diff --git a/rules/cloud/azure/azure_tap_added.yml b/rules/cloud/azure/azure_tap_added.yml index 46d468714..59d1eab01 100644 --- a/rules/cloud/azure/azure_tap_added.yml +++ b/rules/cloud/azure/azure_tap_added.yml @@ -18,5 +18,5 @@ detection: Status: Admin registered temporary access pass method for user condition: selection falsepositives: - - Administrator adding a legitmate temporary access pass + - Administrator adding a legitimate temporary access pass level: high diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml index f24950219..7dc420524 100644 --- a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml +++ b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml @@ -4,7 +4,7 @@ status: experimental description: | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, - it should be validated from GitHub UI becasue the log entry may not provide full context. + it should be validated from GitHub UI because the log entry may not provide full context. author: Muhammad Faisal date: 2023/01/27 references: @@ -49,7 +49,7 @@ fields: - 'repository_public' - '@timestamp' falsepositives: - - Allowed self-hosted runners changes in the envrionment. + - Allowed self-hosted runners changes in the environment. - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days. - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day. level: low diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml index 35b504161..c61ab6526 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml +++ b/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml @@ -1,7 +1,7 @@ title: Vim GTFOBin Abuse - Linux id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea status: experimental -description: Detects usage of "vim" and it's sibilings as a GTFOBin to execute and proxy command and binary execution +description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution references: - https://gtfobins.github.io/gtfobins/vim/ - https://gtfobins.github.io/gtfobins/rvim/ diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml index 07e9eff3f..e351e3bef 100644 --- a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml +++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml @@ -1,7 +1,7 @@ title: Sysinternals Tools AppX Versions Execution id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc status: experimental -description: Detects execution of Sysinternals tools via an AppX package. Attackers could instal the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths +description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml index 30e93308f..67fabeac2 100644 
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml @@ -1,7 +1,7 @@ title: Suspicious AppX Package Installation Attempt id: 898d5fc9-fbc3-43de-93ad-38e97237c344 status: experimental -description: Detects an appx package installation with the error code "0x80073cff". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious +description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious references: - Internal Research - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml index 3b2926ed1..02cf7a12b 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml @@ -1,7 +1,7 @@ title: A Rule Has Been Deleted From The Windows Firewall Exception List id: c187c075-bb3e-4c62-b4fa-beae0ffc211f status: experimental -description: Detects when a singe rules or all of the rules have been deleted from the Windows Defender Firewall +description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 diff --git a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml index 0af2a9c0c..4313c2917 100644 --- a/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml 
+++ b/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml @@ -21,7 +21,7 @@ detection: TargetUserSid|startswith: 'S-1-5-21-' # Standard user SidList|contains: - 'S-1-5-32-544' # Local admin - - '-500}' # Doamin admin + - '-500}' # Domain admin - '-518}' # Schema admin - '-519}' # Enterprise admin filter_admin: diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml index 405c67f68..717c4e7cb 100644 --- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml +++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml @@ -88,5 +88,5 @@ detection: - '\CCleaner Browser\Application\CCleanerBrowser.exe' condition: selection and not filter falsepositives: - - Legitimate usage of the softwares mentioned above + - Legitimate usage of the software mentioned above level: medium diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml index ebfeeedd7..375d796e9 100644 --- a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml 
@@ -212,6 +212,6 @@ detection: - '\vLTZ19.sys' condition: selection falsepositives: - - False positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version. - - If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible) + - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version. + - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible) level: medium diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 187b8afab..ebf54c4c2 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -4,7 +4,7 @@ related: - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 type: similar status: experimental -description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking +description: Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking references: - https://decoded.avast.io/martinchlumecky/png-steganography/ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 diff --git a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml index f8fa5c83c..9ce044eaa 100644 --- a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml 
+++ b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml @@ -17,7 +17,7 @@ detection: selection: Image|endswith: '\rundll32.exe' Hashes|contains: - # Add more hashes for other windows verions + # Add more hashes for other windows versions - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64 - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607 - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809 diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml index 2a1efbf07..f1f5f1fd4 100644 --- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml +++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml @@ -4,7 +4,7 @@ related: - id: df6ecb8b-7822-4f4b-b412-08f524b4576c type: similar status: experimental -description: Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation +description: Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation references: - https://decoded.avast.io/martinchlumecky/png-steganography/ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml index 8f388df66..dd372b750 100644 --- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml +++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml @@ -25,5 +25,5 @@ detection: Signed: 'true' condition: selection and not filter falsepositives: - - FP could occure if the legitimate version of vmGuestLib already exists on the system + - FP could occur if the legitimate version of vmGuestLib already exists on the system level: medium 
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index f65ffdc19..86cd4526d 100644 --- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml @@ -31,7 +31,7 @@ detection: ParentImage: C:\ProgramData\Anaconda3\python.exe CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py' filter_local_communication: - # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances + # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances DestinationIp: 127.0.0.1 SourceIp: 127.0.0.1 condition: selection and not 1 of filter_* diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml index 00ab2ef73..30e9e89c1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml @@ -23,7 +23,7 @@ logsource: detection: selection: ScriptBlockText|contains: - # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complet list please check the references linked above + # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above - 'Add-AADInt' - 'ConvertTo-AADInt' - 'Disable-AADInt' 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml similarity index 100% rename from rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml rename to rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml index b57304c5f..feb1f9fac 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml @@ -27,7 +27,7 @@ detection: - '-Online' - '-FeatureName' selection_feature: - # Add any unsecure/unusual windows features to your env + # Add any insecure/unusual windows features to your env ScriptBlockText|contains: - 'TelnetServer' - 'Internet-Explorer-Optional-amd64' diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml index 97243d28e..583f40674 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml @@ -37,5 +37,5 @@ detection: condition: all of selection_* falsepositives: - Rare intended use of hidden services - - Rare FP could occure due to the non linearity of the ScriptBlockText log + - Rare FP could occur due to the non linearity of the ScriptBlockText log level: high 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml index 90d9858be..89cceaf1f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml @@ -30,5 +30,5 @@ detection: condition: selection falsepositives: - Rare intended use of hidden services - - Rare FP could occure due to the non linearity of the ScriptBlockText log + - Rare FP could occur due to the non linearity of the ScriptBlockText log level: high diff --git a/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml index b1c4006e6..9dccebba6 100644 --- a/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml @@ -29,7 +29,7 @@ detection: - 'pwsh.dll' selection_cli: CommandLine|contains: - # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complet list please check the references linked above + # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above - 'Add-AADInt' - 'ConvertTo-AADInt' - 'Disable-AADInt' diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml index 50106f67c..3ab3c60ed 100644 --- a/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml 
@@ -23,5 +23,5 @@ detection: condition: selection falsepositives: - Legitimate piping of the password to anydesk - - Some FP could occure with similar tools that uses the same command line '--set-password' + - Some FP could occur with similar tools that uses the same command line '--set-password' level: medium diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml index 2c4936720..1297c0731 100644 --- a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml @@ -35,5 +35,5 @@ detection: - ':socks' condition: selection_img or all of selection_param* falsepositives: - - Some false positives may occure with other tools with similar commandlines + - Some false positives may occur with other tools with similar commandlines level: high diff --git a/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml b/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml index 6a8c3c2b9..7207edb06 100644 --- a/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml @@ -10,7 +10,7 @@ references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa author: frack113 date: 2023/01/06 -modified: 2023/02/04 +modified: 2023/02/05 tags: - attack.defense_evasion - attack.t1036.007 diff --git a/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml index 2c6e9b03b..2cab5dfc3 100644 --- a/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml +++ b/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml 
@@ -25,7 +25,7 @@ detection: - '-Online' - '-FeatureName' selection_feature: - # Add any unsecure/unusual windows features that you don't use in your environment + # Add any insecure/unusual windows features that you don't use in your environment CommandLine|contains: - 'TelnetServer' - 'Internet-Explorer-Optional-amd64' diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml index dba1ce0a0..f99ca8092 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml @@ -4,7 +4,7 @@ related: - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab type: similar status: experimental -description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th postiional argument +description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml index f6e3ec2e0..aefaa8854 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml 
@@ -4,7 +4,7 @@ related: - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 type: similar status: experimental -description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th postiional argument +description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml index ef27831b3..87b1cac52 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml @@ -33,7 +33,7 @@ detection: - ' --user root' - ' -u root' filter_kill: - # This filter is to handle a FP that occures when a process is spawned from WSL and then closed by the user + # This filter is to handle a FP that occurs when a process is spawned from WSL and then closed by the user # Example would be to open VsCode through it's server extension from WSL # GrandparentCommandLine: "C:\Users\XXX\AppData\Local\Programs\Microsoft VS Code\Code.exe" --ms-enable-electron-run-as-node c:\Users\XXX\.vscode\extensions\ms-vscode-remote.remote-wsl-0.72.0\dist\wslDaemon.js # ParentCommandLine: C:\WINDOWS\system32\cmd.exe /d /s /c "C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366" 
@@ -44,6 +44,6 @@ detection: - ' -e kill ' condition: all of selection_* and not 1 of filter_* falsepositives: - - Automation and orchestration scripts may use this method execute scripts etc + - Automation and orchestration scripts may use this method to execute scripts etc. - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server) level: medium diff --git a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml index e50583b5f..97d4c40e2 100644 --- a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml +++ b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml @@ -53,7 +53,7 @@ detection: filter_1: CommandLine|contains: 'function Convert-GuidToCompressedGuid' filter_vscode: - # This FP could occure when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above + # This FP could occur when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe # This is the default install location please add your custom one to avoid FP CommandLine|contains|all: - '/d /s /c ' diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index 602a9ec13..2c9575b83 100644 --- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml 
@@ -61,5 +61,5 @@ detection: - '/active no' condition: all of selection_* and not filter falsepositives: - - Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium + - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium level: high diff --git a/rules/windows/process_creation/proc_creation_win_network_sniffing.yml b/rules/windows/process_creation/proc_creation_win_network_sniffing.yml index 15393f64e..dd256d1e3 100644 --- a/rules/windows/process_creation/proc_creation_win_network_sniffing.yml +++ b/rules/windows/process_creation/proc_creation_win_network_sniffing.yml @@ -32,5 +32,5 @@ detection: - 'yes' condition: 1 of selection_* falsepositives: - - Legitimate adminstration activity to troubleshoot network issues + - Legitimate administration activity to troubleshoot network issues level: medium diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml index de8c1b698..7c3c47414 100644 --- a/rules/windows/process_creation/proc_creation_win_node_abuse.yml +++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml 
@@ -1,7 +1,7 @@ title: Potential Arbitrary Code Execution Via Node.EXE id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd status: experimental -description: Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc +description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml index fc557dea6..dfc7df627 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml @@ -1,7 +1,7 @@ title: Potential PowerShell Obfuscation Via Reversed Commands id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 status: test -description: Detects the presenece of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers +description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers references: - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml index c69cb3445..65248da63 100644 
--- a/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml @@ -48,7 +48,7 @@ detection: - '\powershell.exe' - '\pwsh.exe' - CommandLine|contains: - - '/c powershell' # FPs with sub processes that contained "powershell" soemwhere in the command line + - '/c powershell' # FPs with sub processes that contained "powershell" somewhere in the command line - '/c pwsh' - Description: 'Windows PowerShell' - Product: 'PowerShell Core 6' diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index ea149ab69..7c44b5fc2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -18,7 +18,7 @@ detection: ParentImage|endswith: '\conhost.exe' filter_provider: Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora - # Note that some of these git events occure because of a spoofed parent image + # Note that some of these git events occur because of a spoofed parent image filter_git: # Example FP: # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file diff --git a/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml index a5cd14550..eadcd35d9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml 
@@ -1,7 +1,7 @@ title: Execution of NetSupport RAT From Unusual Location id: 37e8d358-6408-4853-82f4-98333fca7014 status: experimental -description: Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\Program Files') +description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files') references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml index f37c18e95..36cf8a751 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml @@ -1,7 +1,7 @@ title: Execution of Remote Utilities RAT (RURAT) From Unusual Location id: e01fa958-6893-41d4-ae03-182477c5e77d status: experimental -description: Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\Program Files') +description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files') references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml index e745e7a68..0606ad90d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml 
@@ -34,5 +34,5 @@ detection: - 'HIGHEST' condition: all of selection_* and not 1 of filter_* falsepositives: - - Legitmate processes that run at logon. Filter according to your environment + - Legitimate processes that run at logon. Filter according to your environment level: high diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml index 07d66ecdb..c10e835ba 100644 --- a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml +++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml @@ -1,4 +1,4 @@ -title: Suspicious Command With Teams Objects Pathes +title: Suspicious Command With Teams Objects Paths id: d2eb17db-1d39-41dc-b57f-301f6512fa75 status: experimental description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. @@ -7,7 +7,7 @@ references: - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens author: '@SerkinValery' date: 2022/09/16 -modified: 2022/09/27 +modified: 2023/02/05 tags: - attack.credential_access - attack.t1528 diff --git a/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml b/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml index 921c617c2..a5d4bc085 100644 --- a/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml +++ b/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml 
@@ -1,4 +1,4 @@ -title: Unusual Child Porcess of dns.exe +title: Unusual Child Process of dns.exe id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3 status: experimental description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) @@ -6,6 +6,7 @@ references: - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html author: Tim Rauch date: 2022/09/27 +modified: 2023/02/05 tags: - attack.initial_access - attack.t1133 diff --git a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml index 0552624be..a68ef2e02 100644 --- a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml @@ -48,5 +48,5 @@ detection: - 'C:\Temp\' condition: selection_parent and 1 of selection_children_* falsepositives: - - In development environment where VsCode is used heavily. False positives may occure when developers use task to compile or execute different types of code. Remove or add processes accordingly + - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml index 75e74fecb..27a58fde2 100644 --- a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml 
@@ -26,5 +26,5 @@ detection: - 'Security' condition: all of selection_* falsepositives: - - Legitmate usage of the utility by administrators to query the event log + - Legitimate usage of the utility by administrators to query the event log level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml index 80bcbbe62..11f991a34 100644 --- a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml @@ -35,7 +35,7 @@ detection: - '\mshta.exe' - '\verclsid.exe' selection_children_2: - # This is in a seperate selection due to the nature of FP generated with CMD + # This is in a separate selection due to the nature of FP generated with CMD Image|endswith: '\cmd.exe' CommandLine|contains: - 'powershell' diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml index 22241a0af..b591da969 100644 --- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml +++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml @@ -19,5 +19,5 @@ detection: Details: DWORD (0x00000001) condition: selection falsepositives: - - Legitmate use of the feature (alerts should be investigated either way) + - Legitimate use of the feature (alerts should be investigated either way) level: medium diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml index 4c4c5ac50..d396e049e 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml 
+++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml @@ -18,7 +18,7 @@ detection: TargetObject|startswith: 'HKCR\' Details|startswith: 'URL:' filter_ms_trusted: - Details|startswith: 'URL:ms-' # Microsoft Protocols usualy start with "ms-" + Details|startswith: 'URL:ms-' # Microsoft Protocols usually start with "ms-" filter_generic_locations: Image|startswith: # Add more folders to avoid FP - 'C:\Program Files\' diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml index 363ced98c..846585b37 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml @@ -41,5 +41,5 @@ detection: - ' -noninteractive ' condition: selection falsepositives: - - Legitimate admin or third party scripts. Baseline according to your environnement + - Legitimate admin or third party scripts. Baseline according to your environment level: medium diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml similarity index 86% rename from rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml rename to rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml index 48fc4b899..0cc10ef29 100644 --- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml +++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml @@ -22,5 +22,5 @@ detection: Details: DWORD (0x00000000) condition: selection falsepositives: - - Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate + - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate level: high 
diff --git a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml index 4882910e5..fbbd25495 100644 --- a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml +++ b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml @@ -1,7 +1,7 @@ title: Suspicious Environment Variable Has Been Registered id: 966315ef-c5e1-4767-ba25-fce9c8de3660 status: test -description: Detects the creation of user-specific or system-wide environement variables via the registry. Which contains suspicious commands and strings +description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings references: - https://infosec.exchange/@sbousseaden/109542254124022664 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml index 64dc3d851..acd441e60 100644 --- a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml +++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml @@ -21,5 +21,5 @@ detection: Details|endswith: DWORD (0x00000001) condition: selection falsepositives: - - Legitmate use of the multi session functionality + - Legitimate use of the multi session functionality level: medium diff --git a/rules/windows/sysmon/sysmon_file_block_exe.yml b/rules/windows/sysmon/sysmon_file_block_exe.yml index 4365401b8..da9efe2c6 100644 --- a/rules/windows/sysmon/sysmon_file_block_exe.yml +++ b/rules/windows/sysmon/sysmon_file_block_exe.yml 
@@ -11,7 +11,7 @@ tags: - attack.defense_evasion logsource: product: windows - category: file_block # make sure to have an approriate mapping for this category + category: file_block # make sure to have an appropriate mapping for this category detection: selection: EventID: 27 # this is fine, we want to match any block event
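Review bot: in the NetSupport (`proc_creation_win_netsupport_rat_exec_location.yml` hunk, first in this part of the patch) and RURAT (`proc_creation_win_susp_rurat_exec_location.yml`) hunks the corrected descriptions state the expected location only as `outside of 'C:\Program Files'`. If the rule's filter also treats `C:\Program Files (x86)` as an expected install path, the description should name it, since an analyst triaging this alert reads the description to learn what the baseline is; if the filter does not cover it, that is worth a second look while the file is open.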
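Review bot: the `modified` handling is inconsistent across the patch. The Teams rule hunk (`proc_creation_win_teams_suspicious_command_line_cred_access.yml`) bumps `modified: 2022/09/27` to `2023/02/05` and the dns.exe hunk adds a new `modified: 2023/02/05` line, both for title fixes, while the hunks that change `description` or `falsepositives` text (NetSupport, RURAT, schtasks, VsCode, wevtutil, RDP remote assistance, PowerShell run keys, Sophos, environment variables, multiple TS sessions) leave `modified` untouched. If the convention is that only title changes bump the date, this is fine; otherwise bump the remaining rules as well so consumers that track rule changes by `modified` pick up the new text. Separately, the Teams hunk's unchanged context line `description: Detects an access to authentication tokens ...` would read better as `Detects access to authentication tokens ...` while that file is being touched.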
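Review bot: the `proc_creation_win_vscode_child_processes_anomalies.yml` falsepositives line still has grammar problems that the `occure` fix does not address: `In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code.` Suggest `In development environments where VSCode is used heavily, false positives may occur when developers use tasks to compile or execute different types of code. Remove or add processes accordingly.`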
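Review bot: the rename of `registry_set_sophos_av_tamaper.yml` to `registry_set_sophos_av_tamper.yml` correctly leaves the rule `id` alone, but check that nothing else in the repository (tests, index or listing files, documentation, downstream converter configs) references the old file name, since a renamed rule file silently breaks any pinned path. While in that file, the falsepositives line `Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate` is a comma splice; suggest `Some FP may occur when the feature is disabled by the AV itself. Always investigate whether the action was legitimate.`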
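Review bot: in the `registry_set_suspicious_env_variables.yml` hunk the corrected description is still a sentence fragment: `Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings`. Suggest a single sentence: `Detects the creation of user-specific or system-wide environment variables via the registry that contain suspicious commands and strings`.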