From 2bfb0935a08c52859f2653bf51dbf9f4bbb5d7aa Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 3 Feb 2025 18:23:12 +0100 Subject: [PATCH] Merge PR #5177 from @nasbench - promote older rules status from `experimental` to `test` chore: promote older rules status from `experimental` to `test` Co-authored-by: nasbench --- .../2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml | 2 +- ...proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml | 2 +- ...oc_creation_win_malware_kamikakabot_schtasks_persistence.yml | 2 +- .../registry_set_malware_kamikakabot_winlogon_persistence.yml | 2 +- .../net_connection_win_dfsvc_non_local_ip.yml | 2 +- .../net_connection_win_powershell_network_connection.yml | 2 +- .../registry_set_service_image_path_user_controlled_folder.yml | 2 +- .../kubernetes/audit/kubernetes_audit_deployment_deleted.yml | 2 +- .../kubernetes/audit/kubernetes_audit_events_deleted.yml | 2 +- .../kubernetes/audit/kubernetes_audit_exec_into_container.yml | 2 +- .../kubernetes/audit/kubernetes_audit_hostpath_mount.yml | 2 +- .../audit/kubernetes_audit_pod_in_system_namespace.yml | 2 +- .../audit/kubernetes_audit_privileged_pod_creation.yml | 2 +- .../audit/kubernetes_audit_rbac_permisions_listing.yml | 2 +- .../kubernetes/audit/kubernetes_audit_secrets_enumeration.yml | 2 +- .../audit/kubernetes_audit_serviceaccount_creation.yml | 2 +- .../kubernetes/audit/kubernetes_audit_sidecar_injection.yml | 2 +- rules/application/opencanary/opencanary_ftp_login_attempt.yml | 2 +- rules/application/opencanary/opencanary_git_clone_request.yml | 2 +- rules/application/opencanary/opencanary_http_get.yml | 2 +- .../opencanary/opencanary_http_post_login_attempt.yml | 2 +- .../opencanary/opencanary_httpproxy_login_attempt.yml | 2 +- rules/application/opencanary/opencanary_mssql_login_sqlauth.yml | 2 +- rules/application/opencanary/opencanary_mssql_login_winauth.yml | 2 +- rules/application/opencanary/opencanary_mysql_login_attempt.yml | 2 +- 
rules/application/opencanary/opencanary_ntp_monlist.yml | 2 +- rules/application/opencanary/opencanary_redis_command.yml | 2 +- rules/application/opencanary/opencanary_sip_request.yml | 2 +- rules/application/opencanary/opencanary_smb_file_open.yml | 2 +- rules/application/opencanary/opencanary_snmp_cmd.yml | 2 +- rules/application/opencanary/opencanary_ssh_login_attempt.yml | 2 +- rules/application/opencanary/opencanary_ssh_new_connection.yml | 2 +- .../application/opencanary/opencanary_telnet_login_attempt.yml | 2 +- rules/application/opencanary/opencanary_tftp_request.yml | 2 +- .../opencanary/opencanary_vnc_connection_attempt.yml | 2 +- ...n_lnx_remote_access_tools_teamviewer_incoming_connection.yml | 2 +- ...macos_remote_access_tools_teamviewer_incoming_connection.yml | 2 +- .../file_event_win_create_evtx_non_common_locations.yml | 2 +- .../net_connection_win_domain_external_ip_lookup.yml | 2 +- .../proc_creation_win_cmd_redirection_susp_folder.yml | 2 +- .../proc_creation_win_odbcconf_response_file_susp.yml | 2 +- ...n_win_remote_access_tools_teamviewer_incoming_connection.yml | 2 +- .../process_creation/proc_creation_win_renamed_nircmd.yml | 2 +- .../proc_creation_win_rundll32_uncommon_dll_extension.yml | 2 +- .../proc_creation_win_schtasks_susp_pattern.yml | 2 +- ...proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml | 2 +- .../proc_creation_win_tasklist_module_enumeration.yml | 2 +- .../registry_set/registry_set_add_load_service_in_safe_mode.yml | 2 +- .../registry/registry_set/registry_set_add_port_monitor.yml | 2 +- .../registry_set/registry_set_change_sysmon_driver_altitude.yml | 2 +- .../registry_set/registry_set_change_winevt_channelaccess.yml | 2 +- .../registry_set_disable_windows_defender_service.yml | 2 +- .../registry_set/registry_set_disable_winevt_logging.yml | 2 +- rules/windows/registry/registry_set/registry_set_hide_file.yml | 2 +- .../registry_set/registry_set_optimize_file_sharing_network.yml | 2 +- 
.../registry/registry_set/registry_set_persistence_ifilter.yml | 2 +- .../registry/registry_set/registry_set_servicedll_hijack.yml | 2 +- .../registry_set/registry_set_timeproviders_dllname.yml | 2 +- 58 files changed, 58 insertions(+), 58 deletions(-) diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml index aceda5977..40d980e1b 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml @@ -1,6 +1,6 @@ title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15 -status: experimental +status: test description: | Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character. diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml index fdedc59a0..be3c9710f 100644 --- a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml +++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml 
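Review bot: The description line in the CVE-2024-1212 hunk says the rule detects exploitation of CVE-2024-1709, while the title, the rule's file path, and the rest of that same sentence (Progress Kemp LoadMaster unauthenticated command injection) all refer to CVE-2024-1212; this looks like a copy/paste slip, and promoting the rule to `test` carries the wrong identifier into a rule that consumers treat as vetted. The line should read `Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster.` so the description, title and path agree. The detection logic, falsepositives and level of this rule lie outside the hunk, so whether they match the title cannot be checked here.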
@@ -1,6 +1,6 @@ title: Potential KamiKakaBot Activity - Lure Document Execution id: 24474469-bd80-46cc-9e08-9fbe81bfaaca -status: experimental +status: test description: | Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection. diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml index 2f7e2ac82..b6bd4d926 100644 --- a/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml +++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml @@ -1,6 +1,6 @@ title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961 -status: experimental +status: test description: | Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system. diff --git a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml index 8db60f70e..f60f41bdc 100644 --- a/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml +++ b/rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml 
@@ -1,6 +1,6 @@
 title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
 id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
-status: experimental
+status: test
 description: |
 Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
 references:
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml
index 9ed2da51d..9185d2c50 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml
@@ -1,6 +1,6 @@
 title: Dfsvc.EXE Network Connection To Non-Local IPs
 id: 3c21219b-49b5-4268-bce6-c914ed50f09c
-status: experimental
+status: test
 description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml
index cfc045bbe..7396f6e8c 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml
@@ -1,6 +1,6 @@ title: Network Connection Initiated By PowerShell Process id: 1f21ec3f-810d-4b0e-8045-322202e22b4b -status: experimental +status: test description: | Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml index 3ec4f793b..a0673f43a 100644 --- a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml +++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml @@ -3,7 +3,7 @@ id: 277dc340-0540-42e7-8efb-5ff460045e07 related: - id: 277dc340-0540-42e7-8efb-5ff460045e07 type: obsolete -status: experimental +status: test description: | Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml index 4663c8029..732c65e11 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml @@ -1,6 +1,6 @@ title: Deployment Deleted From Kubernetes Cluster id: 40967487-139b-4811-81d9-c9767a92aa5a -status: experimental +status: test description: | Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations. 
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml index d7dafc6eb..66c45fd8b 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml @@ -3,7 +3,7 @@ id: 3132570d-cab2-4561-9ea6-1743644b2290 related: - id: 225d8b09-e714-479c-a0e4-55e6f29adf35 type: derived -status: experimental +status: test description: | Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml index 8c6ca8153..1d8535910 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml @@ -1,6 +1,6 @@ title: Potential Remote Command Execution In Pod Container id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6 -status: experimental +status: test description: | Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command. references: diff --git a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml index fe9e05c30..0dd150574 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml @@ -1,6 +1,6 @@ title: Container With A hostPath Mount Created id: 402b955c-8fe0-4a8c-b635-622b4ac5f902 -status: experimental +status: test description: | Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. 
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml index 512c0e2fb..7fa1d7b75 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml @@ -1,6 +1,6 @@ title: Creation Of Pod In System Namespace id: a80d927d-ac6e-443f-a867-e8d6e3897318 -status: experimental +status: test description: | Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml index a9a04702b..fcc168582 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml @@ -1,6 +1,6 @@ title: Privileged Container Deployed id: c5cd1b20-36bb-488d-8c05-486be3d0cb97 -status: experimental +status: test description: | Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml index cefd4c4b8..d680a4644 100644 
--- a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml @@ -1,6 +1,6 @@ title: RBAC Permission Enumeration Attempt id: 84b777bd-c946-4d17-aa2e-c39f5a454325 -status: experimental +status: test description: | Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. diff --git a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml index 0dc2b66d1..d690e5975 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml @@ -3,7 +3,7 @@ id: eeb3e9e1-b685-44e4-9232-6bb701f925b5 related: - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c type: derived -status: experimental +status: test description: Detects enumeration of Kubernetes secrets. references: - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ diff --git a/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml index 6c41efac8..3755cb1b1 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml @@ -3,7 +3,7 @@ id: e31bae15-83ed-473e-bf31-faf4f8a17d36 related: - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 type: derived -status: experimental +status: test description: | Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster. references: 
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml index 4ff32df28..3a6fa87b7 100644 --- a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml +++ b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml @@ -1,6 +1,6 @@ title: Potential Sidecar Injection Into Running Deployment id: ad9012a6-e518-4432-9890-f3b82b8fc71f -status: experimental +status: test description: | Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod, that resides alongside the main container. diff --git a/rules/application/opencanary/opencanary_ftp_login_attempt.yml b/rules/application/opencanary/opencanary_ftp_login_attempt.yml index 46632d232..9fb47b670 100644 --- a/rules/application/opencanary/opencanary_ftp_login_attempt.yml +++ b/rules/application/opencanary/opencanary_ftp_login_attempt.yml @@ -1,6 +1,6 @@ title: OpenCanary - FTP Login Attempt id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5 -status: experimental +status: test description: Detects instances where an FTP service on an OpenCanary node has had a login attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/application/opencanary/opencanary_git_clone_request.yml b/rules/application/opencanary/opencanary_git_clone_request.yml index cb928c355..ef03fa7ba 100644 --- a/rules/application/opencanary/opencanary_git_clone_request.yml +++ b/rules/application/opencanary/opencanary_git_clone_request.yml @@ -1,6 +1,6 @@ title: OpenCanary - GIT Clone Request id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8 -status: experimental +status: test description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration 
diff --git a/rules/application/opencanary/opencanary_http_get.yml b/rules/application/opencanary/opencanary_http_get.yml
index c65cc6663..41c5bbd69 100644
--- a/rules/application/opencanary/opencanary_http_get.yml
+++ b/rules/application/opencanary/opencanary_http_get.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - HTTP GET Request
 id: af6c3078-84cd-4c68-8842-08b76bd81b13
-status: experimental
+status: test
 description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_http_post_login_attempt.yml b/rules/application/opencanary/opencanary_http_post_login_attempt.yml
index 1bc99bf01..ef35ae4d9 100644
--- a/rules/application/opencanary/opencanary_http_post_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_http_post_login_attempt.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - HTTP POST Login Attempt
 id: af1ac430-df6b-4b38-b976-0b52f07a0252
-status: experimental
+status: test
 description: |
 Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
 references:
diff --git a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
index 20693573c..7fac3a3b7 100644
--- a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - HTTPPROXY Login Attempt
 id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
-status: experimental
+status: test
 description: |
 Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
 references:
diff --git a/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
index 66e236c26..8cd7fd030 100644
--- a/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
+++ b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - MSSQL Login Attempt Via SQLAuth
 id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
-status: experimental
+status: test
 description: |
 Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
 references:
diff --git a/rules/application/opencanary/opencanary_mssql_login_winauth.yml b/rules/application/opencanary/opencanary_mssql_login_winauth.yml
index a731303ab..2d15c251e 100644
--- a/rules/application/opencanary/opencanary_mssql_login_winauth.yml
+++ b/rules/application/opencanary/opencanary_mssql_login_winauth.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
 id: 6e78f90f-0043-4a01-ac41-f97681613a66
-status: experimental
+status: test
 description: |
 Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
 references:
diff --git a/rules/application/opencanary/opencanary_mysql_login_attempt.yml b/rules/application/opencanary/opencanary_mysql_login_attempt.yml
index 405c03c86..9017a46d1 100644
--- a/rules/application/opencanary/opencanary_mysql_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_mysql_login_attempt.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - MySQL Login Attempt
 id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
-status: experimental
+status: test
 description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_ntp_monlist.yml b/rules/application/opencanary/opencanary_ntp_monlist.yml
index e6ae4e0d9..8f694286d 100644
--- a/rules/application/opencanary/opencanary_ntp_monlist.yml
+++ b/rules/application/opencanary/opencanary_ntp_monlist.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - NTP Monlist Request
 id: 7cded4b3-f09e-405a-b96f-24248433ba44
-status: experimental
+status: test
 description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_redis_command.yml b/rules/application/opencanary/opencanary_redis_command.yml
index 9a18bee4a..3cc252d86 100644
--- a/rules/application/opencanary/opencanary_redis_command.yml
+++ b/rules/application/opencanary/opencanary_redis_command.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - REDIS Action Command Attempt
 id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
-status: experimental
+status: test
 description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_sip_request.yml b/rules/application/opencanary/opencanary_sip_request.yml
index 56f71242a..23f4d9986 100644
--- a/rules/application/opencanary/opencanary_sip_request.yml
+++ b/rules/application/opencanary/opencanary_sip_request.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - SIP Request
 id: e30de276-68ec-435c-ab99-ef3befec6c61
-status: experimental
+status: test
 description: Detects instances where an SIP service on an OpenCanary node has had a SIP request.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_smb_file_open.yml b/rules/application/opencanary/opencanary_smb_file_open.yml
index 7c12e2563..f4415ffb2 100644
--- a/rules/application/opencanary/opencanary_smb_file_open.yml
+++ b/rules/application/opencanary/opencanary_smb_file_open.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - SMB File Open Request
 id: 22777c9e-873a-4b49-855f-6072ab861a52
-status: experimental
+status: test
 description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_snmp_cmd.yml b/rules/application/opencanary/opencanary_snmp_cmd.yml
index deb9ee935..57bd9a570 100644
--- a/rules/application/opencanary/opencanary_snmp_cmd.yml
+++ b/rules/application/opencanary/opencanary_snmp_cmd.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - SNMP OID Request
 id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
-status: experimental
+status: test
 description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_ssh_login_attempt.yml b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
index 431b5fe18..0e1572426 100644
--- a/rules/application/opencanary/opencanary_ssh_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - SSH Login Attempt
 id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
-status: experimental
+status: test
 description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_ssh_new_connection.yml b/rules/application/opencanary/opencanary_ssh_new_connection.yml
index 223bcd0e1..f3656da4c 100644
--- a/rules/application/opencanary/opencanary_ssh_new_connection.yml
+++ b/rules/application/opencanary/opencanary_ssh_new_connection.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - SSH New Connection Attempt
 id: cd55f721-5623-4663-bd9b-5229cab5237d
-status: experimental
+status: test
 description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_telnet_login_attempt.yml b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
index f3bb08fab..0d4aca202 100644
--- a/rules/application/opencanary/opencanary_telnet_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - Telnet Login Attempt
 id: 512cff7a-683a-43ad-afe0-dd398e872f36
-status: experimental
+status: test
 description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_tftp_request.yml b/rules/application/opencanary/opencanary_tftp_request.yml
index dfd595998..1af398358 100644
--- a/rules/application/opencanary/opencanary_tftp_request.yml
+++ b/rules/application/opencanary/opencanary_tftp_request.yml
@@ -1,6 +1,6 @@
 title: OpenCanary - TFTP Request
 id: b4e6b016-a2ac-4759-ad85-8000b300d61e
-status: experimental
+status: test
 description: Detects instances where a TFTP service on an OpenCanary node has had a request.
 references:
 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
diff --git a/rules/application/opencanary/opencanary_vnc_connection_attempt.yml b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
index b9b99a2e1..44669aad6 100644
--- a/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
+++ b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
@@ -1,6 +1,6 @@ title: OpenCanary - VNC Connection Attempt id: 9db5446c-b44a-4291-8b89-fcab5609c3b3 -status: experimental +status: test description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt. references: - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml index 0ddc7f59f..6a344a515 100644 --- a/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml @@ -5,7 +5,7 @@ related: type: similar - id: f459ccb4-9805-41ea-b5b2-55e279e2424a type: similar -status: experimental +status: test description: | Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. diff --git a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml index 3ccdd9b12..088ffdb20 100644 --- a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml +++ b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml 
@@ -5,7 +5,7 @@ related: type: similar - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d type: similar -status: experimental +status: test description: | Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 0f9cfc8cb..41f7ade4b 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml @@ -1,6 +1,6 @@ title: EVTX Created In Uncommon Location id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb -status: experimental +status: test description: | Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. diff --git a/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml b/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml index 86927b8a0..36797e38e 100644 --- a/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml +++ b/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml 
@@ -3,7 +3,7 @@ id: edf3485d-dac4-4d50-90e4-b0e5813f7e60 related: - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 type: derived -status: experimental +status: test description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity. references: - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index baa9d9355..e95a87358 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml @@ -5,7 +5,7 @@ related: type: derived - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a type: similar -status: experimental +status: test description: | Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration. diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml index fe0adf15d..1a3e92091 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml 
@@ -5,7 +5,7 @@ related:
 type: derived
 - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
 type: obsolete
-status: experimental
+status: test
 description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
 references:
 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
index 4eb010662..5c3cee11b 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
 type: similar
-status: experimental
+status: test
 description: |
 Detects the command line executed when TeamViewer starts a session started by a remote host.
 Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
index 521f4e2b5..858800834 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
@@ -1,6 +1,6 @@
 title: Renamed NirCmd.EXE Execution
 id: 264982dc-dbad-4dce-b707-1e0d3e0f73d9
-status: experimental
+status: test
 description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
 references:
 - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
index a349f84d3..4da867588 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
@@ -1,6 +1,6 @@
 title: Rundll32 Execution With Uncommon DLL Extension
 id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
-status: experimental
+status: test
 description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
 references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
index d2470cf01..70ed5f6d1 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
@@ -1,6 +1,6 @@
 title: Suspicious Command Patterns In Scheduled Task Creation
 id: f2c64357-b1d2-41b7-849f-34d2682c0fad
-status: experimental
+status: test
 description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
 references:
 - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
index 7df179152..1cdcaf461 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
@@ -1,6 +1,6 @@
 title: Kernel Memory Dump Via LiveKD
 id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
-status: experimental
+status: test
 description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
diff --git a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
index 8fdc84c06..7c65d3eb6 100644
--- a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
@@ -1,6 +1,6 @@
 title: Loaded Module Enumeration Via Tasklist.EXE
 id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
-status: experimental
+status: test
 description: |
 Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
 This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
index 8b3a681b3..4905def49 100644
--- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
@@ -1,6 +1,6 @@
 title: Registry Persistence via Service in Safe Mode
 id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
-status: experimental
+status: test
 description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
index 9ab7067df..75ac8d1ae 100644
--- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
@@ -1,6 +1,6 @@
 title: Add Port Monitor Persistence in Registry
 id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
-status: experimental
+status: test
 description: |
 Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
 A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
diff --git a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
index c7fd6a068..3cff92e1f 100644
--- a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
@@ -1,6 +1,6 @@
 title: Sysmon Driver Altitude Change
 id: 4916a35e-bfc4-47d0-8e25-a003d7067061
-status: experimental
+status: test
 description: |
 Detects changes in Sysmon driver altitude value.
 If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
index 02892198e..fb6805137 100644
--- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
@@ -1,6 +1,6 @@
 title: Change Winevt Channel Access Permission Via Registry
 id: 7d9263bd-dc47-4a58-bc92-5474abab390c
-status: experimental
+status: test
 description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
 references:
 - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
index 011974d7f..d88fbea33 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
@@ -1,6 +1,6 @@
 title: Windows Defender Service Disabled - Registry
 id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
-status: experimental
+status: test
 description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
 references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index eab8aeb95..7feacfa62 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -1,6 +1,6 @@
 title: Disable Windows Event Logging Via Registry
 id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
-status: experimental
+status: test
 description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
 references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889
diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml
index c861b98a5..8b6699d4e 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_file.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml @@ -1,6 +1,6 @@ title: Displaying Hidden Files Feature Disabled id: 5a5152f1-463f-436b-b2f5-8eceb3964b42 -status: experimental +status: test description: | Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users. diff --git a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml index cdd2cdc28..fb5498fc4 100644 --- a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml +++ b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml @@ -1,6 +1,6 @@ title: MaxMpxCt Registry Value Changed id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e -status: experimental +status: test description: | Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml index 2859ab511..04e14bc0b 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml 
@@ -1,6 +1,6 @@ title: Register New IFiltre For Persistence id: b23818c7-e575-4d13-8012-332075ec0a2b -status: experimental +status: test description: | Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files. diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index b4ccf2764..48962dc34 100644 --- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml @@ -1,6 +1,6 @@ title: ServiceDll Hijack id: 612e47e9-8a59-43a6-b404-f48683f45bd6 -status: experimental +status: test description: | Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. diff --git a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml index 9e4e6b7c4..f334d0f2f 100644 --- a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml +++ b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml @@ -1,6 +1,6 @@ title: New TimeProviders Registered With Uncommon DLL Name id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 -status: experimental +status: test description: | Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots.