion for LSASS
 id: 55e29995-75e7-451a-bef0-6225e2f13597
 description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory
+status: experimental
 author: Florian Roth
 references:
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
diff --git a/rules/windows/registry_event/sysmon_runkey_winekey.yml b/rules/windows/registry_event/sysmon_runkey_winekey.yml
index 636015fce..f6367545d 100644
--- a/rules/windows/registry_event/sysmon_runkey_winekey.yml
+++ b/rules/windows/registry_event/sysmon_runkey_winekey.yml
@@ -1,6 +1,7 @@
 title: WINEKEY Registry Modification
 id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
 description: Detects potential malicious modification of run keys by winekey or team9 backdoor
+status: experimental
 date: 2020/10/30
 author: omkar72
 references:
diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
index 2800e4ee6..964609701 100644
--- a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
+++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@@ -1,6 +1,7 @@
 title: Atbroker Registry Change
 id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
 description: Detects creation/modification of Assisitive Technology applications and persistence with usage of ATs
+status: experimental
 author: Mateusz Wydra, oscd.community
 references:
 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
index 77400edbc..d68b3dfef 100644
--- a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
+++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
@@ -1,6 +1,7 @@
 title: Suspicious Camera and Microphone Access
 id: 62120148-6b7a-42be-8b91-271c04e281a3
 description: Detects Processes accessing the camera and microphone from suspicious folder
+status: experimental
 author: Den Iuzvyk
 date: 2020/06/07
 modified: 2021/09/17
diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
index a7842bbee..6c26c7786 100755
--- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
@@ -1,5 +1,6 @@
 title: Suspicious Keyboard Layout Load
 id: 34aa0252-6039-40ff-951f-939fd6ce47d8
+status: experimental
 description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
 references:
diff --git a/rules/windows/registry_event/sysmon_taskcache_entry.yml b/rules/windows/registry_event/sysmon_taskcache_entry.yml
index a4b72df0d..f149e51cc 100644
--- a/rules/windows/registry_event/sysmon_taskcache_entry.yml
+++ b/rules/windows/registry_event/sysmon_taskcache_entry.yml
@@ -1,6 +1,7 @@
 title: New TaskCache Entry
 id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
 description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered
+status: experimental
 tags:
 - attack.persistence
 - attack.t1053
diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
index 883c5863a..cd7301c71 100755
--- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml
+++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml
@@ -1,6 +1,7 @@
 title: Registry Persistence Mechanisms
 id: 36803969-5421-41ec-b92f-8500f79c23b0
 description: Detects persistence registry keys
+status: experimental
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2018/04/11