From 1d40f1d20be77f4b19ff0bd373e17b05ec5ca22a Mon Sep 17 00:00:00 2001 
From: Ryan Plas Date: Tue, 2 Jul 2024 06:00:11 -0400 Subject: [PATCH] Merge PR #4893 from @ryanplasma - Update Microsoft references URLS chore: update Microsoft references link to use the "learn" subdomain instead of "docs". --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Thanks: @ryanplasma --- .../rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml | 2 +- .../application/rpc_firewall/rpc_firewall_atsvc_recon.yml | 2 +- .../rpc_firewall/rpc_firewall_dcsync_attack.yml | 2 +- ...pc_firewall_itaskschedulerservice_lateral_movement.yml | 2 +- .../rpc_firewall_itaskschedulerservice_recon.yml | 2 +- .../rpc_firewall_printing_lateral_movement.yml | 4 ++-- .../rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml | 2 +- .../rpc_firewall_remote_registry_lateral_movement.yml | 2 +- .../rpc_firewall/rpc_firewall_remote_registry_recon.yml | 2 +- .../rpc_firewall_remote_server_service_abuse.yml | 2 +- .../rpc_firewall_remote_service_lateral_movement.yml | 2 +- .../rpc_firewall/rpc_firewall_sasec_lateral_movement.yml | 2 +- .../application/rpc_firewall/rpc_firewall_sasec_recon.yml | 2 +- .../rpc_firewall_sharphound_recon_account.yml | 2 +- .../rpc_firewall_sharphound_recon_sessions.yml | 2 +- .../azure/activity_logs/azure_application_deleted.yml | 2 +- .../azure_application_gateway_modified_or_deleted.yml | 2 +- ...ure_application_security_group_modified_or_deleted.yml | 2 +- .../azure_container_registry_created_or_deleted.yml | 2 +- .../azure_device_no_longer_managed_or_compliant.yml | 2 +- .../azure_device_or_configuration_modified_or_deleted.yml | 2 +- .../activity_logs/azure_dns_zone_modified_or_deleted.yml | 2 +- .../activity_logs/azure_firewall_modified_or_deleted.yml | 2 +- ...azure_firewall_rule_collection_modified_or_deleted.yml | 2 +- .../azure_keyvault_key_modified_or_deleted.yml | 2 +- .../activity_logs/azure_keyvault_modified_or_deleted.yml | 2 +- .../azure_keyvault_secrets_modified_or_deleted.yml | 2 +- 
.../azure_kubernetes_admission_controller.yml | 2 +- .../azure_kubernetes_cluster_created_or_deleted.yml | 2 +- .../azure/activity_logs/azure_kubernetes_cronjob.yml | 2 +- .../activity_logs/azure_kubernetes_events_deleted.yml | 2 +- .../azure_kubernetes_network_policy_change.yml | 2 +- .../azure/activity_logs/azure_kubernetes_pods_deleted.yml | 2 +- .../azure/activity_logs/azure_kubernetes_role_access.yml | 2 +- .../azure_kubernetes_rolebinding_modified_or_deleted.yml | 2 +- .../azure_kubernetes_secret_or_config_object_access.yml | 2 +- ...ure_kubernetes_service_account_modified_or_deleted.yml | 2 +- rules/cloud/azure/activity_logs/azure_mfa_disabled.yml | 2 +- .../azure_network_firewall_policy_modified_or_deleted.yml | 2 +- .../azure_network_firewall_rule_modified_or_deleted.yml | 2 +- .../azure_network_p2s_vpn_modified_or_deleted.yml | 2 +- .../azure_network_security_modified_or_deleted.yml | 2 +- .../azure_network_virtual_device_modified_or_deleted.yml | 2 +- .../azure/activity_logs/azure_new_cloudshell_created.yml | 2 +- ...wner_removed_from_application_or_service_principal.yml | 2 +- .../activity_logs/azure_service_principal_created.yml | 2 +- .../activity_logs/azure_service_principal_removed.yml | 2 +- ...ubscription_permissions_elevation_via_activitylogs.yml | 2 +- .../activity_logs/azure_suppression_rule_created.yml | 2 +- .../azure_virtual_network_modified_or_deleted.yml | 2 +- .../azure_vpn_connection_modified_or_deleted.yml | 2 +- .../azure_aad_secops_ca_policy_removedby_bad_actor.yml | 2 +- .../azure_aad_secops_ca_policy_updatedby_bad_actor.yml | 2 +- .../azure_aad_secops_new_ca_policy_addedby_bad_actor.yml | 2 +- .../azure/audit_logs/azure_ad_account_created_deleted.yml | 2 +- .../azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml | 2 +- .../azure_ad_device_registration_policy_changes.yml | 2 +- ...t_users_invited_to_tenant_by_non_approved_inviters.yml | 2 +- .../azure_ad_users_added_to_device_admin_roles.yml | 2 +- 
.../azure/audit_logs/azure_app_appid_uri_changes.yml | 2 +- .../cloud/azure/audit_logs/azure_app_credential_added.yml | 2 +- .../azure_app_delegated_permissions_all_users.yml | 2 +- .../cloud/azure/audit_logs/azure_app_end_user_consent.yml | 2 +- .../audit_logs/azure_app_end_user_consent_blocked.yml | 2 +- rules/cloud/azure/audit_logs/azure_app_owner_added.yml | 2 +- .../cloud/azure/audit_logs/azure_app_permissions_msft.yml | 2 +- .../azure/audit_logs/azure_app_privileged_permissions.yml | 2 +- rules/cloud/azure/audit_logs/azure_app_role_added.yml | 2 +- .../azure/audit_logs/azure_app_uri_modifications.yml | 2 +- .../audit_logs/azure_change_to_authentication_method.yml | 2 +- .../cloud/azure/audit_logs/azure_federation_modified.yml | 2 +- .../azure_group_user_addition_ca_modification.yml | 2 +- .../azure_group_user_removal_ca_modification.yml | 2 +- .../cloud/azure/audit_logs/azure_guest_invite_failure.yml | 2 +- rules/cloud/azure/audit_logs/azure_guest_to_member.yml | 2 +- .../audit_logs/azure_pim_activation_approve_deny.yml | 2 +- .../cloud/azure/audit_logs/azure_pim_alerts_disabled.yml | 2 +- .../cloud/azure/audit_logs/azure_pim_change_settings.yml | 2 +- .../audit_logs/azure_priviledged_role_assignment_add.yml | 2 +- .../azure_priviledged_role_assignment_bulk_change.yml | 2 +- .../audit_logs/azure_privileged_account_creation.yml | 2 +- ...e_subscription_permissions_elevation_via_auditlogs.yml | 2 +- rules/cloud/azure/audit_logs/azure_tap_added.yml | 2 +- .../cloud/azure/audit_logs/azure_user_password_change.yml | 2 +- .../azure_identity_protection_anomalous_token.yml | 4 ++-- .../azure_identity_protection_anomalous_user.yml | 4 ++-- .../azure_identity_protection_anonymous_ip_activity.yml | 4 ++-- .../azure_identity_protection_anonymous_ip_address.yml | 2 +- .../azure_identity_protection_atypical_travel.yml | 4 ++-- .../azure_identity_protection_impossible_travel.yml | 4 ++-- .../azure_identity_protection_inbox_forwarding_rule.yml | 4 ++-- 
.../azure_identity_protection_inbox_manipulation.yml | 4 ++-- .../azure_identity_protection_leaked_credentials.yml | 4 ++-- .../azure_identity_protection_malicious_ip_address.yml | 4 ++-- ...dentity_protection_malicious_ip_address_suspicious.yml | 4 ++-- .../azure_identity_protection_malware_linked_ip.yml | 4 ++-- .../azure_identity_protection_new_coutry_region.yml | 4 ++-- .../azure_identity_protection_password_spray.yml | 4 ++-- .../azure_identity_protection_prt_access.yml | 4 ++-- .../azure_identity_protection_suspicious_browser.yml | 4 ++-- .../azure_identity_protection_threat_intel.yml | 6 +++--- .../azure_identity_protection_token_issuer_anomaly.yml | 4 ++-- .../azure_identity_protection_unfamilar_sign_in.yml | 4 ++-- .../azure_pim_account_stale.yml | 2 +- .../azure_pim_invalid_license.yml | 2 +- .../azure_pim_role_assigned_outside_of_pim.yml | 2 +- .../azure_pim_role_frequent_activation.yml | 2 +- .../azure_pim_role_no_mfa_required.yml | 2 +- .../azure_pim_role_not_used.yml | 2 +- .../azure_pim_too_many_global_admins.yml | 2 +- rules/cloud/azure/signin_logs/azure_account_lockout.yml | 2 +- .../azure/signin_logs/azure_ad_auth_failure_increase.yml | 2 +- .../azure/signin_logs/azure_ad_auth_sucess_increase.yml | 2 +- ...ad_auth_to_important_apps_using_single_factor_auth.yml | 2 +- ...tications_from_countries_you_do_not_operate_out_of.yml | 2 +- .../azure_ad_device_registration_or_join_without_mfa.yml | 2 +- ...iled_auth_from_countries_you_do_not_operate_out_of.yml | 2 +- .../azure_ad_only_single_factor_auth_required.yml | 2 +- ...ign_ins_with_singlefactorauth_from_unknown_devices.yml | 2 +- .../azure_ad_sign_ins_from_noncompliant_devices.yml | 2 +- .../azure_ad_sign_ins_from_unknown_devices.yml | 2 +- .../signin_logs/azure_app_device_code_authentication.yml | 2 +- .../azure/signin_logs/azure_app_ropc_authentication.yml | 2 +- .../azure/signin_logs/azure_blocked_account_attempt.yml | 2 +- .../signin_logs/azure_conditional_access_failure.yml | 2 +- 
.../signin_logs/azure_legacy_authentication_protocols.yml | 2 +- .../azure/signin_logs/azure_login_to_disabled_account.yml | 2 +- rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml | 2 +- .../azure_unusual_authentication_interruption.yml | 2 +- .../azure_user_login_blocked_by_conditional_access.yml | 2 +- ...ure_users_authenticating_to_other_azure_ad_tenants.yml | 2 +- .../microsoft365_from_susp_ip_addresses.yml | 4 ++-- .../microsoft365_activity_by_terminated_user.yml | 4 ++-- .../microsoft365_activity_from_anonymous_ip_addresses.yml | 4 ++-- .../microsoft365_activity_from_infrequent_country.yml | 4 ++-- ...microsoft365_data_exfiltration_to_unsanctioned_app.yml | 4 ++-- .../microsoft365_impossible_travel_activity.yml | 4 ++-- .../microsoft365_logon_from_risky_ip_address.yml | 4 ++-- .../microsoft365_potential_ransomware_activity.yml | 4 ++-- .../microsoft365_susp_inbox_forwarding.yml | 4 ++-- ...crosoft365_susp_oauth_app_file_download_activities.yml | 4 ++-- .../microsoft365_unusual_volume_of_file_deletion.yml | 4 ++-- .../microsoft365_user_restricted_from_sending_email.yml | 4 ++-- .../proc_creation_lnx_susp_sensitive_file_access.yml | 2 +- .../zeek_dce_rpc_printnightmare_print_driver_install.yml | 2 +- .../application/esent/win_esent_ntdsutil_abuse.yml | 2 +- .../esent/win_esent_ntdsutil_abuse_susp_location.yml | 2 +- .../mssqlserver/win_mssql_disable_audit_settings.yml | 4 ++-- .../mssqlserver/win_mssql_sp_procoption_set.yml | 2 +- .../win_applocker_file_was_not_allowed_to_run.yml | 4 ++-- .../win_codeintegrity_attempted_dll_load.yml | 4 ++-- .../win_codeintegrity_blocked_protected_process_file.yml | 4 ++-- .../win_codeintegrity_enforced_policy_block.yml | 2 +- .../win_codeintegrity_revoked_driver_blocked.yml | 4 ++-- .../win_codeintegrity_revoked_driver_loaded.yml | 4 ++-- .../win_codeintegrity_revoked_image_blocked.yml | 4 ++-- .../win_codeintegrity_revoked_image_loaded.yml | 4 ++-- .../win_codeintegrity_unsigned_driver_loaded.yml | 4 ++-- 
.../win_codeintegrity_unsigned_image_loaded.yml | 4 ++-- .../code_integrity/win_codeintegrity_whql_failure.yml | 4 ++-- .../builtin/firewall_as/win_firewall_as_add_rule.yml | 2 +- .../firewall_as/win_firewall_as_add_rule_susp_folder.yml | 2 +- .../firewall_as/win_firewall_as_delete_all_rules.yml | 2 +- .../builtin/firewall_as/win_firewall_as_delete_rule.yml | 2 +- .../firewall_as/win_firewall_as_failed_load_gpo.yml | 2 +- .../builtin/firewall_as/win_firewall_as_reset_config.yml | 2 +- .../firewall_as/win_firewall_as_setting_change.yml | 2 +- .../win_sshd_openssh_server_listening_on_socket.yml | 2 +- .../win_security_susp_failed_logon_source.yml | 2 +- .../win_security_ad_replication_non_machine_account.yml | 2 +- .../builtin/security/win_security_ad_user_enumeration.yml | 8 ++++---- .../builtin/security/win_security_add_remove_computer.yml | 4 ++-- .../builtin/security/win_security_admin_share_access.yml | 2 +- .../win_security_alert_enable_weak_encryption.yml | 4 ++-- .../windows/builtin/security/win_security_alert_ruler.yml | 4 ++-- .../security/win_security_codeintegrity_check_failure.yml | 4 ++-- rules/windows/builtin/security/win_security_dcsync.yml | 2 +- .../security/win_security_device_installation_blocked.yml | 2 +- .../builtin/security/win_security_external_device.yml | 2 +- .../security/win_security_password_policy_enumerated.yml | 2 +- .../security/win_security_replay_attack_detected.yml | 2 +- .../security/win_security_susp_add_domain_trust.yml | 2 +- .../security/win_security_susp_failed_logon_reasons.yml | 2 +- .../security/win_security_susp_kerberos_manipulation.yml | 2 +- .../win_security_susp_scheduled_task_creation.yml | 2 +- ...win_security_susp_scheduled_task_delete_or_disable.yml | 4 ++-- .../security/win_security_susp_scheduled_task_update.yml | 2 +- .../builtin/security/win_security_susp_sdelete.yml | 2 +- .../security/win_security_susp_time_modification.yml | 2 +- .../win_security_user_added_to_local_administrators.yml | 2 +- 
.../builtin/security/win_security_user_driver_loaded.yml | 2 +- .../windows/builtin/security/win_security_user_logoff.yml | 4 ++-- .../win_system_defender_disabled.yml | 2 +- .../win_defender_antimalware_platform_expired.yml | 2 +- .../builtin/windefend/win_defender_asr_lsass_access.yml | 2 +- .../builtin/windefend/win_defender_asr_psexec_wmi.yml | 2 +- ...n_defender_config_change_sample_submission_consent.yml | 2 +- .../builtin/windefend/win_defender_history_delete.yml | 2 +- .../win_defender_malware_and_pua_scan_disabled.yml | 2 +- .../win_defender_malware_detected_amsi_source.yml | 2 +- .../win_defender_real_time_protection_disabled.yml | 2 +- .../windefend/win_defender_restored_quarantine_file.yml | 2 +- .../win_defender_suspicious_features_tampering.yml | 2 +- .../windefend/win_defender_tamper_protection_trigger.yml | 2 +- rules/windows/builtin/windefend/win_defender_threat.yml | 2 +- .../windefend/win_defender_virus_scan_disabled.yml | 2 +- .../file_event_win_office_macro_files_created.yml | 2 +- .../file_event_win_office_macro_files_downloaded.yml | 2 +- ...ile_event_win_office_macro_files_from_susp_process.yml | 2 +- .../file_event_win_susp_vscode_powershell_profile.yml | 2 +- .../image_load_dll_credui_uncommon_process_load.yml | 2 +- .../image_load_dll_dbghelp_dbgcore_unsigned_load.yml | 2 +- .../image_load/image_load_wsman_provider_image_load.yml | 2 +- .../net_connection_win_certutil_initiated_connection.yml | 2 +- .../net_connection_win_msiexec_http.yml | 2 +- .../posh_pm_susp_reset_computermachinepassword.yml | 2 +- .../powershell_script/posh_ps_add_dnsclient_rule.yml | 2 +- .../posh_ps_create_volume_shadow_copy.yml | 2 +- .../posh_ps_directoryservices_accountmanagement.yml | 2 +- .../posh_ps_disable_windows_optional_feature.yml | 2 +- .../powershell_script/posh_ps_enable_psremoting.yml | 2 +- .../posh_ps_enable_susp_windows_optional_feature.yml | 2 +- .../powershell_script/posh_ps_export_certificate.yml | 2 +- 
.../powershell_script/posh_ps_get_acl_service.yml | 2 +- .../powershell_script/posh_ps_invoke_command_remote.yml | 2 +- .../powershell/powershell_script/posh_ps_localuser.yml | 2 +- .../posh_ps_memorydump_getstoragediagnosticinfo.yml | 2 +- .../powershell/powershell_script/posh_ps_msxml_com.yml | 2 +- .../powershell_script/posh_ps_remote_session_creation.yml | 2 +- .../posh_ps_run_from_mount_diskimage.yml | 2 +- .../posh_ps_script_with_upload_capabilities.yml | 2 +- .../powershell_script/posh_ps_send_mailmessage.yml | 2 +- .../posh_ps_set_policies_to_unsecure_level.yml | 4 ++-- .../posh_ps_susp_get_addefaultdomainpasswordpolicy.yml | 2 +- .../powershell/powershell_script/posh_ps_susp_get_gpo.yml | 2 +- .../powershell_script/posh_ps_susp_get_process.yml | 2 +- .../powershell_script/posh_ps_susp_hyper_v_condlet.yml | 2 +- .../powershell_script/posh_ps_susp_mount_diskimage.yml | 2 +- .../powershell_script/posh_ps_susp_new_psdrive.yml | 2 +- .../powershell_script/posh_ps_susp_start_process.yml | 2 +- .../powershell_script/posh_ps_susp_unblock_file.yml | 2 +- .../posh_ps_tamper_windows_defender_set_mp.yml | 2 +- .../powershell_script/posh_ps_test_netconnection.yml | 2 +- .../posh_ps_windows_firewall_profile_disabled.yml | 2 +- .../proc_access_win_lsass_susp_access_flag.yml | 2 +- .../proc_creation_win_agentexecutor_potential_abuse.yml | 2 +- .../proc_creation_win_agentexecutor_susp_usage.yml | 2 +- .../proc_creation_win_bcdedit_susp_execution.yml | 2 +- .../proc_creation_win_certutil_decode.yml | 2 +- .../proc_creation_win_certutil_download.yml | 2 +- .../proc_creation_win_certutil_download_direct_ip.yml | 2 +- ...reation_win_certutil_download_file_sharing_domains.yml | 2 +- .../proc_creation_win_certutil_encode.yml | 2 +- .../proc_creation_win_chcp_codepage_lookup.yml | 2 +- .../proc_creation_win_chcp_codepage_switch.yml | 2 +- .../process_creation/proc_creation_win_clip_execution.yml | 2 +- ...creation_win_cmd_assoc_tamper_exe_file_association.yml | 2 +- 
.../proc_creation_win_dnscmd_discovery.yml | 4 ++-- .../proc_creation_win_dsacls_abuse_permissions.yml | 2 +- .../proc_creation_win_dsacls_password_spray.yml | 2 +- .../proc_creation_win_dtrace_kernel_dump.yml | 2 +- .../proc_creation_win_fsi_fsharp_code_execution.yml | 2 +- .../proc_creation_win_fsutil_symlinkevaluation.yml | 2 +- .../process_creation/proc_creation_win_fsutil_usage.yml | 2 +- .../proc_creation_win_gpresult_execution.yml | 2 +- .../proc_creation_win_hostname_execution.yml | 2 +- .../proc_creation_win_instalutil_no_log_execution.yml | 2 +- ..._win_lolbin_data_exfiltration_by_using_datasvcutil.yml | 6 +++--- .../process_creation/proc_creation_win_lolbin_mpiexec.yml | 2 +- .../process_creation/proc_creation_win_lolbin_replace.yml | 2 +- .../process_creation/proc_creation_win_lolbin_setres.yml | 2 +- ...eation_win_lolbin_susp_driver_installed_by_pnputil.yml | 2 +- .../proc_creation_win_lolbin_visualuiaverifynative.yml | 2 +- .../process_creation/proc_creation_win_lolbin_wfc.yml | 2 +- .../proc_creation_win_mofcomp_execution.yml | 2 +- .../proc_creation_win_mshta_susp_execution.yml | 2 +- .../proc_creation_win_msiexec_execute_dll.yml | 2 +- .../proc_creation_win_msiexec_install_quiet.yml | 2 +- .../proc_creation_win_mssql_sqlps_susp_execution.yml | 2 +- .../proc_creation_win_mstsc_remote_connection.yml | 2 +- .../proc_creation_win_netsh_fw_enable_group_rule.yml | 2 +- .../process_creation/proc_creation_win_nltest_recon.yml | 2 +- .../proc_creation_win_ntdsutil_susp_usage.yml | 2 +- .../proc_creation_win_powershell_base64_mppreference.yml | 2 +- ...c_creation_win_powershell_defender_disable_feature.yml | 2 +- .../proc_creation_win_powershell_defender_exclusion.yml | 2 +- ...in_powershell_enable_susp_windows_optional_feature.yml | 2 +- .../proc_creation_win_powershell_export_certificate.yml | 2 +- .../proc_creation_win_powershell_iex_patterns.yml | 2 +- ...creation_win_powershell_import_cert_susp_locations.yml | 2 +- 
...n_powershell_service_dacl_modification_set_service.yml | 2 +- ...tion_win_powershell_set_policies_to_unsecure_level.yml | 4 ++-- .../process_creation/proc_creation_win_pua_ngrok.yml | 2 +- .../proc_creation_win_reg_add_run_key.yml | 2 +- ...proc_creation_win_reg_import_from_suspicious_paths.yml | 2 +- .../process_creation/proc_creation_win_regini_ads.yml | 2 +- .../proc_creation_win_regini_execution.yml | 2 +- .../proc_creation_win_registry_new_network_provider.yml | 2 +- .../proc_creation_win_renamed_sysinternals_procdump.yml | 2 +- ...c_creation_win_renamed_sysinternals_psexec_service.yml | 2 +- .../proc_creation_win_renamed_sysinternals_sdelete.yml | 2 +- .../proc_creation_win_rpcping_credential_capture.yml | 2 +- .../proc_creation_win_schtasks_change.yml | 2 +- .../proc_creation_win_schtasks_delete_all.yml | 2 +- .../proc_creation_win_schtasks_schedule_type.yml | 4 ++-- .../proc_creation_win_schtasks_schedule_type_system.yml | 4 ++-- ...ion_win_schtasks_schedule_via_masqueraded_xml_file.yml | 2 +- .../proc_creation_win_schtasks_system.yml | 2 +- .../proc_creation_win_shutdown_execution.yml | 2 +- .../proc_creation_win_shutdown_logoff.yml | 2 +- .../proc_creation_win_susp_16bit_application.yml | 2 +- ..._creation_win_susp_bad_opsec_sacrificial_processes.yml | 8 ++++---- .../proc_creation_win_susp_etw_trace_evasion.yml | 2 +- ...roc_creation_win_susp_ntfs_short_name_path_use_cli.yml | 2 +- ...c_creation_win_susp_ntfs_short_name_path_use_image.yml | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_cli.yml | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_image.yml | 2 +- .../proc_creation_win_susp_use_of_te_bin.yml | 2 +- .../proc_creation_win_susp_use_of_vsjitdebugger_bin.yml | 2 +- ...proc_creation_win_susp_web_request_cmd_and_cmdlets.yml | 2 +- ...ion_win_sysinternals_psexec_paexec_escalate_system.yml | 2 +- ..._creation_win_sysinternals_psexec_remote_execution.yml | 2 +- .../proc_creation_win_sysinternals_psexesvc.yml | 2 +- 
.../proc_creation_win_sysinternals_psexesvc_as_system.yml | 2 +- .../proc_creation_win_sysinternals_psservice.yml | 2 +- ...creation_win_sysinternals_pssuspend_susp_execution.yml | 2 +- ...creation_win_sysinternals_susp_psexec_paexec_flags.yml | 2 +- .../proc_creation_win_sysinternals_tools_masquerading.yml | 2 +- .../proc_creation_win_systeminfo_execution.yml | 2 +- .../proc_creation_win_takeown_recursive_own.yml | 2 +- .../proc_creation_win_whoami_groups_discovery.yml | 2 +- .../proc_creation_win_whoami_priv_discovery.yml | 2 +- ...roc_creation_win_winget_local_install_via_manifest.yml | 2 +- .../proc_creation_win_wmic_recon_process.yml | 2 +- .../proc_creation_win_wmic_recon_service.yml | 2 +- .../proc_creation_win_wmic_recon_volume.yml | 2 +- .../proc_creation_win_wmic_remote_execution.yml | 2 +- .../registry_delete_mstsc_history_cleared.yml | 2 +- ...registry_delete_removal_com_hijacking_registry_key.yml | 6 +++--- .../registry_event_mimikatz_printernightmare.yml | 2 +- .../registry_set/registry_set_aedebug_persistence.yml | 2 +- .../registry_set_asep_reg_keys_modification_classes.yml | 2 +- .../registry_set_asep_reg_keys_modification_common.yml | 2 +- ...y_set_asep_reg_keys_modification_currentcontrolset.yml | 2 +- ...stry_set_asep_reg_keys_modification_currentversion.yml | 2 +- ...y_set_asep_reg_keys_modification_currentversion_nt.yml | 2 +- ...y_set_asep_reg_keys_modification_internet_explorer.yml | 2 +- .../registry_set_asep_reg_keys_modification_office.yml | 2 +- ...try_set_asep_reg_keys_modification_session_manager.yml | 2 +- ...stry_set_asep_reg_keys_modification_system_scripts.yml | 2 +- .../registry_set_asep_reg_keys_modification_winsock2.yml | 2 +- ...egistry_set_asep_reg_keys_modification_wow6432node.yml | 2 +- ...set_asep_reg_keys_modification_wow6432node_classes.yml | 2 +- ...p_reg_keys_modification_wow6432node_currentversion.yml | 2 +- .../registry_set_bypass_uac_using_delegateexecute.yml | 2 +- 
.../registry_set/registry_set_change_security_zones.yml | 2 +- .../registry_set/registry_set_new_network_provider.yml | 2 +- .../registry_set_office_outlook_security_settings.yml | 2 +- .../registry_set/registry_set_persistence_app_paths.yml | 2 +- rules/windows/sysmon/sysmon_config_modification.yml | 2 +- 360 files changed, 424 insertions(+), 424 deletions(-) diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml index 00ea92d48..72daaa379 100644 --- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml @@ -3,7 +3,7 @@ id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb status: test description: Detects remote RPC calls to create or execute a scheduled task via ATSvc references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml index cdcd1b6f1..02bbc17b4 100644 --- a/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml 
@@ -3,7 +3,7 @@ id: f177f2bc-5f3e-4453-b599-57eefce9a59c status: test description: Detects remote RPC calls to read information about scheduled tasks via AtScv references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/zeronetworks/rpcfirewall - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml index 1d7a89568..eacca0630 100644 --- a/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml +++ b/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml @@ -3,7 +3,7 @@ id: 56fda488-113e-4ce9-8076-afc2457922c3 status: test description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks. references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml index 8b26292dc..4fc39008f 100644 --- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml 
+++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml @@ -3,7 +3,7 @@ id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d status: test description: Detects remote RPC calls to create or execute a scheduled task references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml index 9626ffab7..da9c85a62 100644 --- a/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml @@ -3,7 +3,7 @@ id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e status: test description: Detects remote RPC calls to read information about scheduled tasks references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml index 76e0c3276..7421bda60 100644 --- a/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml 
+++ b/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml @@ -4,8 +4,8 @@ status: test description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml index 86bc29fe3..7183cad1b 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml @@ -3,7 +3,7 @@ id: 68050b10-e477-4377-a99b-3721b422d6ef status: test description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI. references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ author: Sagie Dulce, Dekel Paz 
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml index 15d64b9fc..da5006fab 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml @@ -3,7 +3,7 @@ id: 35c55673-84ca-4e99-8d09-e334f3c29539 status: test description: Detects remote RPC calls to modify the registry and possible execute code references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml index 425c59967..2d7593745 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml @@ -3,7 +3,7 @@ id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8 status: test description: Detects remote RPC calls to collect information references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ 
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml index ca31aa4b8..b1d115149 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml @@ -3,7 +3,7 @@ id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7 status: test description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml index f1827b9ce..e08156598 100644 --- a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml 
@@ -3,7 +3,7 @@ id: 10018e73-06ec-46ec-8107-9172f1e04ff2 status: test description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml index de3b96ac0..ce90a2426 100644 --- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml @@ -3,7 +3,7 @@ id: aff229ab-f8cd-447b-b215-084d11e79eb0 status: test description: Detects remote RPC calls to create or execute a scheduled task via SASec references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml index 3bd510f31..a9eb4ff15 100644 --- a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml 
@@ -3,7 +3,7 @@ id: 0a3ff354-93fc-4273-8a03-1078782de5b7 status: test description: Detects remote RPC calls to read information about scheduled tasks via SASec references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml index 38c67a317..075d48fe4 100644 --- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml +++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml @@ -3,7 +3,7 @@ id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5 status: test description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership. references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml index 7db35b856..46dcb6b70 100644 --- a/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml 
+++ b/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml @@ -3,7 +3,7 @@ id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28 status: test description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership. references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md - https://github.com/zeronetworks/rpcfirewall - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ diff --git a/rules/cloud/azure/activity_logs/azure_application_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_deleted.yml index 7ac5228ee..13d25e102 100644 --- a/rules/cloud/azure/activity_logs/azure_application_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_application_deleted.yml @@ -3,7 +3,7 @@ id: 410d2a41-1e6d-452f-85e5-abdd8257a823 status: test description: Identifies when a application is deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy + - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy author: Austin Songer @austinsonger date: 2021/09/03 modified: 2022/10/09 diff --git a/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml index f0ad353c4..be418b360 100644 --- a/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml 
@@ -3,7 +3,7 @@ id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6 status: test description: Identifies when a application gateway is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021/08/16 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml index 0f7d34bc0..a4b509a23 100644 --- a/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: 835747f1-9329-40b5-9cc3-97d465754ce6 status: test description: Identifies when a application security group is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021/08/16 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml index f9c8753ec..34cd7abe5 100644 --- a/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml 
@@ -3,7 +3,7 @@ id: 93e0ef48-37c8-49ed-a02c-038aab23628e status: test description: Detects when a Container Registry is created or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 diff --git a/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml index dd2365036..52becf201 100644 --- a/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml +++ b/rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml @@ -3,7 +3,7 @@ id: 542b9912-c01f-4e3f-89a8-014c48cdca7d status: test description: Identifies when a device in azure is no longer managed or compliant references: - - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory + - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory author: Austin Songer @austinsonger date: 2021/09/03 modified: 2022/10/09 diff --git a/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml index b05239e65..4ffcf901f 100644 --- a/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml 
@@ -3,7 +3,7 @@ id: 46530378-f9db-4af9-a9e5-889c177d3881 status: test description: Identifies when a device or device configuration in azure is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory + - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory author: Austin Songer @austinsonger date: 2021/09/03 modified: 2022/10/09 diff --git a/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml index 5cf9825bb..fcc37df09 100644 --- a/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: af6925b0-8826-47f1-9324-337507a0babd status: test description: Identifies when DNS zone is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes author: Austin Songer @austinsonger date: 2021/08/08 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml index 6a9d98390..bd484ffe4 100644 --- a/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml 
@@ -3,7 +3,7 @@ id: 512cf937-ea9b-4332-939c-4c2c94baadcd status: test description: Identifies when a firewall is created, modified, or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml index d8aed4657..2f1f7eb4e 100644 --- a/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: 025c9fe7-db72-49f9-af0d-31341dd7dd57 status: test description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml index e23b60ee6..c30cf660a 100644 --- a/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml 
@@ -3,7 +3,7 @@ id: 80eeab92-0979-4152-942d-96749e11df40 status: test description: Identifies when a Keyvault Key is modified or deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/16 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml index 9d6b31f4b..0d2a7fc72 100644 --- a/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d status: test description: Identifies when a key vault is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/16 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml index a97b431d7..1024e04c9 100644 --- a/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: b831353c-1971-477b-abb6-2828edc3bca1 status: test description: Identifies when secrets are modified or deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/16 modified: 2022/08/23 
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml index 62467b426..2693117bb 100644 --- a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml @@ -10,7 +10,7 @@ description: | An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes author: Austin Songer @austinsonger date: 2021/11/25 modified: 2022/12/18 diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml index 60f6459f8..e0d9f6880 100644 --- a/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml 
@@ -3,7 +3,7 @@ id: 9541f321-7cba-4b43-80fc-fbd1fb922808 status: test description: Detects when a Azure Kubernetes Cluster is created or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml index b038d3f08..98d46a71d 100644 --- a/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml @@ -6,7 +6,7 @@ description: | Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ - https://kubernetes.io/docs/concepts/workloads/controllers/job/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml index 577db6d43..4b8f5a9ab 100644 
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml @@ -3,7 +3,7 @@ id: 225d8b09-e714-479c-a0e4-55e6f29adf35 status: test description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml author: Austin Songer @austinsonger date: 2021/07/24 diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml index 30525dc4c..969204b08 100644 --- a/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml @@ -3,7 +3,7 @@ id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43 status: test description: Identifies when a Azure Kubernetes network policy is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml index 4b97b1b0f..51dc1ba15 100644 --- a/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml @@ -3,7 +3,7 @@ id: b02f9591-12c3-4965-986a-88028629b2e1 status: test description: Identifies the deletion of Azure Kubernetes Pods. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml author: Austin Songer @austinsonger date: 2021/07/24 diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml index ab21c690d..c6c2d6f0e 100644 --- a/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml @@ -3,7 +3,7 @@ id: 818fee0c-e0ec-4e45-824e-83e4817b0887 status: test description: Identifies when ClusterRoles/Roles are being modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml index 26e5f3a78..14603bdfc 100644 --- a/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 status: test description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml index 104cb0a32..d13ce24c0 100644 --- a/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml 
@@ -3,7 +3,7 @@ id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c status: test description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml index 16c04cc67..31158d909 100644 --- a/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 status: test description: Identifies when a service account is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 diff --git a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml index 378bd6e25..2287dcb59 100644 
--- a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml +++ b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml @@ -3,7 +3,7 @@ id: 7ea78478-a4f9-42a6-9dcd-f861816122bf status: test description: Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms. references: - - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates + - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates author: '@ionsor' date: 2022/02/08 tags: diff --git a/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml index bb51fbb34..f9340d105 100644 --- a/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: 83c17918-746e-4bd9-920b-8e098bf88c23 status: test description: Identifies when a Firewall Policy is Modified or Deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/09/02 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml index e0a1bcb81..72af9a29d 100644 --- a/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml 
@@ -3,7 +3,7 @@ id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 status: test description: Identifies when a Firewall Rule Configuration is Modified or Deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml index f2e353cc3..20895725c 100644 --- a/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: d9557b75-267b-4b43-922f-a775e2d1f792 status: test description: Identifies when a Point-to-site VPN is Modified or Deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml index f256222b5..100be5dd1 100644 --- a/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml 
@@ -3,7 +3,7 @@ id: d22b4df4-5a67-4859-a578-8c9a0b5af9df status: test description: Identifies when a network security configuration is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml index a79c2bef3..41d8c4301 100644 --- a/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml @@ -5,7 +5,7 @@ description: | Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml b/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml index 2895634e5..3f05939c9 100644 --- a/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml +++ b/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml 
@@ -3,7 +3,7 @@ id: 72af37e2-ec32-47dc-992b-bc288a2708cb status: test description: Identifies when a new cloudshell is created inside of Azure portal. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021/09/21 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml index 6dc94f25e..62c8df70e 100644 --- a/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml +++ b/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml @@ -3,7 +3,7 @@ id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 status: test description: Identifies when a owner is was removed from a application or service principal in Azure. references: - - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy + - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy author: Austin Songer @austinsonger date: 2021/09/03 modified: 2022/10/09 diff --git a/rules/cloud/azure/activity_logs/azure_service_principal_created.yml b/rules/cloud/azure/activity_logs/azure_service_principal_created.yml index c0133ca46..559276da9 100644 --- a/rules/cloud/azure/activity_logs/azure_service_principal_created.yml +++ b/rules/cloud/azure/activity_logs/azure_service_principal_created.yml 
@@ -3,7 +3,7 @@ id: 0ddcff6d-d262-40b0-804b-80eb592de8e3 status: test description: Identifies when a service principal is created in Azure. references: - - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy + - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy author: Austin Songer @austinsonger date: 2021/09/02 modified: 2022/10/09 diff --git a/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml b/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml index 9fb6f81f0..f7e74e449 100644 --- a/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml +++ b/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml @@ -3,7 +3,7 @@ id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 status: test description: Identifies when a service principal was removed in Azure. references: - - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy + - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy author: Austin Songer @austinsonger date: 2021/09/03 modified: 2022/10/09 diff --git a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml index 3ec76e2dd..6e22ea319 100644 --- a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml +++ b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml 
@@ -6,7 +6,7 @@ description: | This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization author: Austin Songer @austinsonger date: 2021/11/26 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml b/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml index 437a5ef5b..6b2327868 100644 --- a/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml +++ b/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml @@ -3,7 +3,7 @@ id: 92cc3e5d-eb57-419d-8c16-5c63f325a401 status: test description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021/08/16 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml index fd8667d23..ecc062e15 100644 --- a/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml 
@@ -3,7 +3,7 @@ id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f status: test description: Identifies when a Virtual Network is modified or deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 modified: 2022/08/23 diff --git a/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml index 9022ff228..635724033 100644 --- a/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml +++ b/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml @@ -3,7 +3,7 @@ id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3 status: test description: Identifies when a VPN connection is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 modified: 2022/08/23 diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml index 404b48e3b..3e51384d7 100644 --- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml +++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml 
@@ -3,7 +3,7 @@ id: 26e7c5e2-6545-481e-b7e6-050143459635 status: test description: Monitor and alert on conditional access changes where non approved actor removed CA Policy. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access author: Corissa Koopmans, '@corissalea' date: 2022/07/19 tags: diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml index b93410d79..7abe79baa 100644 --- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml +++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml @@ -3,7 +3,7 @@ id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc status: test description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access author: Corissa Koopmans, '@corissalea' date: 2022/07/19 modified: 2024/05/28 diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml index e6a374399..dda18e6ce 100644 --- a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml +++ b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml 
@@ -3,7 +3,7 @@ id: 0922467f-db53-4348-b7bf-dee8d0d348c6 status: test description: Monitor and alert on conditional access changes. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure author: Corissa Koopmans, '@corissalea' date: 2022/07/18 tags: diff --git a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml index 91bc6265f..c4fc2281a 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml @@ -3,7 +3,7 @@ id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf status: test description: Detects when an account was created and deleted in a short period of time. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton date: 2022/08/11 modified: 2022/08/18 diff --git a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml index 79aa10833..33a2a6516 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml 
@@ -3,7 +3,7 @@ id: a0413867-daf3-43dd-9245-734b3a787942 status: test description: Monitor and alert for Bitlocker key retrieval. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval author: Michael Epping, '@mepples21' date: 2022/06/28 tags: diff --git a/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml b/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml index dac899544..1c179fb9b 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml @@ -3,7 +3,7 @@ id: 9494bff8-959f-4440-bbce-fb87a208d517 status: test description: Monitor and alert for changes to the device registration policy. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy author: Michael Epping, '@mepples21' date: 2022/06/28 tags: diff --git a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml index e85511411..caf50500b 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml 
@@ -3,7 +3,7 @@ id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865 status: test description: Detects guest users being invited to tenant by non-approved inviters references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins author: MikeDuddington, '@dudders1' date: 2022/07/28 tags: diff --git a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml index b44ceb6b4..ed7877ba3 100644 --- a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml +++ b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml @@ -3,7 +3,7 @@ id: 11c767ae-500b-423b-bae3-b234450736ed status: test description: Monitor and alert for users added to device admin roles. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles author: Michael Epping, '@mepples21' date: 2022/06/28 tags: diff --git a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml index fd9df909a..ee212875e 100644 --- a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml +++ b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml 
@@ -3,7 +3,7 @@ id: 1b45b0d1-773f-4f23-aedc-814b759563b1 status: test description: Detects when a configuration change is made to an applications AppID URI. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/02 tags: diff --git a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml index e2d3803a9..cbbc388db 100644 --- a/rules/cloud/azure/audit_logs/azure_app_credential_added.yml +++ b/rules/cloud/azure/audit_logs/azure_app_credential_added.yml @@ -3,7 +3,7 @@ id: cbb67ecc-fb70-4467-9350-c910bdf7c628 status: test description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/05/26 tags: diff --git a/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml b/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml index 6b522d977..dce9b89e0 100644 --- a/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml +++ b/rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml 
@@ -3,7 +3,7 @@ id: a6355fbe-f36f-45d8-8efc-ab42465cbc52 status: test description: Detects when highly privileged delegated permissions are granted on behalf of all users references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022/07/28 tags: diff --git a/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml b/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml index 0311a2453..1a9ec243f 100644 --- a/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml +++ b/rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml @@ -3,7 +3,7 @@ id: 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a status: test description: Detects when an end user consents to an application references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022/07/28 tags: diff --git a/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml b/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml index 37439a1a7..667f6ef72 100644 --- a/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml +++ b/rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml 
@@ -3,7 +3,7 @@ id: 7091372f-623c-4293-bc37-20c32b3492be status: test description: Detects when end user consent is blocked due to risk-based consent. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022/07/10 tags: diff --git a/rules/cloud/azure/audit_logs/azure_app_owner_added.yml b/rules/cloud/azure/audit_logs/azure_app_owner_added.yml index 3b29d899f..a02e56192 100644 --- a/rules/cloud/azure/audit_logs/azure_app_owner_added.yml +++ b/rules/cloud/azure/audit_logs/azure_app_owner_added.yml @@ -3,7 +3,7 @@ id: 74298991-9fc4-460e-a92e-511aa60baec1 status: test description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/02 tags: diff --git a/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml b/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml index 31f70985f..f6522e405 100644 --- a/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml +++ b/rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml 
@@ -3,7 +3,7 @@ id: c1d147ae-a951-48e5-8b41-dcd0170c7213 status: test description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022/07/10 tags: diff --git a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml index 18ad0b8b3..c58eae3b7 100644 --- a/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml +++ b/rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml @@ -6,7 +6,7 @@ related: status: test description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022/07/28 modified: 2023/03/29 diff --git a/rules/cloud/azure/audit_logs/azure_app_role_added.yml b/rules/cloud/azure/audit_logs/azure_app_role_added.yml index 322583a2d..6cf587b1e 100644 --- a/rules/cloud/azure/audit_logs/azure_app_role_added.yml +++ b/rules/cloud/azure/audit_logs/azure_app_role_added.yml 
@@ -3,7 +3,7 @@ id: b04934b2-0a68-4845-8a19-bdfed3a68a7a status: test description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022/07/19 tags: diff --git a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml index cdae8aa64..957d11f6d 100644 --- a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml +++ b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml @@ -5,7 +5,7 @@ description: | Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/02 tags: diff --git a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml index 046bc2956..ede8166bd 100644 --- a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml +++ b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml 
@@ -3,7 +3,7 @@ id: 4d78a000-ab52-4564-88a5-7ab5242b20c7 status: test description: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021/10/10 modified: 2022/12/25 diff --git a/rules/cloud/azure/audit_logs/azure_federation_modified.yml b/rules/cloud/azure/audit_logs/azure_federation_modified.yml index 8ff1cf259..65b7e669e 100644 --- a/rules/cloud/azure/audit_logs/azure_federation_modified.yml +++ b/rules/cloud/azure/audit_logs/azure_federation_modified.yml @@ -3,7 +3,7 @@ id: 352a54e1-74ba-4929-9d47-8193d67aba1e status: test description: Identifies when an user or application modified the federation settings on the domain. references: - - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes + - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes author: Austin Songer date: 2021/09/06 modified: 2022/06/08 diff --git a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml index fcf939136..398b77784 100644 --- a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml +++ b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml 
@@ -3,7 +3,7 @@ id: 91c95675-1f27-46d0-bead-d1ae96b97cd3 status: test description: Monitor and alert on group membership additions of groups that have CA policy modification access references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' date: 2022/08/04 tags: diff --git a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml index 434085ec9..5b610b73b 100644 --- a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml +++ b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml @@ -3,7 +3,7 @@ id: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c status: test description: Monitor and alert on group membership removal of groups that have CA policy modification access references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' date: 2022/08/04 tags: diff --git a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml index 5999f29f4..e6dc35bc1 100644 --- a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml +++ b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml 
@@ -3,7 +3,7 @@ id: 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9 status: test description: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022/08/10 tags: diff --git a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml index e42458ac4..dc5561d70 100644 --- a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml +++ b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml @@ -3,7 +3,7 @@ id: 8dee7a0d-43fd-4b3c-8cd1-605e189d195e status: test description: Detects the change of user type from "Guest" to "Member" for potential elevation of privilege. references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins author: MikeDuddington, '@dudders1' date: 2022/06/30 tags: diff --git a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml index e0cb9afc9..790dbae1c 100644 --- a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml +++ b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml 
@@ -3,7 +3,7 @@ id: 039a7469-0296-4450-84c0-f6966b16dc6d status: test description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022/08/09 tags: diff --git a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml index bcd081d77..8803800ae 100644 --- a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml +++ b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml @@ -3,7 +3,7 @@ id: aeaef14c-e5bf-4690-a9c8-835caad458bd status: test description: Detects when PIM alerts are set to disabled. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022/08/09 tags: diff --git a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml index c5ef56275..0c70fec2b 100644 --- a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml +++ b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml 
@@ -3,7 +3,7 @@ id: db6c06c4-bf3b-421c-aa88-15672b88c743 status: test description: Detects when changes are made to PIM roles references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022/08/09 tags: diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml index 780beedfb..45826985c 100644 --- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml +++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml @@ -3,7 +3,7 @@ id: 49a268a4-72f4-4e38-8a7b-885be690c5b5 status: test description: Detects when a user is added to a privileged role. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022/08/06 tags: diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml index 8665f1ebc..9e01f26d0 100644 --- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml +++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml 
@@ -3,7 +3,7 @@ id: 102e11e3-2db5-4c9e-bc26-357d42585d21 status: test description: Detects when a user is removed from a privileged role. Bulk changes should be investigated. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022/08/05 tags: diff --git a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml index 7dae3cfd0..e216fc0d1 100644 --- a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml +++ b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml @@ -3,7 +3,7 @@ id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947 status: test description: Detects when a new admin is created. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton date: 2022/08/11 modified: 2022/08/16 diff --git a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml index d8cb0ec13..2b89508d9 100644 --- a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml +++ b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml 
@@ -6,7 +6,7 @@ description: | This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation author: Austin Songer @austinsonger date: 2021/11/26 modified: 2022/12/25 diff --git a/rules/cloud/azure/audit_logs/azure_tap_added.yml b/rules/cloud/azure/audit_logs/azure_tap_added.yml index 726f36e60..a2c1c700e 100644 --- a/rules/cloud/azure/audit_logs/azure_tap_added.yml +++ b/rules/cloud/azure/audit_logs/azure_tap_added.yml @@ -3,7 +3,7 @@ id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce status: test description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' date: 2022/08/10 tags: diff --git a/rules/cloud/azure/audit_logs/azure_user_password_change.yml b/rules/cloud/azure/audit_logs/azure_user_password_change.yml index 650434073..48e9c96e6 100644 --- a/rules/cloud/azure/audit_logs/azure_user_password_change.yml +++ b/rules/cloud/azure/audit_logs/azure_user_password_change.yml 
@@ -3,7 +3,7 @@ id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa status: test description: Detect when a user has reset their password in Azure AD references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: YochanaHenderson, '@Yochana-H' date: 2022/08/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml index 2b0bd1316..b5e041b58 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml @@ -3,8 +3,8 @@ id: 6555754e-5e7f-4a67-ad1c-4041c413a007 status: test description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow' date: 2023/08/07 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml index f083499b8..8cc25c641 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml 
@@ -3,8 +3,8 @@ id: 258b6593-215d-4a26-a141-c8e31c1299a6 status: test description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml index b2a370d87..a8749edfb 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml @@ -3,8 +3,8 @@ id: be4d9c86-d702-4030-b52e-c7859110e5e8 status: test description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: 
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml index 5d6097fd6..556bdc52c 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml @@ -4,7 +4,7 @@ status: test description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN. references: - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0 - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address author: Gloria Lee, '@gleeiamglo' date: 2023/08/22 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml index 493635128..2c01f60d9 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml 
@@ -3,8 +3,8 @@ id: 1a41023f-1e70-4026-921a-4d9341a9038e status: test description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml index 4f9cce108..31eec3df3 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml 
@@ -3,8 +3,8 @@ id: b2572bf9-e20a-4594-b528-40bde666525a status: test description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml index ef61496db..7fb671c20 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml 
@@ -3,8 +3,8 @@ id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d status: test description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml index 08b7cd01f..d2e8b849d 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml @@ -3,8 +3,8 @@ id: ceb55fd0-726e-4656-bf4e-b585b7f7d572 status: test description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: 
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml index 2ad407202..34aa974f3 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml @@ -3,8 +3,8 @@ id: 19128e5e-4743-48dc-bd97-52e5775af817 status: test description: Indicates that the user's valid credentials have been leaked. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml index 11b942592..0671ebad0 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml 
@@ -3,8 +3,8 @@ id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd status: experimental description: Indicates sign-in from a malicious IP address based on high failure rates. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/07 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml index 961202f93..3d88c48bc 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml @@ -3,8 +3,8 @@ id: 36440e1c-5c22-467a-889b-593e66498472 status: experimental description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/07 tags: 
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml index 8b2e301b4..29c83729a 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml @@ -3,8 +3,8 @@ id: 821b4dc3-1295-41e7-b157-39ab212dd6bd status: test description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml index 3563ce2b9..d2739ae66 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml 
@@ -3,8 +3,8 @@ id: adf9f4d2-559e-4f5c-95be-c28dff0b1476 status: test description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml index 50f1ab346..dd01d4ffe 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml @@ -3,8 +3,8 @@ id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9 status: test description: Indicates that a password spray attack has been successfully performed. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: 
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml index c2c1dbdb7..e01a8b58a 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml @@ -3,8 +3,8 @@ id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1 status: experimental description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/07 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml index 66ee18819..1e437ccb6 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml 
@@ -3,8 +3,8 @@ id: 944f6adb-7a99-4c69-80c1-b712579e93e6 status: test description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml index c094c3138..21098ec74 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml 
@@ -3,9 +3,9 @@ id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba status: experimental description: Indicates user activity that is unusual for the user or consistent with known attack patterns. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/07 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml index 3d1a71ead..a1a713143 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml 
@@ -3,8 +3,8 @@ id: e3393cba-31f0-4207-831e-aef90ab17a8c status: test description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml index 654579875..dc27a4774 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml 
@@ -3,8 +3,8 @@ id: 128faeef-79dd-44ca-b43c-a9e236a60f49 status: test description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins. references: - - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties - - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/03 tags: diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml index f544b80e6..ff0e17841 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml @@ -3,7 +3,7 @@ id: e402c26a-267a-45bd-9615-bd9ceda6da85 status: experimental description: Identifies when an account hasn't signed in during the past n number of days. references: - - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role + - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/14 tags: 
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml index 240624f6e..3ce88cdde 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml @@ -3,7 +3,7 @@ id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8 status: experimental description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance. references: - - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance + - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/14 tags: diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml index c36f8d16f..b84736347 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml 
@@ -3,7 +3,7 @@ id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb status: experimental description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack. references: - - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management + - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/14 tags: diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml index 279cae7f0..ffe091cd2 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml @@ -3,7 +3,7 @@ id: 645fd80d-6c07-435b-9e06-7bc1b5656cba status: experimental description: Identifies when the same privilege role has multiple activations by the same user. references: - - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently + - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/14 tags: diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml index 3a0208402..897ce1ede 100644 
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml @@ -3,7 +3,7 @@ id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0 status: experimental description: Identifies when a privilege role can be activated without performing mfa. references: - - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation + - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/14 tags: diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml index cc1cd00d1..fec0c1bbf 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml @@ -3,7 +3,7 @@ id: 8c6ec464-4ae4-43ac-936a-291da66ed13d status: experimental description: Identifies when a user has been assigned a privilege role and are not using that role. references: - - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles + - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/14 tags: 
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml index dd24c9ab2..0ffaf1db9 100644 --- a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml +++ b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml @@ -3,7 +3,7 @@ id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3 status: experimental description: Identifies an event where there are there are too many accounts assigned the Global Administrator role. references: - - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators + - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' date: 2023/09/14 tags: diff --git a/rules/cloud/azure/signin_logs/azure_account_lockout.yml b/rules/cloud/azure/signin_logs/azure_account_lockout.yml index 05b4393d7..d5b0cda9b 100644 --- a/rules/cloud/azure/signin_logs/azure_account_lockout.yml +++ b/rules/cloud/azure/signin_logs/azure_account_lockout.yml @@ -3,7 +3,7 @@ id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a status: test description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021/10/10 modified: 2022/12/25 diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml index e239a5655..1ea9bb1fa 100644 
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml @@ -3,7 +3,7 @@ id: e1d02b53-c03c-4948-b11d-4d00cca49d03 status: test description: Detects when sign-ins increased by 10% or greater. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' date: 2022/08/11 tags: diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml index 3c4751ae4..22453a187 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml @@ -3,7 +3,7 @@ id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae status: test description: Detects when successful sign-ins increased by 10% or greater. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton date: 2022/08/11 modified: 2022/08/18 diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml index 4f4495d31..7988b73e2 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml 
@@ -3,7 +3,7 @@ id: f272fb46-25f2-422c-b667-45837994980f status: test description: Detect when authentications to important application(s) only required single-factor authentication references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts author: MikeDuddington, '@dudders1' date: 2022/07/28 tags: diff --git a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml index 9aa985a10..7cfc4496e 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml @@ -3,7 +3,7 @@ id: 8c944ecb-6970-4541-8496-be554b8e2846 status: test description: Detect successful authentications from countries you do not operate out of. references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts author: MikeDuddington, '@dudders1' date: 2022/07/28 tags: diff --git a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml index 51f92e935..23b4c37e7 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml 
@@ -3,7 +3,7 @@ id: 5afa454e-030c-4ab4-9253-a90aa7fcc581 status: test description: Monitor and alert for device registration or join events where MFA was not performed. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy author: Michael Epping, '@mepples21' date: 2022/06/28 tags: diff --git a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml index 8dc43efa0..50e3c2939 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml @@ -3,7 +3,7 @@ id: 28870ae4-6a13-4616-bd1a-235a7fad7458 status: test description: Detect failed authentications from countries you do not operate out of. references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts author: MikeDuddington, '@dudders1' date: 2022/07/28 tags: diff --git a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml index a9673c1ec..94f1d0dcc 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml 
@@ -3,7 +3,7 @@ id: 28eea407-28d7-4e42-b0be-575d5ba60b2c status: test description: Detect when users are authenticating without MFA being required. references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts author: MikeDuddington, '@dudders1' date: 2022/07/27 tags: diff --git a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml index dee8102de..c388974fe 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml @@ -3,7 +3,7 @@ id: 572b12d4-9062-11ed-a1eb-0242ac120002 status: test description: Detects risky authencaition from a non AD registered device without MFA being required. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in author: Harjot Singh, '@cyb3rjy0t' date: 2023/01/10 tags: diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml index a140f82c6..a1ae251b7 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml 
@@ -3,7 +3,7 @@ id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284 status: test description: Monitor and alert for sign-ins where the device was non-compliant. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in author: Michael Epping, '@mepples21' date: 2022/06/28 tags: diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml index ea0ad71d9..661bbf4ae 100644 --- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml +++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml @@ -3,7 +3,7 @@ id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c status: test description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in author: Michael Epping, '@mepples21' date: 2022/06/28 modified: 2022/10/05 diff --git a/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml b/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml index 8e02b76f0..b8bbb76d5 100644 --- a/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml +++ b/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml 
@@ -6,7 +6,7 @@ description: | If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/01 tags: diff --git a/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml b/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml index ea7a08a26..46fb9933b 100644 --- a/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml +++ b/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml @@ -5,7 +5,7 @@ description: | Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/01 tags: diff --git a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml index abdeae62c..938403747 100644 --- a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml +++ b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml 
@@ -3,7 +3,7 @@ id: 4afac85c-224a-4dd7-b1af-8da40e1c60bd status: test description: Detects when an account is disabled or blocked for sign in but tried to log in references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts author: Yochana Henderson, '@Yochana-H' date: 2022/06/17 tags: diff --git a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml index 7836b8f1c..bbe017c08 100644 --- a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml +++ b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml @@ -3,7 +3,7 @@ id: b4a6d707-9430-4f5f-af68-0337f52d5c42 status: test description: Define a baseline threshold for failed sign-ins due to Conditional Access failures references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts author: Yochana Henderson, '@Yochana-H' date: 2022/06/01 tags: diff --git a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml index 735d47762..d0b1d6fb4 100644 --- a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml +++ b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml 
@@ -3,7 +3,7 @@ id: 60f6535a-760f-42a9-be3f-c9a0a025906e status: test description: Alert on when legacy authentication has been used on an account references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts author: Yochana Henderson, '@Yochana-H' date: 2022/06/17 tags: diff --git a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml index 360dd6745..d62152f5f 100644 --- a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml +++ b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml @@ -3,7 +3,7 @@ id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8 status: test description: Detect failed attempts to sign in to disabled accounts. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021/10/10 modified: 2022/12/25 diff --git a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml index e6b395aed..ddd625324 100644 --- a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml +++ b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml @@ -3,7 +3,7 @@ id: 5496ff55-42ec-4369-81cb-00f417029e25 status: test description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021/10/10 modified: 2022/12/18 
diff --git a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml index 5043451b2..fe9f718b3 100644 --- a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml +++ b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml @@ -3,7 +3,7 @@ id: 8366030e-7216-476b-9927-271d79f13cf3 status: test description: Detects when there is a interruption in the authentication process. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: Austin Songer @austinsonger date: 2021/11/26 modified: 2022/12/18 diff --git a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml index 059d1abe3..234607a01 100644 --- a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml +++ b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml @@ -5,7 +5,7 @@ description: | Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts. references: - - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts + - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts author: AlertIQ date: 2021/10/10 modified: 2022/12/25 diff --git a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml index 8dcb1141d..33b337adf 100644 --- a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml 
+++ b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml @@ -3,7 +3,7 @@ id: 5f521e4b-0105-4b72-845b-2198a54487b9 status: test description: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants. references: - - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins + - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins author: MikeDuddington, '@dudders1' date: 2022/06/30 tags: diff --git a/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml b/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml index 343b5466d..f9a91c0a6 100644 --- a/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml +++ b/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml @@ -5,8 +5,8 @@ description: | Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021/08/23 modified: 2022/10/09 diff --git a/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml index 70d11dba8..af6c28ab0 100644 --- a/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml 
+++ b/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml @@ -5,8 +5,8 @@ description: | Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021/08/23 modified: 2022/10/09 diff --git a/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml index 029f859f8..5cbd3069e 100644 --- a/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml +++ b/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -3,8 +3,8 @@ id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 status: test description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021/08/23 modified: 2022/10/09 
diff --git a/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml index 01002c7b6..5a624c423 100644 --- a/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml +++ b/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml @@ -3,8 +3,8 @@ id: 0f2468a2-5055-4212-a368-7321198ee706 status: test description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021/08/23 modified: 2022/10/09 diff --git a/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml index 9453776be..ea2877869 100644 --- a/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml +++ b/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml 
@@ -3,8 +3,8 @@ id: 2b669496-d215-47d8-bd9a-f4a45bf07cda status: test description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021/08/23 modified: 2022/10/09 diff --git a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml index 14b3c7700..53b51031a 100644 --- a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml +++ b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml @@ -3,8 +3,8 @@ id: d7eab125-5f94-43df-8710-795b80fa1189 status: test description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2020/07/06 modified: 2021/11/27 diff --git a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml index 2ba14c9d4..a875b60a9 100644 
--- a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml +++ b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml @@ -3,8 +3,8 @@ id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f status: test description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021/08/23 modified: 2022/10/09 diff --git a/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml index 6ca1f523b..822e7ccca 100644 --- a/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml +++ b/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml @@ -3,8 +3,8 @@ id: bd132164-884a-48f1-aa2d-c6d646b04c69 status: test description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: austinsonger date: 2021/08/19 modified: 2022/10/09 diff --git a/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml b/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml index f7f74a5dd..135ab5432 100644 
--- a/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml +++ b/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml @@ -3,8 +3,8 @@ id: 6c220477-0b5b-4b25-bb90-66183b4089e8 status: test description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021/08/22 modified: 2022/10/09 diff --git a/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml b/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml index d6dc40733..a5e1d9fca 100644 --- a/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml +++ b/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml @@ -3,8 +3,8 @@ id: ee111937-1fe7-40f0-962a-0eb44d57d174 status: test description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: Austin Songer @austinsonger date: 2021/08/23 modified: 2022/10/09 
diff --git a/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml index ff0b26d54..49f97ef05 100644 --- a/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml +++ b/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml @@ -3,8 +3,8 @@ id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd status: test description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: austinsonger date: 2021/08/19 modified: 2022/10/09 diff --git a/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml index 218f9d3e2..7620ba619 100644 --- a/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml +++ b/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml 
@@ -3,8 +3,8 @@ id: ff246f56-7f24-402a-baca-b86540e3925c status: test description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email. references: - - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy - - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference + - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy + - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference author: austinsonger date: 2021/08/19 modified: 2022/10/09 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml index cf0ec3e19..a7353a4ff 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml @@ -3,7 +3,7 @@ id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4 status: test description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system. references: - - https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor + - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor author: '@d4ns4n_ (Wuerth-Phoenix)' date: 2023/05/30 tags: diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index 1f7862a81..4a188b5e9 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml 
@@ -8,7 +8,7 @@ description: | Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy. references: - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 - https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 - https://github.com/corelight/CVE-2021-1675 diff --git a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml index f93896d04..b6b20076a 100644 --- a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml +++ b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml @@ -4,7 +4,7 @@ status: test description: Detects potential abuse of ntdsutil to dump ntds.dit database references: - https://twitter.com/mgreen27/status/1558223256704122882 - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/14 tags: diff --git a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml index b1d5215ff..d7e97fa05 100644 --- a/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml 
+++ b/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml @@ -4,7 +4,7 @@ status: test description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location references: - https://twitter.com/mgreen27/status/1558223256704122882 - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/14 modified: 2023/10/23 diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml index 929402112..36ee0eb3c 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml @@ -4,8 +4,8 @@ status: test description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server references: - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ - - https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 - - https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 + - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16 + - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/13 tags: 
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml index d1aa64be6..5e9b1a24e 100644 --- a/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml +++ b/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml @@ -4,7 +4,7 @@ status: test description: Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started references: - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ - - https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 + - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/13 tags: diff --git a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml index 1b67129f8..3cd264830 100644 --- a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml +++ b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml 
@@ -3,8 +3,8 @@ id: 401e5d00-b944-11ea-8f9a-00163ecd60ae status: test description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events. references: - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker - https://nxlog.co/documentation/nxlog-user-guide/applocker.html author: Pushkarev Dmitry date: 2020/06/28 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index 04bcfc6ac..0c178bde0 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml 
@@ -7,8 +7,8 @@ description: | references: - https://twitter.com/SBousseaden/status/1483810148602814466 - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022/01/20 modified: 2023/11/15 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml index 752880df3..8b489aeed 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml 
@@ -3,8 +3,8 @@ id: 5daf11c3-022b-4969-adb9-365e6c078c7c status: test description: Detects block events for files that are disallowed by code integrity for protected processes references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/06 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml index 48028ce32..88f5cd847 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml 
@@ -5,7 +5,7 @@ description: Detects blocked load events that did not meet the authenticode sign references: - https://twitter.com/wdormann/status/1590434950335320065 - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations author: Nasreddine Bencherchali (Nextron Systems) date: 2022/11/10 modified: 2023/06/07 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml index 78c6a8308..263a77487 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml 
@@ -3,8 +3,8 @@ id: 9b72b82d-f1c5-4632-b589-187159bc6ec1 status: test description: Detects blocked load attempts of revoked drivers references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/06 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml index 77b42a69c..5857197ab 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml 
@@ -3,8 +3,8 @@ id: 320fccbf-5e32-4101-82b8-2679c5f007c6 status: test description: Detects the load of a revoked kernel driver references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/06 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml index d415b043a..fa131873f 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml 
@@ -3,8 +3,8 @@ id: 6f156c48-3894-4952-baf0-16193e9067d2 status: test description: Detects blocked image load events with revoked certificates by code integrity. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/06 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml index 3ea655c28..168ce438b 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml 
@@ -3,8 +3,8 @@ id: 881b7725-47cc-4055-8000-425823344c59 status: test description: Detects image load events with revoked certificates by code integrity. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/06 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml index e72df2458..cfde6fdbd 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml 
@@ -3,8 +3,8 @@ id: 951f8d29-f2f6-48a7-859f-0673ff105e6f status: test description: Detects the presence of a loaded unsigned kernel module on the system. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/06 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml index 748cc057e..801071076 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml 
@@ -3,8 +3,8 @@ id: c92c24e7-f595-493f-9c98-53d5142f5c18 status: test description: Detects loaded unsigned image on the system references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/06 diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml index 80b2445fd..1ff2d7fbd 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml 
@@ -3,8 +3,8 @@ id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f status: test description: Detects loaded kernel modules that did not meet the WHQL signing requirements. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations - - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/06 diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml index b26093cb8..287e59bcc 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml @@ -3,7 +3,7 @@ id: cde0a575-7d3d-4a49-9817-b8004a7bf105 status: experimental description: Detects when a rule has been added to the Windows Firewall exception list references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 modified: 2024/05/10 diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml index c724c1035..35c316fe7 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml 
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml @@ -6,7 +6,7 @@ related: status: experimental description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location. references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/# author: frack113 date: 2023/02/26 diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml index 3b3076445..1974b5ec6 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml @@ -3,7 +3,7 @@ id: 79609c82-a488-426e-abcf-9f341a39365d status: experimental description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/01/17 modified: 2024/01/22 diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml index 36d2a7c48..38278e2d2 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml 
@@ -3,7 +3,7 @@ id: c187c075-bb3e-4c62-b4fa-beae0ffc211f status: test description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 modified: 2023/06/12 diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml index b4993af05..3735d8bae 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml @@ -3,7 +3,7 @@ id: 7ec15688-fd24-4177-ba43-1a950537ee39 status: test description: Detects activity when The Windows Defender Firewall service failed to load Group Policy references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 modified: 2023/01/17 diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml index 16dd0de90..0893e06cb 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml 
@@ -3,7 +3,7 @@ id: 04b60639-39c0-412a-9fbe-e82499c881a3 status: test description: Detects activity when Windows Defender Firewall has been reset to its default configuration references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 modified: 2023/04/21 diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml index 63749b921..3b1f60be7 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml @@ -3,7 +3,7 @@ id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064 status: test description: Detects activity when the settings of the Windows firewall have been changed references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2022/02/19 modified: 2023/04/21 diff --git a/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml index 32ecf00b5..3c7fabeee 100644 --- a/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml +++ b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml 
@@ -5,7 +5,7 @@ description: Detects scenarios where an attacker enables the OpenSSH server and references: - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH - https://winaero.com/enable-openssh-server-windows-10/ - - https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse + - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: mdecrevoisier diff --git a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml index 4753eb85d..fa7e68301 100644 --- a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml +++ b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml @@ -3,7 +3,7 @@ id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 status: test description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 author: NVISO date: 2020/05/06 modified: 2024/03/11 diff --git a/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml b/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml index b874721de..e8a492702 100644 --- a/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml 
+++ b/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml @@ -25,7 +25,7 @@ detection: - '89e95b76-444d-4c62-991a-0facbeda640c' filter: - SubjectUserName|endswith: '$' - - SubjectUserName|startswith: 'MSOL_' # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account + - SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account condition: selection and not filter fields: - ComputerName diff --git a/rules/windows/builtin/security/win_security_ad_user_enumeration.yml b/rules/windows/builtin/security/win_security_ad_user_enumeration.yml index 6acc7f42e..02d0d51d1 100644 --- a/rules/windows/builtin/security/win_security_ad_user_enumeration.yml +++ b/rules/windows/builtin/security/win_security_ad_user_enumeration.yml @@ -5,8 +5,8 @@ description: Detects read access to a domain user from a non-machine account references: - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html - - https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 + - https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662 author: Maxime Thiebaut (@0xThiebaut) date: 2020/03/30 modified: 2022/11/08 
@@ -21,7 +21,7 @@ detection: selection: EventID: 4662 # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}" - # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user) + # The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user) ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2' AccessMask|endswith: # Note: Since the Access Mask can have more than once permission we need to add all permutations that include the READ property @@ -36,7 +36,7 @@ detection: filter_main_machine_accounts: SubjectUserName|endswith: '$' # Exclude machine accounts filter_main_msql: - SubjectUserName|startswith: 'MSOL_' # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account + SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account condition: selection and not 1 of filter_main_* falsepositives: - Administrators configuring new users. diff --git a/rules/windows/builtin/security/win_security_add_remove_computer.yml b/rules/windows/builtin/security/win_security_add_remove_computer.yml index 82ba374c5..26021daf2 100644 --- a/rules/windows/builtin/security/win_security_add_remove_computer.yml +++ b/rules/windows/builtin/security/win_security_add_remove_computer.yml 
@@ -4,8 +4,8 @@ status: test description: Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN. references: - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741 - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 author: frack113 date: 2022/10/14 tags: diff --git a/rules/windows/builtin/security/win_security_admin_share_access.yml b/rules/windows/builtin/security/win_security_admin_share_access.yml index d2f98537e..43c6b024a 100644 --- a/rules/windows/builtin/security/win_security_admin_share_access.yml +++ b/rules/windows/builtin/security/win_security_admin_share_access.yml @@ -3,7 +3,7 @@ id: 098d7118-55bc-4912-a836-dc6483a8d150 status: test description: Detects access to ADMIN$ network share references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140 author: Florian Roth (Nextron Systems) date: 2017/03/04 modified: 2024/01/16 diff --git a/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml index e216adf8b..98a8035d9 100644 --- a/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml +++ b/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml 
@@ -18,8 +18,8 @@ logsource: detection: selection: EventID: 4738 - # According to Microsoft, the bit values are listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 - # However, that seems to be a simple copy from https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties + # According to Microsoft, the bit values are listed here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4720 + # However, that seems to be a simple copy from https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties # and the actual flags that are used are quite different and, unfortunately, not documented. # https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract # the following values. diff --git a/rules/windows/builtin/security/win_security_alert_ruler.yml b/rules/windows/builtin/security/win_security_alert_ruler.yml index 162633027..3565ff5a1 100644 --- a/rules/windows/builtin/security/win_security_alert_ruler.yml +++ b/rules/windows/builtin/security/win_security_alert_ruler.yml 
@@ -6,8 +6,8 @@ references: - https://github.com/sensepost/ruler - https://github.com/sensepost/ruler/issues/47 - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427 - - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 author: Florian Roth (Nextron Systems) date: 2017/05/31 modified: 2022/10/09 diff --git a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml index 8203b0b35..8149598ef 100644 --- a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml +++ b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml @@ -4,8 +4,8 @@ status: stable description: | Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038 - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 author: Thomas Patzke date: 2019/12/03 modified: 2023/12/13 diff --git a/rules/windows/builtin/security/win_security_dcsync.yml b/rules/windows/builtin/security/win_security_dcsync.yml index c67258ffe..cffb472ea 100644 
--- a/rules/windows/builtin/security/win_security_dcsync.yml +++ b/rules/windows/builtin/security/win_security_dcsync.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/gentilkiwi/status/1003236624925413376 - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r - - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662 author: Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu date: 2018/06/03 modified: 2022/04/26 diff --git a/rules/windows/builtin/security/win_security_device_installation_blocked.yml b/rules/windows/builtin/security/win_security_device_installation_blocked.yml index bf766e49d..67132d91b 100644 --- a/rules/windows/builtin/security/win_security_device_installation_blocked.yml +++ b/rules/windows/builtin/security/win_security_device_installation_blocked.yml @@ -4,7 +4,7 @@ status: test description: Detects an installation of a device that is forbidden by the system policy references: - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 author: frack113 date: 2022/10/14 tags: diff --git a/rules/windows/builtin/security/win_security_external_device.yml b/rules/windows/builtin/security/win_security_external_device.yml index 09a622cef..efb26ace0 100644 --- a/rules/windows/builtin/security/win_security_external_device.yml +++ b/rules/windows/builtin/security/win_security_external_device.yml 
@@ -3,7 +3,7 @@ id: f69a87ea-955e-4fb4-adb2-bb9fd6685632 status: test description: Detects external disk drives or plugged-in USB devices. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416 author: Keith Wright date: 2019/11/20 modified: 2024/02/09 diff --git a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml index e34601b31..637684bca 100644 --- a/rules/windows/builtin/security/win_security_password_policy_enumerated.yml +++ b/rules/windows/builtin/security/win_security_password_policy_enumerated.yml @@ -3,7 +3,7 @@ id: 12ba6a38-adb3-4d6b-91ba-a7fb248e3199 status: test description: Detects when the password policy is enumerated. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661 - https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951 author: Zach Mathis date: 2023/05/19 diff --git a/rules/windows/builtin/security/win_security_replay_attack_detected.yml b/rules/windows/builtin/security/win_security_replay_attack_detected.yml index 57779715a..47d992d63 100644 --- a/rules/windows/builtin/security/win_security_replay_attack_detected.yml +++ b/rules/windows/builtin/security/win_security_replay_attack_detected.yml 
@@ -4,7 +4,7 @@ status: test description: Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client references: - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 author: frack113 date: 2022/10/14 tags: diff --git a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml index 41fb8d1ea..089b5483d 100644 --- a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml +++ b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml @@ -3,7 +3,7 @@ id: 0255a820-e564-4e40-af2b-6ac61160335c status: stable description: Addition of domains is seldom and should be verified for legitimacy. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 author: Thomas Patzke date: 2019/12/03 modified: 2024/01/16 diff --git a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml index 872449525..db443a598 100644 --- a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml +++ b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml 
@@ -3,7 +3,7 @@ id: 9eb99343-d336-4020-a3cd-67f3819e68ee status: test description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. references: - - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 - https://twitter.com/SBousseaden/status/1101431884540710913 author: Florian Roth (Nextron Systems) date: 2017/02/19 diff --git a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml index 5ef3041be..b82c1100f 100644 --- a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml +++ b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml @@ -3,7 +3,7 @@ id: f7644214-0eb0-4ace-9455-331ec4c09253 status: test description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 author: Florian Roth (Nextron Systems) date: 2017/02/10 modified: 2024/01/16 diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml index 24b77520d..74a1d121b 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml 
@@ -3,7 +3,7 @@ id: 3a734d25-df5c-4b99-8034-af1ddb5883a4 status: test description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/05 modified: 2022/12/07 diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml index c66270a5b..ef2b27416 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml @@ -10,8 +10,8 @@ related: status: test description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/05 modified: 2023/03/13 diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml index 38b7b994b..f4bfb19da 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml 
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml @@ -6,7 +6,7 @@ related: status: test description: Detects update to a scheduled task event that contain suspicious keywords. references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/05 tags: diff --git a/rules/windows/builtin/security/win_security_susp_sdelete.yml b/rules/windows/builtin/security/win_security_susp_sdelete.yml index 43c69b955..59e7648d9 100644 --- a/rules/windows/builtin/security/win_security_susp_sdelete.yml +++ b/rules/windows/builtin/security/win_security_susp_sdelete.yml @@ -5,7 +5,7 @@ description: Detects renaming of file while deletion with SDelete tool. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - - https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete + - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete author: Thomas Patzke date: 2017/06/14 modified: 2021/11/27 diff --git a/rules/windows/builtin/security/win_security_susp_time_modification.yml b/rules/windows/builtin/security/win_security_susp_time_modification.yml index 9d7532de1..aad7c7ab9 100644 --- a/rules/windows/builtin/security/win_security_susp_time_modification.yml +++ b/rules/windows/builtin/security/win_security_susp_time_modification.yml 
@@ -5,7 +5,7 @@ description: Detect scenarios where a potentially unauthorized application or us references: - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well) - Live environment caused by malware - - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 author: '@neu5ron' date: 2019/02/05 modified: 2022/08/03 diff --git a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml index 7fabb7bad..b0a7a7c6e 100644 --- a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml +++ b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml @@ -3,7 +3,7 @@ id: c265cf08-3f99-46c1-8d59-328247057d57 status: stable description: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity references: - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers author: Florian Roth (Nextron Systems) date: 2017/03/14 diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml index a4454f537..b1ccd3829 100644 --- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml +++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml 
@@ -9,7 +9,7 @@ description: | This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff. references: - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ - - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 modified: 2023/01/20 diff --git a/rules/windows/builtin/security/win_security_user_logoff.yml b/rules/windows/builtin/security/win_security_user_logoff.yml index e85b1cd04..26b2506d5 100644 --- a/rules/windows/builtin/security/win_security_user_logoff.yml +++ b/rules/windows/builtin/security/win_security_user_logoff.yml @@ -4,8 +4,8 @@ status: test description: Detects a user log-off activity. Could be used for example to correlate information during forensic investigations references: - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634 - - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634 + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 author: frack113 date: 2022/10/14 tags: diff --git a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml index be8f14ee4..0e17660f4 100644 
--- a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml @@ -6,7 +6,7 @@ related: status: stable description: Detects the "Windows Defender Threat Protection" service has been disabled references: - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Ján Trenčanský, frack113 date: 2020/07/28 diff --git a/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml b/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml index 06a399e1c..75f040b48 100644 --- a/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml +++ b/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml @@ -7,7 +7,7 @@ status: stable description: | Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled. references: - - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ author: Ján Trenčanský, frack113 
diff --git a/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml b/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml index 9a05796d7..9db77659a 100644 --- a/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml +++ b/rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml @@ -3,7 +3,7 @@ id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98 status: test description: Detects Access to LSASS Process references: - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter + - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction author: Markus Neis date: 2018/08/26 modified: 2022/08/13 diff --git a/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml b/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml index f63f18cbe..756198932 100644 --- a/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml +++ b/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml @@ -3,7 +3,7 @@ id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003 status: test description: Detects blocking of process creations originating from PSExec and WMI commands references: - - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands + - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands - https://twitter.com/duff22b/status/1280166329660497920 author: Bhabesh Raj date: 2020/07/14 diff --git a/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml b/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml index dde129ef0..fddc68abb 100644 
--- a/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml +++ b/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml @@ -10,7 +10,7 @@ related: status: stable description: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender. references: - - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/06 diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml index bb7981c01..1898d9823 100644 --- a/rules/windows/builtin/windefend/win_defender_history_delete.yml +++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml @@ -3,7 +3,7 @@ id: 2afe6582-e149-11ea-87d0-0242ac130003 status: test description: Windows Defender logs when the history of detected infections is deleted. references: - - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus - https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e author: Cian Heasley date: 2020/08/13 diff --git a/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml b/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml index 5b4e0c10e..b73bb5b51 100644 
--- a/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml +++ b/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml @@ -6,7 +6,7 @@ related: status: stable description: Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software references: - - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ author: Ján Trenčanský, frack113 diff --git a/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml b/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml index 1c18c99c1..2d3a914e8 100644 --- a/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml +++ b/rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml @@ -3,7 +3,7 @@ id: ea9bf0fa-edec-4fb8-8b78-b119f2528186 status: stable description: Detects triggering of AMSI by Windows Defender. references: - - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps + - https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps author: Bhabesh Raj date: 2020/09/14 modified: 2022/12/07 diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml index 48f8ee330..ac37b13c7 100644 --- a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml +++ b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml 
@@ -7,7 +7,7 @@ status: stable description: | Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a "medium" level if this occurs too many times in your environment references: - - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ author: Ján Trenčanský, frack113 diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml index d9a3b4e1f..bae44cbf7 100644 --- a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml +++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml @@ -3,7 +3,7 @@ id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b status: test description: Detects the restoration of files from the defender quarantine references: - - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/06 tags: diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 874a59e7c..4dbb69a59 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml 
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -10,7 +10,7 @@ related: status: stable description: Detects suspicious changes to the Windows Defender configuration references: - - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/06 diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml index 887b9ac52..bde332ed9 100644 --- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml @@ -4,7 +4,7 @@ status: stable description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring" references: - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection - - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide author: Bhabesh Raj, Nasreddine Bencherchali date: 2021/07/05 modified: 2022/12/06 diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml index ef569b349..9740f112d 100644 --- a/rules/windows/builtin/windefend/win_defender_threat.yml +++ b/rules/windows/builtin/windefend/win_defender_threat.yml 
@@ -3,7 +3,7 @@ id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 status: stable description: Detects actions taken by Windows Defender malware detection engines references: - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus author: Ján Trenčanský date: 2020/07/28 tags: diff --git a/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml b/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml index 6be250a41..30ddbabaa 100644 --- a/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml +++ b/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml @@ -6,7 +6,7 @@ related: status: stable description: Detects disabling of the Windows Defender virus scanning feature references: - - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 + - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ author: Ján Trenčanský, frack113 diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml index fe533f366..ab68814cf 100644 --- a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml 
@@ -7,7 +7,7 @@ status: test description: Detects the creation of a new office macro files on the systems references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference + - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference author: Nasreddine Bencherchali (Nextron Systems) date: 2022/01/23 tags: diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml index 1282361ec..6cbe5139c 100644 --- a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml @@ -7,7 +7,7 @@ status: test description: Detects the creation of a new office macro files on the systems via an application (browser, mail client). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference + - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference author: Nasreddine Bencherchali (Nextron Systems) date: 2022/01/23 modified: 2023/04/18 diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml index f0095b1d8..9012ab806 100644 --- a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml 
@@ -4,7 +4,7 @@ status: test description: Detects the creation of a office macro file from a a suspicious process references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference + - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2022/01/23 modified: 2023/02/22 diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml index 580481f12..ad2d7b391 100644 --- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml +++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml @@ -6,7 +6,7 @@ related: status: test description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence references: - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/24 modified: 2023/01/06 diff --git a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml index bf9f49625..2ca18ef36 100644 --- a/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml +++ b/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml 
@@ -5,7 +5,7 @@ description: Detects loading of "credui.dll" and related DLLs by an uncommon pro references: - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password - - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa + - https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa - https://github.com/S12cybersecurity/RDPCredentialStealer author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/20 diff --git a/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml b/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml index e5c21e9fb..d547f1666 100644 --- a/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml +++ b/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml @@ -9,7 +9,7 @@ description: | Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. references: - - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump + - https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 author: Perez Diego (@darkquassar), oscd.community, Ecco 
diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index ed9c37e9e..8327bffa0 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -5,7 +5,7 @@ description: Detects signs of potential use of the WSMAN provider from uncommon references: - https://twitter.com/chadtilbury/status/1275851297770610688 - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/ - - https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture + - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture - https://github.com/bohops/WSMan-WinRM author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/24 diff --git a/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml index 9723144eb..92f2fed0d 100644 --- a/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml +++ b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml @@ -5,7 +5,7 @@ description: | Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil author: frack113, Florian Roth (Nextron Systems) date: 2022/09/02 modified: 2024/05/31 diff --git a/rules/windows/network_connection/net_connection_win_msiexec_http.yml b/rules/windows/network_connection/net_connection_win_msiexec_http.yml index db7f471c6..8df6c6a27 100644 
--- a/rules/windows/network_connection/net_connection_win_msiexec_http.yml +++ b/rules/windows/network_connection/net_connection_win_msiexec_http.yml @@ -5,7 +5,7 @@ description: | Detects an initiated network connection by "Msiexec.exe" over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md author: frack113 date: 2022/01/16 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml index ca545b76a..ae4146ecd 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml @@ -5,7 +5,7 @@ description: | The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer. references: - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ author: frack113 date: 2022/02/21 diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index 2c8971122..2cb5b6a8c 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -6,7 +6,7 @@ description: | This will bypass the default DNS server and uses a specified server for answering the query. references: - https://twitter.com/NathanMcNulty/status/1569497348841287681 - - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps author: Borna Talebi date: 2021/09/14 modified: 2022/10/09 diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml index 6b7f3eb24..a80a8b0c4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml @@ -4,7 +4,7 @@ status: test description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information references: - https://attack.mitre.org/datasources/DS0005/ - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 author: frack113 date: 2022/01/12 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml index 24b20ed0b..a3b95a5ed 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml @@ -6,7 +6,7 @@ description: | Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell - - https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0 + - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 author: frack113 date: 2021/12/28 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml index d85c0d3a5..bac28693f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml @@ -6,7 +6,7 @@ description: | Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images references: - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md - - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps author: frack113 date: 2022/09/10 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml index dec7d5bd8..69582d08a 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml @@ -4,7 +4,7 @@ status: test description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 author: frack113 date: 2022/01/07 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml index 1dccc7e51..96cd0f46c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml @@ -8,7 +8,7 @@ description: | Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images references: - - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system - https://learn.microsoft.com/en-us/windows/wsl/install-on-server author: frack113 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml b/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml index 08979b077..b2c88e84a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml @@ -7,7 +7,7 @@ status: test description: Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a - - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate + - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html author: Florian Roth (Nextron Systems) date: 2021/04/23 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml index 3a916a384..59cfec877 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml @@ -7,7 +7,7 @@ description: | Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 author: frack113 date: 2021/12/30 tags: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml index 3a90a9f5b..9171a83ae 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml @@ -4,7 +4,7 @@ status: test description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4 author: frack113 date: 2022/01/07 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml index 37bfea051..e5a1937eb 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml @@ -6,7 +6,7 @@ description: | Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 author: frack113 date: 2021/12/28 tags: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml index eb61b9663..171986681 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml @@ -3,7 +3,7 @@ id: cd185561-4760-45d6-a63e-a51325112cae status: test description: Detects usage of a PowerShell command to dump the live memory of a Windows machine references: - - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo + - https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps author: Max Altgelt (Nextron Systems) date: 2021/09/21 modified: 2022/12/25 diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml index 59b86df07..dada94543 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml @@ -7,7 +7,7 @@ description: | Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt - - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) + - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html author: frack113, MatilJ date: 2022/01/19 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml index 6e30760c7..65dba8860 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml @@ -6,7 +6,7 @@ description: | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 author: frack113 date: 2022/01/06 modified: 2023/01/02 diff --git a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml index 70cf84c6c..7a8af323c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml 
@@ -4,7 +4,7 @@ status: test description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso - - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps author: frack113 date: 2022/02/01 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml index 398800494..f12cb087b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml @@ -5,7 +5,7 @@ description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdle references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4 author: frack113 date: 2022/01/07 modified: 2023/05/04 diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml index cd33d2386..6ae6b02f8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml 
@@ -6,7 +6,7 @@ description: | The data may also be sent to an alternate network location from the main command and control server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4 - https://www.ietf.org/rfc/rfc2821.txt author: frack113 date: 2022/09/26 diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index 178c4d022..2334290a1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -10,8 +10,8 @@ related: status: test description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet. references: - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 - https://adsecurity.org/?p=2604 author: frack113 date: 2021/10/20 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml index 8b2014ff8..a20c53e92 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml @@ -4,7 +4,7 @@ status: test description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy - - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy + - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps author: frack113 date: 2022/03/17 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml index b1f39ee76..8d4366eff 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml @@ -4,7 +4,7 @@ status: test description: Detect use of Get-GPO to get one GPO or all the GPOs in a domain. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md - - https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps author: frack113 date: 2022/06/04 tags: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml index 429bfab9a..e2eade20f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml @@ -4,7 +4,7 @@ status: test description: Get the processes that are running on the local computer. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 author: frack113 date: 2022/03/17 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml index 19b123f9b..61aaac7d1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml @@ -3,7 +3,7 @@ id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd status: test description: Adversaries may carry out malicious operations using a virtual instance to avoid detection references: - - https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v + - https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine author: frack113 date: 2022/04/09 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml index 3ce1fb491..4d88e77e0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml @@ -4,7 +4,7 @@ status: test description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image - - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps author: frack113 date: 2022/02/01 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml index 67f3fd5e7..91fddbbdd 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml @@ -4,7 +4,7 @@ status: test description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 author: frack113 date: 2022/08/13 tags: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml index 599488cb1..260250722 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml @@ -4,7 +4,7 @@ status: test description: Powershell use PassThru option to start in background references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 author: frack113 date: 2022/01/15 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml index 16d28fecf..245a48799 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml @@ -4,7 +4,7 @@ status: test description: Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 author: frack113 date: 2022/02/01 tags: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml index f6f8e6cdc..5e897c204 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml @@ -7,7 +7,7 @@ status: experimental description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://bidouillesecurity.com/disable-windows-defender-in-powershell/ author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) date: 2022/01/16 diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml index 56ccb1a25..cf9b793c3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml 
@@ -6,7 +6,7 @@ description: | For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell - - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps author: frack113 date: 2022/01/23 tags: diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml index 5b56c82bb..54adcf55c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml @@ -6,7 +6,7 @@ related: status: test description: Detects when a user disables the Windows Firewall via a Profile to help evade defense. references: - - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps + - https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell - http://powershellhelp.space/commands/set-netfirewallrule-psv5.php - http://woshub.com/manage-windows-firewall-powershell/ diff --git a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml index 979c02d93..ca8f74c15 100644 --- a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml 
+++ b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml @@ -6,7 +6,7 @@ related: status: experimental description: Detects process access requests to LSASS process with potentially suspicious access flags references: - - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights + - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml index 3d424306a..be7d766e3 100644 --- a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml @@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/ - - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension + - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension - https://twitter.com/jseerden/status/1247985304667066373/photo/1 date: 2022/12/24 tags: diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml index 2ee4d6d4d..de4ae19b5 100644 --- a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml 
+++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml @@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/ - - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension + - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension - https://twitter.com/jseerden/status/1247985304667066373/photo/1 date: 2022/12/24 tags: diff --git a/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml index 070910ed1..5b03cb593 100644 --- a/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml @@ -3,7 +3,7 @@ id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429 status: test description: Detects potential malicious and unauthorized usage of bcdedit.exe references: - - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set + - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2 author: '@neu5ron' date: 2019/02/07 diff --git a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml index 221206546..17e40b7b6 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml 
@@ -3,7 +3,7 @@ id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7 status: test description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ - https://twitter.com/JohnLaTwC/status/835149808817991680 diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download.yml b/rules/windows/process_creation/proc_creation_win_certutil_download.yml index 31733b23b..b008ba1fd 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_download.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download.yml @@ -6,7 +6,7 @@ related: status: test description: Detects the execution of certutil with certain flags that allow the utility to download files. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ - https://twitter.com/egre55/status/1087685529016193025 diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml index 774d0a966..1ad97531b 100644 
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml @@ -8,7 +8,7 @@ related: status: test description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ - https://twitter.com/egre55/status/1087685529016193025 diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml index 854e18c7e..40be7869b 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml @@ -8,7 +8,7 @@ related: status: experimental description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ - https://twitter.com/egre55/status/1087685529016193025 
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml index 153a71d70..2b523b575 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml @@ -3,7 +3,7 @@ id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml index d4dbdccba..b86bf5de7 100644 --- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml @@ -4,7 +4,7 @@ status: experimental description: Detects use of chcp to look up the system locale value as part of host discovery references: - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp author: _pete_0, TheDFIRReport date: 2022/02/21 modified: 2024/03/05 
diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml index cdb33efdb..8e9c36622 100644 --- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml +++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml @@ -3,7 +3,7 @@ id: c7942406-33dd-4377-a564-0f62db0593a3 status: test description: Detects a code page switch in command line or batch scripts to a rare language references: - - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers + - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers - https://twitter.com/cglyer/status/1183756892952248325 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community date: 2019/10/14 diff --git a/rules/windows/process_creation/proc_creation_win_clip_execution.yml b/rules/windows/process_creation/proc_creation_win_clip_execution.yml index 74accce3a..9c5faf419 100644 --- a/rules/windows/process_creation/proc_creation_win_clip_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_clip_execution.yml @@ -3,7 +3,7 @@ id: ddeff553-5233-4ae9-bbab-d64d2bd634be status: test description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md author: frack113 date: 2021/07/27 
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml index b8a74a55f..09b8c38ac 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml @@ -8,7 +8,7 @@ description: | Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/28 modified: 2023/03/06 diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml index b31f55077..dde5693d0 100644 --- a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml 
@@ -3,8 +3,8 @@ id: b6457d63-d2a2-4e29-859d-4e7affc153d1 status: test description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd - - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd + - https://learn.microsoft.com/en-us/azure/dns/dns-zones-records - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ author: '@gott_cyber' date: 2022/07/31 diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml index ef6c783f5..47e1ec620 100644 --- a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml +++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml @@ -4,7 +4,7 @@ status: test description: Detects usage of Dsacls to grant over permissive permissions references: - https://ss64.com/nt/dsacls.html - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/20 modified: 2023/02/04 diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml index 48323ecba..e9bdca041 100644 --- a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml +++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml 
@@ -5,7 +5,7 @@ description: Detects possible password spraying attempts using Dsacls references: - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone - https://ss64.com/nt/dsacls.html - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/20 modified: 2023/02/04 diff --git a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml index c5f6118b2..283c11675 100644 --- a/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml +++ b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml @@ -4,7 +4,7 @@ status: test description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1 references: - https://twitter.com/0gtweet/status/1474899714290208777?s=12 - - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace + - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace author: Florian Roth (Nextron Systems) date: 2021/12/28 tags: diff --git a/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml b/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml index 417f2e98f..98d753ae9 100644 --- a/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml 
@@ -5,7 +5,7 @@ description: | Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline. references: - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/ diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml index dd1bd8a91..93e8d66c3 100644 --- a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml +++ b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml @@ -6,7 +6,7 @@ description: | This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt references: - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware - - https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior + - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior author: frack113 date: 2022/03/02 modified: 2023/01/19 diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml index 80a23bb47..46f442071 100644 --- a/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml 
@@ -5,7 +5,7 @@ description: | Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md diff --git a/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml b/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml index fcd62dfd0..3f702123b 100644 --- a/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml @@ -4,7 +4,7 @@ status: test description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/ - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf author: frack113 diff --git a/rules/windows/process_creation/proc_creation_win_hostname_execution.yml b/rules/windows/process_creation/proc_creation_win_hostname_execution.yml index c93b44289..182a60390 100644 
--- a/rules/windows/process_creation/proc_creation_win_hostname_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hostname_execution.yml @@ -4,7 +4,7 @@ status: test description: Use of hostname to get information references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname author: frack113 date: 2022/01/01 tags: diff --git a/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml b/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml index 5cdea7b06..29e4c231a 100644 --- a/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml @@ -4,7 +4,7 @@ status: test description: Uses the .NET InstallUtil.exe application in order to execute image without log references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool + - https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool author: frack113 date: 2022/01/23 modified: 2022/02/04 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml index 1f516ee4a..8866f67c7 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml 
@@ -4,9 +4,9 @@ status: test description: Detects when a user performs data exfiltration by using DataSvcUtil.exe references: - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6 - - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe - - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services - - https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services + - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe + - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services + - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services - https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/ author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger date: 2021/09/30 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml index 17a60ad9c..ca48e6aca 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml @@ -4,7 +4,7 @@ status: test description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary references: - https://twitter.com/mrd0x/status/1465058133303246867 - - https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps + - https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps author: Florian Roth (Nextron Systems) date: 2022/01/11 modified: 2022/03/04 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml index 5382fd776..3f9015e79 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml @@ -4,7 +4,7 @@ status: test description: Detects the use of Replace.exe which can be used to replace file with another file references: - https://lolbas-project.github.io/lolbas/Binaries/Replace/ - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace author: frack113 date: 2022/03/06 modified: 2024/03/13 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index 3138b7cd4..b9461288e 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Setres/ - https://twitter.com/0gtweet/status/1583356502340870144 - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) author: '@gott_cyber' date: 2022/12/11 tags: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml index 070ac963b..257866ce3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml 
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml @@ -3,7 +3,7 @@ id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1 status: test description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin references: - - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax + - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger date: 2021/09/30 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml b/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml index ff38d9d46..966d6a89c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml @@ -4,7 +4,7 @@ status: test description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/ - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml index 1cee5bd75..2332ab8ee 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml @@ -4,7 +4,7 @@ status: test description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/ - - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' date: 2022/06/01 tags: diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml index 9864893d9..70f44c091 100644 --- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml @@ -8,7 +8,7 @@ description: | references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml - - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp + - https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/12 modified: 2023/04/11 diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml index fae60156f..c2f33a804 100644 
--- a/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml @@ -5,7 +5,7 @@ description: Detection for mshta.exe suspicious execution patterns sometimes inv references: - http://blog.sevagas.com/?Hacking-around-HTA-files - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356 - - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script + - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997 - https://twitter.com/mattifestation/status/1326228491302563846 author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 99e4439af..fe957298f 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml @@ -5,7 +5,7 @@ description: | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md - https://twitter.com/_st0pp3r_/status/1583914515996897281 author: frack113 
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml index 7137fd175..66abbe28c 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml @@ -5,7 +5,7 @@ description: | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md - https://twitter.com/_st0pp3r_/status/1583914244344799235 author: frack113 diff --git a/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml index 6c8c49a0e..00e841f28 100644 --- a/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml 
@@ -5,7 +5,7 @@ description: | This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 + - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ - https://twitter.com/bryon_/status/975835709587075072 author: 'Agro (@agro_sev) oscd.community' diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml index 2de2a3b16..a8d9af11a 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml @@ -6,7 +6,7 @@ description: | Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc author: frack113 date: 2022/01/07 modified: 2024/06/04 diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml index ea754893b..9efa732a7 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml 
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml @@ -4,7 +4,7 @@ status: test description: Adversaries may modify system firewalls in order to bypass controls limiting network usage references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall - - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior + - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior author: frack113 date: 2022/01/09 modified: 2023/02/14 diff --git a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml index 638262eb6..8a1677b39 100644 --- a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml @@ -10,7 +10,7 @@ related: status: test description: Detects nltest commands that can be used for information discovery references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) - https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters diff --git a/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml index c7dd0aa6a..0424f9743 100644 --- a/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml 
@@ -6,7 +6,7 @@ related: status: test description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc. references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11) - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/14 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml index 01cbda778..443d39e73 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml @@ -3,7 +3,7 @@ id: c6fb44c6-71f5-49e6-9462-1425d328aee3 status: test description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV references: - - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus + - https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://twitter.com/AdamTheAnalyst/status/1483497517119590403 author: Florian Roth (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml index c8bc76643..929f71457 100644 
--- a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml @@ -3,7 +3,7 @@ id: 1ec65a5f-9473-4f12-97da-622044d6df21 status: test description: Detects requests to disable Microsoft Defender features using PowerShell commands references: - - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files author: Florian Roth (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml index ff574a5ea..e7f7aa037 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml @@ -6,7 +6,7 @@ related: status: test description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets references: - - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus + - https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://twitter.com/AdamTheAnalyst/status/1483497517119590403 author: Florian Roth (Nextron Systems) 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml index efaf862a3..e76ea4027 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml @@ -8,7 +8,7 @@ description: | Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images references: - - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system - https://learn.microsoft.com/en-us/windows/wsl/install-on-server author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml index 9f158a8ba..3a4500a1e 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml 
@@ -7,7 +7,7 @@ status: test description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a - - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate + - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/18 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml index f1c6c560c..cd10df947 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml @@ -3,7 +3,7 @@ id: 09576804-7a05-458e-a817-eb718ca91f54 status: test description: Detects suspicious ways to run Invoke-Execution using IEX alias references: - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022/03/24 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml index 402733ae5..c817650d7 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml @@ -4,7 +4,7 @@ status: test description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ - - https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps + - https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/09 modified: 2023/01/16 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml index f88447855..e27730d65 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml @@ -7,7 +7,7 @@ status: test description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable references: - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings + - https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings author: Nasreddine Bencherchali (Nextron Systems) date: 2022/10/18 tags: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml index 06897c562..6feca9f49 100644 
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml @@ -10,8 +10,8 @@ related: status: test description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag. references: - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4 - https://adsecurity.org/?p=2604 - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ author: frack113 diff --git a/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml b/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml index 1f26b339e..0f5ec4408 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml @@ -48,5 +48,5 @@ detection: condition: 1 of selection* falsepositives: - Another tool that uses the command line switches of Ngrok - - Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0) + - Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0) level: high diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml index cfc7d3217..633554ee7 100644 
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml @@ -4,7 +4,7 @@ status: test description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry references: - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/ - - https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys + - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys author: Florian Roth (Nextron Systems) date: 2021/06/28 modified: 2023/01/30 diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml index d0e7c7917..d344c053e 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml @@ -6,7 +6,7 @@ related: status: test description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import author: frack113, Nasreddine Bencherchali date: 2022/08/01 modified: 2023/02/05 diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml index a7e3579bd..ab6d822d9 100644 --- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml +++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml 
@@ -8,7 +8,7 @@ description: Detects the import of an alternate data stream with regini.exe, reg references: - https://lolbas-project.github.io/lolbas/Binaries/Regini/ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini author: Eli Salem, Sander Wiebing, oscd.community date: 2020/10/12 modified: 2023/02/08 diff --git a/rules/windows/process_creation/proc_creation_win_regini_execution.yml b/rules/windows/process_creation/proc_creation_win_regini_execution.yml index 1a58c575a..26f46d98f 100644 --- a/rules/windows/process_creation/proc_creation_win_regini_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_regini_execution.yml @@ -8,7 +8,7 @@ description: Detects the execution of regini.exe which can be used to modify reg references: - https://lolbas-project.github.io/lolbas/Binaries/Regini/ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini author: Eli Salem, Sander Wiebing, oscd.community date: 2020/10/08 modified: 2023/02/08 diff --git a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml index 9f3ffc22d..8de386c8e 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml 
@@ -6,7 +6,7 @@ related: status: test description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it references: - - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade + - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/23 diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml index e18ae6c6c..d7e4d8961 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml @@ -8,7 +8,7 @@ description: | Detects the execution of a renamed ProcDump executable. This often done by attackers or malware in order to evade defensive mechanisms. references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump + - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2019/11/18 modified: 2024/06/25 diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml index 1e0d3ea02..e81403524 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml 
@@ -3,7 +3,7 @@ id: 51ae86a2-e2e1-4097-ad85-c46cb6851de4 status: test description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec + - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.youtube.com/watch?v=ro2QuZTIMBM author: Florian Roth (Nextron Systems) date: 2022/07/21 diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml index ff78489fa..2b0f5e0e7 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml @@ -3,7 +3,7 @@ id: c1d867fe-8d95-4487-aab4-e53f2d339f90 status: test description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete + - https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md author: Florian Roth (Nextron Systems) date: 2022/09/06 diff --git a/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml b/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml index e08ccad30..d3b3c1f28 100644 --- a/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml +++ b/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml 
@@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/ - https://twitter.com/vysecurity/status/974806438316072960 - https://twitter.com/vysecurity/status/873181705024266241 - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) author: Julia Fomina, oscd.community date: 2020/10/09 modified: 2024/03/13 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml index 12714c27b..23f810200 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_change.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml @@ -10,7 +10,7 @@ description: | Instead they modify the task after creation to include their malicious payload references: - Internal Research - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/28 modified: 2022/11/18 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml index 25533c8ef..c26cf5645 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml 
@@ -3,7 +3,7 @@ id: 220457c1-1c9f-4c2e-afe6-9598926222c1 status: test description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/09 tags: diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml index 604057346..8f54cd529 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml @@ -6,8 +6,8 @@ related: status: test description: Detects scheduled task creations or modification on a suspicious schedule type references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/09 diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml index 393d19e45..628579ef5 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml 
@@ -6,8 +6,8 @@ related: status: test description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/31 tags: diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml index 5efda8a85..2a7737600 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml @@ -3,7 +3,7 @@ id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c status: test description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence references: - - https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- + - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml author: Swachchhanda Shrawan Poudel, Elastic (idea) date: 2023/04/20 
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml index 9e7d9d330..a40a2ee44 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges references: - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/28 modified: 2023/10/11 diff --git a/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml b/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml index 11ff764fb..585142013 100644 --- a/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml @@ -4,7 +4,7 @@ status: test description: Use of the commandline to shutdown or reboot windows references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown author: frack113 date: 2022/01/01 tags: diff --git a/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml b/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml index e694e3742..b9aa501c7 100644 --- a/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml +++ b/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml 
@@ -4,7 +4,7 @@ status: test description: Detects the rare use of the command line tool shutdown to logoff a user references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown author: frack113 date: 2022/10/01 tags: diff --git a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml index 64e2aaf3a..5dc67e471 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml @@ -3,7 +3,7 @@ id: 16905e21-66ee-42fe-b256-1318ada2d770 status: test description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications references: - - https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support + - https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support - https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7 - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/ - https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/ diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 07a9efd11..1cea50926 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -12,10 +12,10 @@ references: - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ - https://www.cobaltstrike.com/help-opsec - https://twitter.com/CyberRaiju/status/1251492025678983169 - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 - - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool - - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 + - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool + - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 modified: 2023/12/02 diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml index 1249e5a1e..ef9f41237 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml 
@@ -3,7 +3,7 @@ id: a238b5d0-ce2d-4414-a676-7a531b3d13d6 status: test description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil - https://abuse.io/lockergoga.txt - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community' diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml index de26e2a30..28f7b3558 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml @@ -7,7 +7,7 @@ status: test description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) - https://twitter.com/frack113/status/1555830623633375232 author: frack113, Nasreddine Bencherchali date: 2022/08/07 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml index dbb56975c..8300c093c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml @@ -7,7 +7,7 @@ status: test description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) - https://twitter.com/frack113/status/1555830623633375232 author: frack113, Nasreddine Bencherchali date: 2022/08/07 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml index 445bc32d4..4643eadc1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml @@ -7,7 +7,7 @@ status: test description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) - https://twitter.com/jonasLyk/status/1555914501802921984 author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2022/08/05 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml index 2256975f8..ac150106f 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml @@ -7,7 +7,7 @@ status: test description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) - https://twitter.com/jonasLyk/status/1555914501802921984 author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2022/08/06 diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml index 406f171fa..acd96a790 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml @@ -7,7 +7,7 @@ description: | references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/ - https://twitter.com/pabraeken/status/993298228840992768 - - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/ + - https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/ author: 'Agro (@agro_sev) oscd.community' date: 2020/10/13 modified: 2021/11/27 diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml index e6984b67c..ca8667658 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml 
@@ -8,7 +8,7 @@ description: | references: - https://twitter.com/pabraeken/status/990758590020452353 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/ - - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 + - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community date: 2020/10/14 modified: 2022/10/09 diff --git a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml index 9a0c0846a..125912e9b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml @@ -12,7 +12,7 @@ description: Detects the use of various web request commands with commandline to references: - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell - - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps + - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger date: 2019/10/24 modified: 2023/01/10 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml index 2b45fd3d7..42776d610 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml 
@@ -6,7 +6,7 @@ related: status: test description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec + - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml index abb352311..43742e69a 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml @@ -3,7 +3,7 @@ id: ea011323-7045-460b-b2d7-0f7442ea6b38 status: test description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec + - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml index bd75ae192..c76f471df 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml 
@@ -6,7 +6,7 @@ related: status: test description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec + - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.youtube.com/watch?v=ro2QuZTIMBM author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems) date: 2017/06/12 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml index 5ed1f05f3..b00da4ce2 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml @@ -6,7 +6,7 @@ related: status: test description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account) references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec + - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec author: Florian Roth (Nextron Systems) date: 2022/07/21 modified: 2023/02/28 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml index 6ab71e628..8a6778afc 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml 
@@ -3,7 +3,7 @@ id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f status: test description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice + - https://learn.microsoft.com/en-us/sysinternals/downloads/psservice author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/16 modified: 2023/02/24 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml index 3d72c6b43..76ef6c2dc 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml @@ -6,7 +6,7 @@ related: status: test description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend + - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend - https://twitter.com/0gtweet/status/1638069413717975046 author: Nasreddine Bencherchali (Nextron Systems) date: 2023/03/23 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml index e27722590..20ee3faad 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml 
@@ -6,7 +6,7 @@ related: status: test description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec + - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml index 230dd5864..daa94bb5b 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml @@ -3,7 +3,7 @@ id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9 status: test description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite author: frack113 date: 2021/12/20 modified: 2022/12/08 diff --git a/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml b/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml index 2f78f2621..324555a26 100644 --- a/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml 
@@ -4,7 +4,7 @@ status: test description: Detects usage of the "systeminfo" command to retrieve information references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo author: frack113 date: 2022/01/01 modified: 2022/07/14 diff --git a/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml b/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml index cb766221b..351f2ed5f 100644 --- a/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml +++ b/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml @@ -3,7 +3,7 @@ id: 554601fb-9b71-4bcc-abf4-21a611be4fde status: test description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility author: frack113 date: 2022/01/30 diff --git a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml index a4866b997..229cf65c7 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml 
@@ -3,7 +3,7 @@ id: bd8b828d-0dca-48e1-8a63-8a58ecf2644f status: test description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Nasreddine Bencherchali (Nextron Systems) date: 2023/02/28 tags: diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml index bbfcd96ae..c60f3dc91 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml @@ -3,7 +3,7 @@ id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b status: test description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt. references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth (Nextron Systems) date: 2021/05/05 modified: 2023/02/28 diff --git a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml index 9ffd2a924..1bc59fa97 100644 --- a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml +++ b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml 
@@ -6,7 +6,7 @@ description: | The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later. references: - - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install + - https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install - https://lolbas-project.github.io/lolbas/Binaries/Winget/ - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget author: Sreeman, Florian Roth (Nextron Systems), frack113 diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml index 415ca5be2..2899144ce 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml @@ -4,7 +4,7 @@ status: test description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic author: frack113 date: 2022/01/01 modified: 2023/02/14 diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml index 7b6db1f33..947bcaee7 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml 
@@ -11,7 +11,7 @@ description: | A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/02/14 tags: diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml index 0100dffb1..b5719fa30 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml @@ -10,7 +10,7 @@ description: | observed being used by threat actors such as Volt Typhoon. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic author: Stephen Lincoln `@slincoln-aiq`(AttackIQ) date: 2024/02/02 tags: diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml index 06bbf697d..b62dee19e 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml 
@@ -9,7 +9,7 @@ status: test description: Detects the execution of WMIC to query information on a remote system references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/02/14 tags: diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml index 92895090a..a84d29bd6 100644 --- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml +++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml @@ -3,7 +3,7 @@ id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d status: test description: Detects the deletion of registry keys containing the MSTSC connection history references: - - https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer + - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer - http://woshub.com/how-to-clear-rdp-connections-history/ - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html author: Christian Burkard (Nextron Systems) diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml index 535200c2d..3b9c723e6 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml 
@@ -7,9 +7,9 @@ description: | references: - https://github.com/OTRF/detection-hackathon-apt29/issues/7 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md - - https://docs.microsoft.com/en-us/windows/win32/shell/launch - - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code + - https://learn.microsoft.com/en-us/windows/win32/shell/launch + - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand + - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 modified: 2023/01/19 diff --git a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml index d7f15aaec..93125c35c 100644 --- a/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml +++ b/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml @@ -5,7 +5,7 @@ description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as references: - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf - - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 - https://nvd.nist.gov/vuln/detail/cve-2021-1675 - https://nvd.nist.gov/vuln/detail/cve-2021-34527 author: Markus Neis, @markus_neis, Florian Roth 
diff --git a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml index 3e5e31cba..eb34f8af8 100644 --- a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml @@ -4,7 +4,7 @@ status: test description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes references: - https://persistence-info.github.io/Data/aedebug.html - - https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging + - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/21 modified: 2023/08/17 diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml index f4c3a6e8a..fd8502fac 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml index 7dccae04b..cb5ca3db3 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml index d30b50a8a..e279685e7 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml 
@@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index decacbab8..c7e4ee004 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) 
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml index b7a665399..be904f887 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml index 7179b0d1b..b8c34acbf 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml 
@@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml index be13624af..cf3d316ac 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml index 99ee0c43e..437353071 100644 
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml index 0cebfd23d..e37645244 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml index 968defa29..a8b8522fe 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index cdb28f290..7f5aa4431 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml 
@@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml index 81ba5c770..b70ea0924 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml index 4249f5e19..b68db8e12 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml @@ -7,7 +7,7 @@ status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml index 7c3810b9b..ef628a4e6 100644 --- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml +++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml 
@@ -3,7 +3,7 @@ id: 46dd5308-4572-4d12-aa43-8938f0184d4f status: test description: Bypasses User Account Control using a fileless method references: - - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand + - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute author: frack113 diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml index ad9043c6e..09f677b81 100644 --- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml +++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml @@ -7,7 +7,7 @@ status: test description: Hides the file extension through modification of the registry references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone - - https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries + - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries author: frack113 date: 2022/01/22 modified: 2023/08/17 diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index 0da51be40..67adfa6bc 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml 
@@ -6,7 +6,7 @@ related: status: test description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it references: - - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade + - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/23 diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml index 8e97a8fc3..c93c12d50 100644 --- a/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml +++ b/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml @@ -7,7 +7,7 @@ status: test description: Detects changes to the registry values related to outlook security settings references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md - - https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings + - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings author: frack113 date: 2021/12/28 modified: 2023/08/17 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml index 311b5a788..9348cc024 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml 
@@ -8,7 +8,7 @@ description: | Second, to prepend information to the PATH environment variable on a per-application, per-process basis. references: - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN + - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/10 modified: 2023/08/17 diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index 4954c93b7..f8101ba46 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -3,7 +3,7 @@ id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 status: test description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration references: - - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon author: frack113 date: 2022/01/12 tags:
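Review bot: in registry_set_change_security_zones.yml the description ("Hides the file extension through modification of the registry") does not match the rule it sits in: the file name and both references concern Internet Explorer security zone registry entries and adding a domain to the Trusted Sites zone, not file-extension hiding. The mismatch predates this patch, but since the hunk already rewrites the reference block directly below that line, correct it in the same pass, for example `description: Detects modification of the Internet Explorer security zone registry entries, such as adding a domain to the Trusted Sites zone`.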
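Review bot: the reference change in registry_set_new_network_provider.yml rewrites the path as well as the host (`windows-client/deployment/...` becomes `windows-client/setup-upgrade-and-drivers/...`), which the commit message, "use the 'learn' subdomain instead of 'docs'", does not cover. Confirm the new path resolves directly rather than via a redirect, and state the path rewrite in the commit message so a later reader does not mistake it for a typo introduced during the host swap.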
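Review bot: in registry_set_persistence_app_paths.yml the `?redirectedfrom=MSDN` query string is dropped together with the host change. Dropping it is correct, the parameter only records where a redirect originated, but it is a content change beyond the subdomain swap the commit message describes, so mention it there alongside the other path edit in this patch.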
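Review bot: the description of registry_set_bypass_uac_using_delegateexecute.yml ("Bypasses User Account Control using a fileless method") states what the attacker does rather than what the rule detects, unlike the neighbouring rules whose descriptions open with "Detects ...". Since this hunk touches the reference list two lines below it, reword it here, e.g. `description: Detects registry modifications used to bypass User Account Control through the fileless DelegateExecute method`.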
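Review bot: the unchanged context line in sysmon_config_modification.yml reads "someone trying manipulate the configuration" and is missing "to". The hunk already edits the line directly beneath it, so fix the wording in the same change: `... or someone trying to manipulate the configuration`.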
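Review bot: in registry_set_office_outlook_security_settings.yml the hunk changes a reference while leaving `modified: 2023/08/17` as it is; confirm that the project does not expect reference-only edits to bump `modified` (the same question applies to the other files in this patch where that field is visible and unchanged). While in that block, "related to outlook security settings" should read "related to Outlook security settings".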