From 34c5d66c22bbe41fe701cb6341d78ce324e6b24a Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali Date: Wed, 29 Apr 2026 01:20:23 +0200 Subject: [PATCH] Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 chore: update mitre tags to use attack v19 --- .../2014/TA/Axiom/proc_creation_win_apt_zxshell.yml | 2 +- .../Turla/proc_creation_win_apt_turla_comrat_may20.yml | 2 +- .../proc_creation_win_exploit_cve_2015_1641.yml | 2 +- .../Fireball/proc_creation_win_malware_fireball.yml | 2 +- .../proc_access_win_malware_verclsid_shellcode.yml | 2 +- .../NotPetya/proc_creation_win_malware_notpetya.yml | 5 +++-- ...roc_creation_win_malware_plugx_susp_exe_locations.yml | 3 ++- .../WannaCry/proc_creation_win_malware_wannacry.yml | 2 +- .../TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml | 2 +- ...proc_creation_win_apt_lazarus_binary_masquerading.yml | 2 +- .../APT27/proc_creation_win_apt_apt27_emissary_panda.yml | 3 ++- .../2018/TA/APT28/proc_creation_win_apt_sofacy.yml | 2 +- ...nt_win_apt_cozy_bear_phishing_campaign_indicators.yml | 2 +- ...eation_win_apt_apt29_phishing_campaign_indicators.yml | 2 +- .../registry_event_apt_oceanlotus_registry.yml | 2 +- .../proc_creation_win_apt_muddywater_activity.yml | 2 +- .../TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml | 2 +- .../2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml | 2 +- .../2018/TA/OilRig/win_security_apt_oilrig_mar18.yml | 2 +- .../2018/TA/OilRig/win_system_apt_oilrig_mar18.yml | 2 +- .../proc_creation_win_exploit_cve_2019_1378.yml | 2 +- .../CVE-2019-14287/lnx_sudo_exploit_cve_2019_14287.yml | 1 - .../proc_creation_lnx_exploit_cve_2019_14287.yml | 1 - .../BabyShark/proc_creation_win_malware_babyshark.yml | 2 +- .../Malware/Dridex/proc_creation_win_malware_dridex.yml | 2 +- .../Malware/Emotet/proc_creation_win_malware_emotet.yml | 2 +- .../2019/Malware/Ursnif/registry_add_malware_ursnif.yml | 2 +- .../proc_creation_win_apt_aptc12_bluemushroom.yml | 2 +- .../EmpireMonkey/proc_creation_win_apt_empiremonkey.yml | 2 +- 
.../proc_creation_win_apt_equationgroup_dll_u_load.yml | 2 +- .../TA/Operation-Wocao/proc_creation_win_apt_wocao.yml | 2 +- .../2019/TA/Operation-Wocao/win_security_apt_wocao.yml | 2 +- ...gistry_set_exploit_cve_2020_1048_new_printer_port.yml | 2 +- .../proc_creation_win_malware_blue_mockingbird.yml | 2 +- .../registry_set_mal_blue_mockingbird.yml | 2 +- .../ComRAT/proxy_malware_comrat_network_indicators.yml | 1 - ...oc_creation_win_malware_emotet_rundll32_execution.yml | 2 +- .../registry_event_malware_flowcloud_markers.yml | 2 +- .../proc_creation_win_malware_ke3chang_tidepool.yml | 4 ++-- .../TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml | 2 +- .../TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml | 2 +- .../TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml | 2 +- .../Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml | 3 ++- .../TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml | 3 ++- .../av_exploit_cve_2021_34527_print_nightmare.yml | 2 +- ..._delete_win_exploit_cve_2021_1675_print_nightmare.yml | 3 ++- ...image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml | 3 ++- .../lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml | 1 - ...exploit_cve_2021_40444_office_directory_traversal.yml | 2 +- ...n_security_samaccountname_spoofing_cve_2021_42287.yml | 2 +- ...roc_creation_win_exploit_other_razorinstaller_lpe.yml | 2 +- .../proc_creation_win_malware_blackbyte_ransomware.yml | 2 +- ...gistry_set_win_malware_blackbyte_privesc_registry.yml | 2 +- .../file_event_win_malware_devil_bait_script_drop.yml | 2 +- ...c_creation_win_malware_devil_bait_output_redirect.yml | 2 +- ...event_win_malware_goofy_guineapig_file_indicators.yml | 2 +- ...fy_guineapig_googleupdate_uncommon_child_instance.yml | 2 +- .../Malware/Netwire/registry_add_malware_netwire.yml | 2 +- .../file_event_win_malware_pingback_backdoor.yml | 3 ++- .../Pingback/image_load_malware_pingback_backdoor.yml | 3 ++- .../proc_creation_win_malware_pingback_backdoor.yml | 3 ++- 
.../file_event_win_malware_small_sieve_evasion_typo.yml | 2 +- .../proc_creation_win_malware_small_sieve_cli_arg.yml | 3 ++- .../TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml | 2 +- .../registry_set_exploit_cve_2022_30190_msdt_follina.yml | 2 +- .../create_remote_thread_win_malware_bumblebee.yml | 2 +- ..._2023_36884_office_windows_html_rce_file_patterns.yml | 2 +- .../file_event_win_malware_coldsteel_renamed_cmd.yml | 2 +- ..._event_win_malware_coldsteel_service_dll_creation.yml | 2 +- ...ge_load_malware_coldsteel_persistence_service_dll.yml | 2 +- ..._creation_win_malware_coldsteel_anonymous_process.yml | 2 +- .../proc_creation_win_malware_coldsteel_cleanup.yml | 2 +- ...reation_win_malware_coldsteel_service_persistence.yml | 2 +- .../win_system_malware_coldsteel_persistence_service.yml | 2 +- .../proc_creation_win_malware_guloader_execution.yml | 2 +- ...ion_win_malware_icedid_rundll32_dllregisterserver.yml | 2 +- ...n_win_malware_pikabot_combined_commands_execution.yml | 2 +- ...c_creation_win_malware_pikabot_rundll32_hollowing.yml | 2 +- ...n_win_malware_pikabot_rundll32_uncommon_extension.yml | 2 +- ...creation_win_malware_qakbot_regsvr32_calc_pattern.yml | 2 +- ...oc_creation_win_malware_qakbot_rundll32_execution.yml | 2 +- ...proc_creation_win_malware_qakbot_rundll32_exports.yml | 2 +- ...on_win_malware_qakbot_rundll32_fake_dll_execution.yml | 2 +- ...ation_win_malware_rhadamanthys_stealer_dll_launch.yml | 2 +- ...reation_win_malware_rorschach_ransomware_activity.yml | 1 - .../image_load_malware_3cx_compromise_susp_dll.yml | 2 +- ...roc_creation_win_malware_3cx_compromise_execution.yml | 2 +- ...creation_win_malware_3cx_compromise_susp_children.yml | 2 +- ...c_creation_win_malware_3cx_compromise_susp_update.yml | 2 +- .../image_load_apt_cozy_bear_graphical_proton_dlls.yml | 3 ++- .../image_load_apt_diamond_sleet_side_load.yml | 3 ++- .../registry_event_apt_diamond_sleet_scheduled_task.yml | 4 ++-- .../image_load_apt_lazarus_side_load_activity.yml | 3 ++- 
.../file_event_lnx_apt_unc4841_exfil_mail_pattern.yml | 2 +- .../file_event_lnx_apt_unc4841_file_indicators.yml | 2 +- .../proc_creation_lnx_apt_unc4841_openssl_connection.yml | 2 +- ...apt_unc4841_wget_download_compressed_file_tmep_sh.yml | 2 +- ...lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml | 2 +- ...024_1709_user_database_modification_screenconnect.yml | 2 +- ...alprotect_exploit_cve_2024_3400_command_injection.yml | 2 +- .../proc_creation_win_malware_lummac_more_vbc.yml | 2 +- ...d_malware_raspberry_robin_side_load_aclui_oleview.yml | 3 ++- ...are_raspberry_robin_rundll32_shell32_cpl_exection.yml | 2 +- ..._raspberry_robin_internet_settings_zonemap_tamper.yml | 2 +- ...file_event_win_malware_kapeka_backdoor_indicators.yml | 2 +- .../kapeka/image_load_malware_kapeka_backdoor_wll.yml | 2 +- ...on_win_malware_kapeka_backdoor_rundll32_execution.yml | 2 +- ...egistry_set_malware_kapeka_backdoor_configuration.yml | 2 +- .../file_event_win_apt_forest_blizzard_activity.yml | 4 ++-- ...file_event_win_apt_forest_blizzard_constrained_js.yml | 4 ++-- .../proc_creation_win_apt_forest_blizzard_activity.yml | 2 +- ...ile_event_win_apt_unknown_exploitation_indicators.yml | 2 +- .../image_load_win_exploit_cve_2025_33053.yml | 2 +- .../proc_access_win_exploit_cve_2025_33053.yml | 2 +- .../proc_creation_win_exploit_cve_2025_33053.yml | 2 +- .../proc_creation_win_exploit_cve_2025_49144.yml | 3 ++- .../proc_creation_win_exploit_cve_2025_57788.yml | 2 +- ...eation_lnx_exploit_cve_2025_5054_or_cve_2025_4598.yml | 1 - .../file_event_macos_malware_amos_persistence.yml | 2 +- .../RedSun/file_event_win_exploit_redsun_indicators.yml | 2 +- .../pipe_created_win_exploit_redsun_named_pipe.yml | 5 +++-- ...oc_creation_win_redsun_conhost_via_tiering_engine.yml | 2 +- ...r_exploit_redsun_tiering_engine_detected_as_eicar.yml | 5 +++-- ...proc_creation_lnx_axios_npm_compromise_indicators.yml | 1 - ...oc_creation_macos_axios_npm_compromise_indicators.yml | 1 - 
...proc_creation_win_axios_npm_compromise_indicators.yml | 1 - ...udtrail_console_login_success_from_susp_locations.yml | 2 +- ...azure_ad_account_created_deleted_nonapproved_user.yml | 2 +- .../azure_ad_account_signin_outside_hours.yml | 2 +- .../signin_logs/azure_privileged_account_no_saw_paw.yml | 2 +- .../azure_privileged_account_sigin_expected_controls.yml | 2 +- .../azure_privileged_account_signin_outside_hours.yml | 2 +- .../identity/okta/okta_session_impersonation_granted.yml | 2 +- .../builtin/security/win_security_admin_logon.yml | 1 - ...security_modification_of_msds_dmsa_link_attribute.yml | 2 +- .../security/win_security_msds_dmsa_object_creation.yml | 2 +- .../security/win_security_potential_pass_the_hash.yml | 1 - .../win_security_remote_registry_management_via_reg.yml | 2 +- .../security/win_security_susp_interactive_logons.yml | 2 +- .../microsoft365_susp_email_forwarding_activity.yml | 2 +- ...ft365_susp_inbox_rule_creation_or_update_activity.yml | 2 +- .../file_event_lnx_susp_long_filename_pattern.yml | 2 +- ...oc_creation_lnx_susp_process_termination_via_kill.yml | 4 ++-- .../builtin/firewall_as/win_firewall_as_change_rule.yml | 4 ++-- .../create_remote_thread_win_loadlibrary.yml | 2 +- ...e_remote_thread_win_susp_target_shell_application.yml | 2 +- .../file_access_win_office_outlook_mail_credential.yml | 2 +- .../file_access/file_access_win_susp_reg_and_hive.yml | 2 +- .../file_change_win_date_changed_to_another_year.yml | 2 +- .../file_delete/file_delete_win_zone_identifier_ads.yml | 2 +- .../file_event/file_event_win_dump_file_creation.yml | 2 +- ..._win_wdac_policy_creation_in_codeintegrity_folder.yml | 4 ++-- .../file_rename/file_rename_win_non_dll_to_dll_ext.yml | 2 +- .../image_load/image_load_dll_amsi_uncommon_process.yml | 1 - ...image_load_dll_bitsproxy_load_by_uncommon_process.yml | 3 ++- ...mage_load_win_werfaultsecure_dbgcore_dbghelp_load.yml | 4 ++-- .../net_connection_win_dllhost_non_local_ip.yml | 2 +- 
.../net_connection_win_hh_http_connection.yml | 2 +- .../net_connection_win_msiexec_http.yml | 2 +- .../posh_ps_email_forwarding_activity.yml | 2 +- .../posh_ps_inbox_rule_creation_or_update_activity.yml | 2 +- .../powershell_script/posh_ps_mailbox_access.yml | 2 +- .../posh_ps_new_netfirewallrule_allow.yml | 4 ++-- .../powershell_script/posh_ps_remove_item_path.yml | 2 +- .../powershell_script/posh_ps_token_obfuscation.yml | 2 +- ...roc_access_win_susp_potential_shellcode_injection.yml | 2 +- .../process_creation/proc_creation_win_attrib_system.yml | 2 +- .../proc_creation_win_boinc_execution.yml | 2 +- .../proc_creation_win_cmd_set_prompt_abuse.yml | 2 +- .../proc_creation_win_conhost_headless_execution.yml | 1 - .../proc_creation_win_csc_compilation.yml | 2 +- .../proc_creation_win_dfsvc_child_processes.yml | 2 +- .../proc_creation_win_diskshadow_child_process.yml | 2 +- .../proc_creation_win_diskshadow_script_mode.yml | 2 +- ...proc_creation_win_explorer_child_of_shell_process.yml | 2 +- .../proc_creation_win_extexport_execution.yml | 2 +- .../proc_creation_win_iexpress_execution.yml | 2 +- ...reation_win_microsoft_workflow_compiler_execution.yml | 2 +- .../proc_creation_win_mode_codepage_change.yml | 2 +- .../proc_creation_win_office_svchost_parent.yml | 2 +- .../proc_creation_win_powershell_crypto_namespace.yml | 2 +- ...creation_win_powershell_new_netfirewallrule_allow.yml | 4 ++-- ...proc_creation_win_regsvr32_dllregisterserver_exec.yml | 2 +- .../proc_creation_win_rundll32_by_ordinal.yml | 2 +- .../proc_creation_win_rundll32_dllregisterserver.yml | 2 +- .../proc_creation_win_susp_cli_obfuscation_unicode.yml | 2 +- .../proc_creation_win_susp_elevated_system_shell.yml | 1 - ...reation_win_susp_execution_from_guid_folder_names.yml | 2 +- ...c_creation_win_susp_file_permission_modifications.yml | 2 +- ...oc_creation_win_susp_ntfs_short_name_path_use_cli.yml | 2 +- .../proc_creation_win_susp_parent_execute_itself.yml | 2 +- 
...proc_creation_win_wsl_arbitrary_command_execution.yml | 2 +- .../registry_set_office_trusted_location.yml | 2 +- .../registry_set_powershell_crypto_namespace.yml | 2 +- ...try_set_service_image_path_user_controlled_folder.yml | 2 +- ...tbucket_audit_global_secret_scanning_rule_deleted.yml | 4 ++-- ...tbucket_audit_global_ssh_settings_change_detected.yml | 4 ++-- ...bitbucket_audit_log_configuration_update_detected.yml | 4 ++-- ...ket_audit_project_secret_scanning_allowlist_added.yml | 4 ++-- ..._audit_secret_scanning_exempt_repository_detected.yml | 4 ++-- .../bitbucket_audit_secret_scanning_rule_deleted.yml | 4 ++-- .../bitbucket_audit_user_login_failure_detected.yml | 2 +- .../audit/github_disable_high_risk_configuration.yml | 2 +- .../github/audit/github_new_secret_created.yml | 2 +- .../audit/github_push_protection_bypass_detected.yml | 4 ++-- .../github/audit/github_push_protection_disabled.yml | 4 ++-- .../audit/github_repository_archive_status_changed.yml | 2 +- .../audit/github_secret_scanning_feature_disabled.yml | 4 ++-- .../audit/github_self_hosted_runner_changes_detected.yml | 2 +- .../audit/github_ssh_certificate_config_changed.yml | 2 +- .../kubernetes_audit_change_admission_controller.yml | 2 +- .../kubernetes/audit/kubernetes_audit_events_deleted.yml | 2 +- .../audit/kubernetes_audit_pod_in_system_namespace.yml | 2 +- .../opencanary/opencanary_httpproxy_login_attempt.yml | 1 - .../opencanary/opencanary_ssh_login_attempt.yml | 2 +- .../opencanary/opencanary_ssh_new_connection.yml | 2 +- .../opencanary/opencanary_telnet_login_attempt.yml | 2 +- .../rpc_firewall_remote_registry_lateral_movement.yml | 2 +- .../aws/cloudtrail/aws_cloudtrail_bucket_deleted.yml | 2 +- .../aws_cloudtrail_console_login_success_without_mfa.yml | 2 +- .../aws/cloudtrail/aws_cloudtrail_disable_logging.yml | 4 ++-- ..._cloudtrail_guardduty_detector_deleted_or_updated.yml | 6 +++--- .../cloudtrail/aws_cloudtrail_imds_malicious_usage.yml | 2 +- 
.../aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml | 4 ++-- .../aws/cloudtrail/aws_cloudtrail_new_route_added.yml | 4 ++-- .../cloudtrail/aws_cloudtrail_vpc_flow_logs_deleted.yml | 2 +- .../aws/cloudtrail/aws_config_disable_recording.yml | 4 ++-- .../cloud/aws/cloudtrail/aws_console_getsignintoken.yml | 1 - rules/cloud/aws/cloudtrail/aws_delete_identity.yml | 2 +- rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml | 2 +- .../aws/cloudtrail/aws_ec2_import_key_pair_activity.yml | 2 +- rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml | 4 ++-- .../aws_iam_s3browser_loginprofile_creation.yml | 2 +- ...iam_s3browser_templated_s3_bucket_policy_creation.yml | 2 +- .../aws_iam_s3browser_user_or_accesskey_creation.yml | 2 +- rules/cloud/aws/cloudtrail/aws_root_account_usage.yml | 2 +- .../aws/cloudtrail/aws_securityhub_finding_evasion.yml | 4 ++-- rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml | 2 +- rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml | 1 - .../aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml | 1 - rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml | 2 +- .../azure_aadhybridhealth_adfs_new_server.yml | 2 +- .../azure_aadhybridhealth_adfs_service_delete.yml | 2 +- .../activity_logs/azure_ad_user_added_to_admin_role.yml | 2 +- .../azure/activity_logs/azure_application_deleted.yml | 1 - .../activity_logs/azure_firewall_modified_or_deleted.yml | 4 ++-- ...zure_firewall_rule_collection_modified_or_deleted.yml | 4 ++-- .../azure_kubernetes_admission_controller.yml | 2 +- .../activity_logs/azure_kubernetes_events_deleted.yml | 5 ++--- rules/cloud/azure/activity_logs/azure_mfa_disabled.yml | 2 +- ...azure_network_firewall_policy_modified_or_deleted.yml | 4 ++-- ...ner_removed_from_application_or_service_principal.yml | 2 +- .../activity_logs/azure_service_principal_created.yml | 2 +- .../activity_logs/azure_service_principal_removed.yml | 2 +- ...bscription_permissions_elevation_via_activitylogs.yml | 2 +- 
.../azure_aad_secops_ca_policy_removedby_bad_actor.yml | 2 +- .../azure_aad_secops_ca_policy_updatedby_bad_actor.yml | 2 +- .../azure_aad_secops_new_ca_policy_addedby_bad_actor.yml | 1 - .../audit_logs/azure_ad_account_created_deleted.yml | 2 +- .../audit_logs/azure_ad_bitlocker_key_retrieval.yml | 2 +- .../azure_ad_certificate_based_authencation_enabled.yml | 2 +- .../azure_ad_device_registration_policy_changes.yml | 2 +- ..._users_invited_to_tenant_by_non_approved_inviters.yml | 2 +- .../azure/audit_logs/azure_ad_new_root_ca_added.yml | 2 +- .../azure_ad_users_added_to_device_admin_roles.yml | 2 +- .../azure/audit_logs/azure_app_appid_uri_changes.yml | 2 +- .../azure/audit_logs/azure_app_uri_modifications.yml | 2 +- .../audit_logs/azure_change_to_authentication_method.yml | 2 +- .../cloud/azure/audit_logs/azure_federation_modified.yml | 2 +- .../azure_group_user_addition_ca_modification.yml | 2 +- .../azure_group_user_removal_ca_modification.yml | 2 +- .../azure/audit_logs/azure_guest_invite_failure.yml | 2 +- rules/cloud/azure/audit_logs/azure_guest_to_member.yml | 2 +- .../audit_logs/azure_pim_activation_approve_deny.yml | 2 +- .../cloud/azure/audit_logs/azure_pim_alerts_disabled.yml | 2 +- .../cloud/azure/audit_logs/azure_pim_change_settings.yml | 2 +- .../audit_logs/azure_priviledged_role_assignment_add.yml | 2 +- .../audit_logs/azure_privileged_account_creation.yml | 2 +- ..._subscription_permissions_elevation_via_auditlogs.yml | 2 +- rules/cloud/azure/audit_logs/azure_tap_added.yml | 2 +- .../azure/audit_logs/azure_user_password_change.yml | 2 +- .../azure_identity_protection_anonymous_ip_activity.yml | 2 +- .../azure_identity_protection_atypical_travel.yml | 2 +- .../azure_identity_protection_impossible_travel.yml | 2 +- .../azure_identity_protection_inbox_manipulation.yml | 2 +- .../azure_identity_protection_new_coutry_region.yml | 2 +- .../azure_identity_protection_suspicious_browser.yml | 2 +- .../azure_identity_protection_threat_intel.yml | 2 +- 
.../azure_identity_protection_unfamilar_sign_in.yml | 2 +- .../azure_pim_account_stale.yml | 2 +- .../azure_pim_invalid_license.yml | 2 +- .../azure_pim_role_assigned_outside_of_pim.yml | 2 +- .../azure_pim_role_frequent_activation.yml | 2 +- .../azure_pim_role_no_mfa_required.yml | 2 +- .../azure_pim_role_not_used.yml | 2 +- .../azure_pim_too_many_global_admins.yml | 2 +- .../azure/signin_logs/azure_ad_auth_failure_increase.yml | 2 +- .../azure/signin_logs/azure_ad_auth_sucess_increase.yml | 2 +- ...d_auth_to_important_apps_using_single_factor_auth.yml | 2 +- ...ications_from_countries_you_do_not_operate_out_of.yml | 2 +- .../azure_ad_device_registration_or_join_without_mfa.yml | 2 +- ...led_auth_from_countries_you_do_not_operate_out_of.yml | 2 +- .../azure_ad_only_single_factor_auth_required.yml | 3 ++- ...gn_ins_with_singlefactorauth_from_unknown_devices.yml | 2 +- .../azure_ad_sign_ins_from_noncompliant_devices.yml | 2 +- .../azure_ad_sign_ins_from_unknown_devices.yml | 2 +- .../azure_ad_suspicious_signin_bypassing_mfa.yml | 2 +- .../signin_logs/azure_app_device_code_authentication.yml | 2 +- .../azure/signin_logs/azure_app_ropc_authentication.yml | 2 +- .../azure/signin_logs/azure_blocked_account_attempt.yml | 2 +- .../signin_logs/azure_conditional_access_failure.yml | 2 +- .../azure_legacy_authentication_protocols.yml | 2 +- .../signin_logs/azure_login_to_disabled_account.yml | 2 +- rules/cloud/azure/signin_logs/azure_mfa_denies.yml | 2 +- rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml | 2 +- .../azure_unusual_authentication_interruption.yml | 2 +- .../azure_user_login_blocked_by_conditional_access.yml | 2 +- ...re_users_authenticating_to_other_azure_ad_tenants.yml | 2 +- .../audit/gcp_breakglass_container_workload_deployed.yml | 1 - .../gcp/audit/gcp_firewall_rule_modified_or_deleted.yml | 4 ++-- .../gcp/audit/gcp_kubernetes_admission_controller.yml | 2 +- .../gcp/gworkspace/login/gcp_gworkspace_govattack.yml | 2 +- 
.../gworkspace/login/gcp_gworkspace_suspicious_login.yml | 2 +- .../audit/microsoft365_bypass_conditional_access.yml | 2 +- rules/cloud/m365/audit/microsoft365_disabling_mfa.yml | 2 +- .../microsoft365_new_federated_domain_added_audit.yml | 2 +- .../microsoft365_impossible_travel_activity.yml | 2 +- .../microsoft365_logon_from_risky_ip_address.yml | 2 +- .../cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml | 2 +- rules/identity/okta/okta_mfa_reset_or_deactivated.yml | 2 +- .../identity/okta/okta_new_behaviours_admin_console.yml | 2 +- .../okta_user_session_start_via_anonymised_proxy.yml | 4 ++-- rules/linux/auditd/execve/lnx_auditd_binary_padding.yml | 2 +- .../auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml | 4 ++-- .../auditd/execve/lnx_auditd_capabilities_discovery.yml | 1 - .../auditd/execve/lnx_auditd_change_file_time_attr.yml | 2 +- .../execve/lnx_auditd_chattr_immutable_removal.yml | 2 +- .../execve/lnx_auditd_file_or_folder_permissions.yml | 2 +- .../execve/lnx_auditd_hidden_files_directories.yml | 2 +- .../execve/lnx_auditd_hidden_zip_files_steganography.yml | 2 +- .../auditd/execve/lnx_auditd_masquerading_crond.yml | 2 +- .../auditd/execve/lnx_auditd_modify_system_firewall.yml | 4 ++-- .../execve/lnx_auditd_steghide_embed_steganography.yml | 2 +- .../execve/lnx_auditd_steghide_extract_steganography.yml | 2 +- .../lnx_auditd_unzip_hidden_zip_files_steganography.yml | 2 +- .../linux/auditd/lnx_auditd_disable_aslr_protection.yml | 5 +++-- .../auditd/path/lnx_auditd_auditing_config_change.yml | 4 ++-- .../auditd/path/lnx_auditd_hidden_binary_execution.yml | 3 ++- rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml | 3 ++- .../auditd/path/lnx_auditd_logging_config_change.yml | 4 ++-- .../service_stop/lnx_auditd_disable_system_firewall.yml | 4 ++-- .../lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml | 4 ++-- rules/linux/builtin/lnx_ldso_preload_injection.yml | 3 ++- rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml | 2 +- 
rules/linux/builtin/lnx_shell_clear_cmd_history.yml | 9 +-------- .../lnx_syslog_security_tools_disabling_syslog.yml | 4 ++-- .../file_event/file_event_lnx_doas_conf_creation.yml | 1 - .../file_event_lnx_persistence_sudoers_files.yml | 1 - ...nt_lnx_susp_filename_with_embedded_base64_command.yml | 2 +- .../file_event_lnx_triple_cross_rootkit_lock_file.yml | 2 +- .../file_event_lnx_triple_cross_rootkit_persistence.yml | 2 -- .../proc_creation_lnx_auditctl_clear_rules.yml | 4 ++-- .../proc_creation_lnx_av_kaspersky_av_disabled.yml | 4 ++-- .../process_creation/proc_creation_lnx_base64_decode.yml | 2 +- .../proc_creation_lnx_base64_execution.yml | 2 +- .../proc_creation_lnx_base64_shebang_cli.yml | 2 +- .../proc_creation_lnx_bpf_kprob_tracing_enabled.yml | 2 +- .../process_creation/proc_creation_lnx_cap_setgid.yml | 1 - .../process_creation/proc_creation_lnx_cap_setuid.yml | 1 - .../proc_creation_lnx_chattr_immutable_removal.yml | 2 +- ...reation_lnx_chmod_targeting_sensitive_directories.yml | 2 +- .../process_creation/proc_creation_lnx_clear_logs.yml | 4 ++-- .../process_creation/proc_creation_lnx_clear_syslog.yml | 4 ++-- .../proc_creation_lnx_crontab_removal.yml | 2 +- .../proc_creation_lnx_dd_process_injection.yml | 2 +- .../process_creation/proc_creation_lnx_disable_ufw.yml | 4 ++-- .../proc_creation_lnx_doas_execution.yml | 1 - .../proc_creation_lnx_esxcli_syslog_config_change.yml | 6 +++--- .../process_creation/proc_creation_lnx_file_deletion.yml | 2 +- .../proc_creation_lnx_install_root_certificate.yml | 2 +- .../proc_creation_lnx_install_suspicious_packages.yml | 2 +- .../proc_creation_lnx_iptables_flush_ufw.yml | 4 ++-- .../process_creation/proc_creation_lnx_mount_hidepid.yml | 2 +- .../proc_creation_lnx_proxy_connection.yml | 1 - ...proc_creation_lnx_python_base64_encoded_execution.yml | 2 +- .../proc_creation_lnx_remove_package.yml | 2 +- .../proc_creation_lnx_security_tools_disabling.yml | 4 ++-- .../proc_creation_lnx_services_stop_and_disable.yml | 4 
++-- .../process_creation/proc_creation_lnx_setgid_setuid.yml | 1 - .../proc_creation_lnx_susp_execution_tmp_folder.yml | 2 +- .../proc_creation_lnx_susp_interactive_bash.yml | 2 +- .../proc_creation_lnx_susp_pipe_shell.yml | 2 +- .../process_creation/proc_creation_lnx_touch_susp.yml | 2 +- ...c_creation_lnx_triple_cross_rootkit_execve_hijack.yml | 2 +- .../proc_creation_lnx_triple_cross_rootkit_install.yml | 2 +- .../proc_creation_macos_base64_decode.yml | 2 +- .../proc_creation_macos_binary_padding.yml | 2 +- .../proc_creation_macos_change_file_time_attr.yml | 2 +- .../proc_creation_macos_chflags_hidden_flag.yml | 2 +- .../proc_creation_macos_clear_system_logs.yml | 4 ++-- .../proc_creation_macos_create_hidden_account.yml | 2 +- .../proc_creation_macos_disable_security_tools.yml | 4 ++-- .../proc_creation_macos_dscl_add_user_to_admin_group.yml | 2 +- ...roc_creation_macos_dseditgroup_add_to_admin_group.yml | 2 +- ...c_creation_macos_dsenableroot_enable_root_account.yml | 2 +- .../proc_creation_macos_nscurl_usage.yml | 1 - ...proc_creation_macos_payload_decoded_and_decrypted.yml | 2 +- ...s_remote_access_tools_renamed_meshagent_execution.yml | 2 +- .../proc_creation_macos_space_after_filename.yml | 2 +- ...creation_macos_susp_execution_macos_script_editor.yml | 2 +- ...reation_macos_sysadminctl_add_user_to_admin_group.yml | 2 +- ...c_creation_macos_sysadminctl_enable_guest_account.yml | 2 +- .../proc_creation_macos_sysctl_discovery.yml | 2 +- .../proc_creation_macos_system_profiler_discovery.yml | 2 +- ...proc_creation_macos_tail_base64_decode_from_image.yml | 2 +- .../proc_creation_macos_xattr_gatekeeper_bypass.yml | 2 +- rules/network/cisco/aaa/cisco_cli_clear_logs.yml | 2 +- rules/network/cisco/aaa/cisco_cli_crypto_actions.yml | 2 +- rules/network/cisco/aaa/cisco_cli_disable_logging.yml | 4 ++-- rules/network/cisco/aaa/cisco_cli_dot1x_disabled.yml | 4 ++-- rules/network/cisco/aaa/cisco_cli_file_deletion.yml | 2 +- 
rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml | 2 +- rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml | 2 +- .../fortinet_fortigate_new_firewall_address_object.yml | 4 ++-- .../fortinet_fortigate_new_firewall_policy_added.yml | 4 ++-- rules/network/huawei/bgp/huawei_bgp_auth_failed.yml | 2 +- rules/network/juniper/bgp/juniper_bgp_missing_md5.yml | 2 +- rules/web/proxy_generic/proxy_download_susp_dyndns.yml | 1 - .../proxy_hktl_cobalt_strike_malleable_c2_requests.yml | 1 - .../proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml | 1 - .../web/proxy_generic/proxy_raw_paste_service_access.yml | 1 - .../web/proxy_generic/proxy_susp_flash_download_loc.yml | 2 +- rules/web/proxy_generic/proxy_telegram_api.yml | 1 - rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml | 3 ++- rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml | 3 ++- rules/web/proxy_generic/proxy_ua_empty.yml | 1 - rules/web/proxy_generic/proxy_ua_powershell.yml | 1 - rules/web/webserver_generic/web_ssti_in_access_logs.yml | 2 +- .../win_application_error_msmpeng_crash.yml | 5 +++-- .../microsoft-windows_audit_cve/win_audit_cve.yml | 2 +- .../microsoft_windows_backup/win_susp_backup_delete.yml | 2 +- .../win_software_restriction_policies_block.yml | 1 - .../msiinstaller/win_msi_install_from_web.yml | 2 +- .../mssqlserver/win_mssql_disable_audit_settings.yml | 2 +- .../win_application_msmpeng_crash_wer.yml | 5 +++-- ...ppmodel_runtime_sysinternals_tools_appx_execution.yml | 2 +- .../win_appxdeployment_server_applocker_block.yml | 2 +- ..._server_appx_downloaded_from_file_sharing_domains.yml | 2 +- ...px_package_deployment_failed_signing_requirements.yml | 2 +- ...ployment_server_appx_package_in_staging_directory.yml | 2 +- .../win_appxdeployment_server_mal_appx_names.yml | 2 +- .../win_appxdeployment_server_policy_block.yml | 2 +- ..._appxdeployment_server_uncommon_package_locations.yml | 2 +- ...xpackaging_server_full_trust_package_installation.yml | 2 +- 
...ppxpackaging_server_unsigned_package_installation.yml | 2 +- .../win_appxpackaging_om_sups_appx_signature.yml | 2 +- .../win_bits_client_new_job_via_bitsadmin.yml | 3 ++- .../win_bits_client_new_job_via_powershell.yml | 3 ++- ...n_bits_client_new_transfer_saving_susp_extensions.yml | 3 ++- ...bits_client_new_transfer_via_file_sharing_domains.yml | 3 ++- .../win_bits_client_new_transfer_via_ip_address.yml | 3 ++- .../win_bits_client_new_transfer_via_uncommon_tld.yml | 3 ++- .../win_bits_client_new_trasnfer_susp_local_folder.yml | 3 ++- .../win_dns_server_susp_server_level_plugin_dll.yml | 3 ++- .../builtin/firewall_as/win_firewall_as_add_rule.yml | 4 ++-- .../firewall_as/win_firewall_as_add_rule_susp_folder.yml | 4 ++-- .../firewall_as/win_firewall_as_add_rule_wmiprvse.yml | 4 ++-- .../firewall_as/win_firewall_as_delete_all_rules.yml | 4 ++-- .../builtin/firewall_as/win_firewall_as_delete_rule.yml | 4 ++-- .../firewall_as/win_firewall_as_failed_load_gpo.yml | 4 ++-- .../builtin/firewall_as/win_firewall_as_reset_config.yml | 4 ++-- .../firewall_as/win_firewall_as_setting_change.yml | 4 ++-- .../iis-configuration/win_iis_logging_etw_disabled.yml | 4 ++-- .../iis-configuration/win_iis_logging_http_disabled.yml | 4 ++-- .../builtin/iis-configuration/win_iis_module_added.yml | 4 ++-- .../builtin/iis-configuration/win_iis_module_removed.yml | 4 ++-- .../win_exchange_proxyshell_remove_mailbox_export.yml | 2 +- rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml | 1 - .../win_security_access_token_abuse.yml | 2 +- .../account_management/win_security_admin_rdp_login.yml | 2 +- .../win_security_overpass_the_hash.yml | 1 - .../account_management/win_security_pass_the_hash_2.yml | 1 - ...win_security_successful_external_remote_rdp_login.yml | 2 +- ...win_security_successful_external_remote_smb_login.yml | 2 +- .../win_security_susp_failed_logon_source.yml | 2 +- .../win_security_susp_logon_newcredentials.yml | 1 - ...in_security_susp_privesc_kerberos_relay_over_ldap.yml | 1 - 
.../win_security_wfp_endpoint_agent_blocked.yml | 4 ++-- .../security/win_security_ad_object_writedac_access.yml | 2 +- .../security/win_security_add_remove_computer.yml | 2 +- .../win_security_alert_enable_weak_encryption.yml | 4 ++-- .../builtin/security/win_security_alert_ruler.yml | 1 - .../builtin/security/win_security_audit_log_cleared.yml | 4 ++-- .../win_security_codeintegrity_check_failure.yml | 2 +- .../win_security_default_domain_gpo_modification.yml | 2 +- .../security/win_security_disable_event_auditing.yml | 4 ++-- .../win_security_disable_event_auditing_critical.yml | 4 ++-- .../builtin/security/win_security_dot_net_etw_tamper.yml | 4 ++-- .../builtin/security/win_security_hktl_edr_silencer.yml | 4 ++-- .../builtin/security/win_security_hktl_nofilter.yml | 2 +- ...ecurity_invoke_obfuscation_clip_services_security.yml | 3 +-- ...voke_obfuscation_obfuscated_iex_services_security.yml | 2 +- ...curity_invoke_obfuscation_stdin_services_security.yml | 2 +- ...security_invoke_obfuscation_var_services_security.yml | 2 +- ...invoke_obfuscation_via_compress_services_security.yml | 2 +- ...y_invoke_obfuscation_via_rundll_services_security.yml | 2 +- ...ty_invoke_obfuscation_via_stdin_services_security.yml | 2 +- ...invoke_obfuscation_via_use_clip_services_security.yml | 2 +- ...nvoke_obfuscation_via_use_mshta_services_security.yml | 2 +- ...ke_obfuscation_via_use_rundll32_services_security.yml | 2 +- ...rity_invoke_obfuscation_via_var_services_security.yml | 2 +- ...rpreter_or_cobaltstrike_getsystem_service_install.yml | 2 +- .../builtin/security/win_security_net_ntlm_downgrade.yml | 5 ++--- ...rity_new_or_renamed_user_account_with_dollar_sign.yml | 2 +- .../builtin/security/win_security_possible_dc_shadow.yml | 2 +- .../builtin/security/win_security_rdp_reverse_tunnel.yml | 1 - .../win_security_registry_permissions_weakness_check.yml | 3 ++- .../win_security_scm_database_privileged_operation.yml | 1 - .../win_security_sdelete_potential_secure_deletion.yml | 3 
++- .../security/win_security_susp_add_sid_history.yml | 2 +- .../builtin/security/win_security_susp_computer_name.yml | 2 +- .../security/win_security_susp_failed_logon_reasons.yml | 2 +- ...curity_susp_group_policy_abuse_privilege_addition.yml | 2 +- ...ity_susp_group_policy_startup_script_added_to_gpo.yml | 2 +- .../win_security_susp_logon_explicit_credentials.yml | 2 +- .../security/win_security_susp_opened_encrypted_zip.yml | 2 +- .../win_security_susp_opened_encrypted_zip_filename.yml | 2 +- .../win_security_susp_opened_encrypted_zip_outlook.yml | 2 +- ...n_security_susp_possible_shadow_credentials_added.yml | 2 +- .../security/win_security_susp_time_modification.yml | 2 +- .../win_security_sysmon_channel_reference_deletion.yml | 2 +- .../win_security_user_added_to_local_administrators.yml | 2 +- .../builtin/security/win_security_user_driver_loaded.yml | 4 ++-- ...ity_windows_defender_exclusions_registry_modified.yml | 4 ++-- ...security_windows_defender_exclusions_write_access.yml | 4 ++-- ...n_security_mitigations_defender_load_unsigned_dll.yml | 3 ++- ...urity_mitigations_unsigned_dll_from_susp_location.yml | 3 ++- .../win_system_application_sysmon_crash.yml | 4 ++-- .../builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml | 1 - .../win_system_adcs_enrollment_request_denied.yml | 2 +- .../win_system_susp_dhcp_config.yml | 3 ++- .../win_system_susp_dhcp_config_failed.yml | 3 ++- .../win_system_eventlog_cleared.yml | 4 ++-- .../win_system_susp_eventlog_cleared.yml | 4 ++-- .../system/netlogon/win_system_vul_cve_2020_1472.yml | 1 - .../win_system_defender_disabled.yml | 4 ++-- .../win_system_invoke_obfuscation_clip_services.yml | 2 +- ...system_invoke_obfuscation_obfuscated_iex_services.yml | 2 +- .../win_system_invoke_obfuscation_stdin_services.yml | 2 +- .../win_system_invoke_obfuscation_var_services.yml | 2 +- ...n_system_invoke_obfuscation_via_compress_services.yml | 2 +- ...win_system_invoke_obfuscation_via_rundll_services.yml | 2 +- 
.../win_system_invoke_obfuscation_via_stdin_services.yml | 2 +- ...n_system_invoke_obfuscation_via_use_clip_services.yml | 2 +- ..._system_invoke_obfuscation_via_use_mshta_services.yml | 2 +- ...stem_invoke_obfuscation_via_use_rundll32_services.yml | 2 +- .../win_system_invoke_obfuscation_via_var_services.yml | 2 +- ...er_or_cobaltstrike_getsystem_service_installation.yml | 2 +- .../win_system_service_terminated_error_generic.yml | 2 +- .../win_system_service_terminated_error_important.yml | 2 +- .../win_system_service_terminated_unexpectedly.yml | 2 +- .../win_defender_antimalware_platform_expired.yml | 4 ++-- .../win_defender_config_change_exclusion_added.yml | 4 ++-- .../win_defender_config_change_exploit_guard_tamper.yml | 4 ++-- ..._defender_config_change_sample_submission_consent.yml | 4 ++-- .../builtin/windefend/win_defender_history_delete.yml | 2 +- .../win_defender_malware_and_pua_scan_disabled.yml | 4 ++-- .../win_defender_real_time_protection_disabled.yml | 4 ++-- .../win_defender_real_time_protection_errors.yml | 4 ++-- .../windefend/win_defender_restored_quarantine_file.yml | 4 ++-- .../win_defender_suspicious_features_tampering.yml | 4 ++-- .../windefend/win_defender_tamper_protection_trigger.yml | 4 ++-- .../windefend/win_defender_virus_scan_disabled.yml | 4 ++-- .../create_remote_thread_win_hktl_cactustorch.yml | 2 +- .../create_remote_thread_win_hktl_cobaltstrike.yml | 2 +- .../create_remote_thread_win_powershell_susp_targets.yml | 2 +- ...eate_remote_thread_win_susp_relevant_source_image.yml | 2 +- ...eate_remote_thread_win_susp_uncommon_source_image.yml | 2 +- ...eate_remote_thread_win_susp_uncommon_target_image.yml | 2 +- .../create_remote_thread_win_ttdinjec.yml | 3 ++- .../create_stream_hash_ads_executable.yml | 2 +- .../create_stream_hash_creation_internet_file.yml | 2 +- ...hash_file_sharing_domains_download_susp_extension.yml | 2 +- ...h_file_sharing_domains_download_unusual_extension.yml | 2 +- 
.../create_stream_hash_hktl_generic_download.yml | 2 +- .../create_stream_hash_regedit_export_to_ads.yml | 2 +- .../create_stream_hash_susp_ip_domains.yml | 2 +- .../create_stream_hash_winget_susp_package_source.yml | 2 +- .../create_stream_hash_zip_tld_download.yml | 2 +- .../dns_query/dns_query_win_regsvr32_dns_query.yml | 2 +- rules/windows/driver_load/driver_load_win_windivert.yml | 2 +- .../file_delete_win_delete_event_log_files.yml | 2 +- .../file_delete_win_delete_exchange_powershell_logs.yml | 2 +- .../file_delete_win_delete_iis_access_logs.yml | 2 +- .../file_delete/file_delete_win_delete_own_image.yml | 2 +- ...file_delete_win_delete_powershell_command_history.yml | 2 +- .../file/file_delete/file_delete_win_delete_prefetch.yml | 2 +- .../file_delete_win_delete_teamviewer_logs.yml | 2 +- .../file_delete/file_delete_win_delete_tomcat_logs.yml | 2 +- ...ile_delete_win_sysinternals_sdelete_file_deletion.yml | 2 +- .../file_delete_win_zone_identifier_ads_uncommon.yml | 2 +- .../file_event_win_arcsoc_susp_file_created.yml | 3 ++- .../file_event_win_create_evtx_non_common_locations.yml | 4 ++-- .../file_event_win_create_non_existent_dlls.yml | 3 ++- .../file_event_win_creation_system_dll_files.yml | 2 +- .../file_event/file_event_win_creation_system_file.yml | 2 +- .../file_event_win_csharp_compile_artefact.yml | 2 +- .../file_event_win_dll_sideloading_space_path.yml | 3 ++- .../file_event_win_dump_file_susp_creation.yml | 2 +- .../file_event_win_hktl_powerup_dllhijacking.yml | 3 ++- ...ent_win_initial_access_dll_search_order_hijacking.yml | 3 ++- .../file_event_win_iphlpapi_dll_sideloading.yml | 3 ++- .../file_event_win_mysqld_uncommon_file_creation.yml | 2 +- .../file/file_event/file_event_win_net_cli_artefact.yml | 2 +- ...le_event_win_new_files_in_uncommon_appdata_folder.yml | 2 +- .../file/file_event/file_event_win_new_scr_file.yml | 2 +- ..._event_win_office_onenote_files_in_susp_locations.yml | 2 +- .../file_event_win_office_onenote_susp_dropped_files.yml 
| 2 +- ...vent_win_office_publisher_files_in_susp_locations.yml | 2 +- ...s_script_policy_test_creation_by_uncommon_process.yml | 2 +- .../file_event/file_event_win_rdp_file_susp_creation.yml | 2 +- .../file_event_win_redmimicry_winnti_filedrop.yml | 2 +- .../file_event/file_event_win_regedit_print_as_pdf.yml | 2 +- .../file/file_event/file_event_win_sed_file_creation.yml | 2 +- .../file_event_win_shell_write_susp_files_extensions.yml | 2 +- .../file/file_event/file_event_win_susp_colorcpl.yml | 2 +- .../file_event_win_susp_creation_by_mobsync.yml | 2 +- .../file_event_win_susp_default_gpo_dir_write.yml | 2 +- .../file_event/file_event_win_susp_double_extension.yml | 2 +- .../file_event_win_susp_executable_creation.yml | 2 +- .../file/file_event/file_event_win_susp_get_variable.yml | 2 +- .../file_event_win_susp_hidden_dir_index_allocation.yml | 2 +- .../file_event_win_susp_homoglyph_filename.yml | 3 +-- ...le_event_win_susp_legitimate_app_dropping_archive.yml | 2 +- .../file_event_win_susp_legitimate_app_dropping_exe.yml | 2 +- ...susp_legitimate_app_dropping_in_uncommon_location.yml | 2 +- ...ile_event_win_susp_legitimate_app_dropping_script.yml | 2 +- .../file_event_win_susp_lnk_double_extension.yml | 2 +- ...in_susp_procexplorer_driver_created_in_tmp_folder.yml | 4 ++-- .../file_event_win_susp_recycle_bin_fake_exec.yml | 2 +- ...in_susp_right_to_left_override_extension_spoofing.yml | 2 +- .../file_event_win_susp_spool_drivers_color_drop.yml | 2 +- .../file_event_win_susp_wdac_policy_creation.yml | 2 +- ...e_event_win_sysinternals_livekd_default_dump_name.yml | 2 +- .../file_event_win_sysinternals_livekd_driver.yml | 2 +- ...vent_win_sysinternals_livekd_driver_susp_creation.yml | 2 +- ...nt_win_system32_local_folder_privilege_escalation.yml | 2 +- .../file_event_win_uac_bypass_consent_comctl32.yml | 1 - .../file_event_win_uac_bypass_dotnet_profiler.yml | 1 - .../file_event/file_event_win_uac_bypass_eventvwr.yml | 2 +- 
.../file_event_win_uac_bypass_idiagnostic_profile.yml | 1 - .../file_event/file_event_win_uac_bypass_ieinstal.yml | 1 - .../file_event_win_uac_bypass_msconfig_gui.yml | 1 - .../file_event_win_uac_bypass_ntfs_reparse_point.yml | 1 - .../file/file_event/file_event_win_uac_bypass_winsat.yml | 1 - .../file/file_event/file_event_win_uac_bypass_wmp.yml | 1 - .../file_event/file_event_win_werfault_dll_hijacking.yml | 3 ++- .../file/file_event/file_event_win_winrm_awl_bypass.yml | 2 +- .../file_event/file_event_win_wpbbin_persistence.yml | 2 +- ...ile_executable_detected_win_susp_embeded_sed_file.yml | 2 +- .../image_load_cmstp_load_dll_from_susp_location.yml | 2 +- .../image_load_dll_amsi_suspicious_process.yml | 2 +- ...l_azure_microsoft_account_token_provider_dll_load.yml | 3 ++- ...load_dll_comsvcs_load_renamed_version_by_rundll32.yml | 1 - .../image_load_dll_rstrtmgr_suspicious_load.yml | 4 ++-- .../image_load/image_load_dll_rstrtmgr_uncommon_load.yml | 4 ++-- .../image_load/image_load_dll_sdiageng_load_by_msdt.yml | 2 +- .../image_load/image_load_dll_tttracer_module_load.yml | 2 +- .../image_load/image_load_dll_unsigned_node_load.yml | 2 +- .../image_load/image_load_dll_vss_ps_susp_load.yml | 1 - .../image_load/image_load_dll_vssapi_susp_load.yml | 1 - .../image_load/image_load_dll_vsstrace_susp_load.yml | 1 - .../windows/image_load/image_load_hktl_sharpevtmute.yml | 4 ++-- .../image_load/image_load_office_powershell_dll_load.yml | 2 +- rules/windows/image_load/image_load_side_load_7za.yml | 3 ++- .../image_load/image_load_side_load_antivirus.yml | 3 ++- .../image_load/image_load_side_load_appverifui.yml | 3 ++- ..._side_load_aruba_networks_virtual_intranet_access.yml | 3 ++- rules/windows/image_load/image_load_side_load_avkkid.yml | 3 ++- .../image_load/image_load_side_load_ccleaner_du.yml | 3 ++- .../image_load_side_load_ccleaner_reactivator.yml | 3 ++- .../image_load_side_load_chrome_frame_helper.yml | 3 ++- .../image_load_side_load_classicexplorer32.yml | 3 ++- 
.../windows/image_load/image_load_side_load_comctl32.yml | 3 ++- .../windows/image_load/image_load_side_load_coregen.yml | 2 +- ...image_load_side_load_cpl_from_non_system_location.yml | 3 ++- .../windows/image_load/image_load_side_load_dbgcore.yml | 3 ++- .../windows/image_load/image_load_side_load_dbghelp.yml | 3 ++- .../windows/image_load/image_load_side_load_dbgmodel.yml | 3 ++- rules/windows/image_load/image_load_side_load_eacore.yml | 3 ++- .../windows/image_load/image_load_side_load_edputil.yml | 3 ++- .../image_load_side_load_from_non_system_location.yml | 3 ++- .../windows/image_load/image_load_side_load_goopdate.yml | 3 ++- .../image_load/image_load_side_load_gup_libcurl.yml | 3 ++- .../windows/image_load/image_load_side_load_iviewers.yml | 3 ++- rules/windows/image_load/image_load_side_load_jli.yml | 3 ++- .../windows/image_load/image_load_side_load_jsschhlp.yml | 3 ++- .../image_load/image_load_side_load_keyscrambler.yml | 3 ++- rules/windows/image_load/image_load_side_load_libvlc.yml | 3 ++- .../image_load/image_load_side_load_mfdetours.yml | 3 ++- .../image_load_side_load_mfdetours_unsigned.yml | 3 ++- rules/windows/image_load/image_load_side_load_mpsvc.yml | 3 ++- .../windows/image_load/image_load_side_load_mscorsvc.yml | 3 ++- .../image_load_side_load_non_existent_dlls.yml | 3 ++- .../image_load/image_load_side_load_office_dlls.yml | 3 ++- rules/windows/image_load/image_load_side_load_python.yml | 3 ++- rules/windows/image_load/image_load_side_load_rcdll.yml | 3 ++- ...image_load_side_load_rjvplatform_default_location.yml | 3 ++- ...e_load_side_load_rjvplatform_non_default_location.yml | 3 ++- .../windows/image_load/image_load_side_load_robform.yml | 3 ++- .../image_load/image_load_side_load_shell_chrome_api.yml | 3 ++- .../image_load/image_load_side_load_shelldispatch.yml | 3 ++- .../windows/image_load/image_load_side_load_smadhook.yml | 3 ++- .../image_load/image_load_side_load_solidpdfcreator.yml | 3 ++- 
.../image_load/image_load_side_load_third_party.yml | 3 ++- rules/windows/image_load/image_load_side_load_ualapi.yml | 3 ++- .../image_load/image_load_side_load_vcruntime140.yml | 3 ++- .../image_load/image_load_side_load_vivaldi_elf.yml | 3 ++- .../image_load/image_load_side_load_vmguestlib.yml | 3 ++- .../image_load_side_load_vmmap_dbghelp_signed.yml | 3 ++- .../image_load_side_load_vmmap_dbghelp_unsigned.yml | 3 ++- .../image_load/image_load_side_load_vmware_xfer.yml | 3 ++- .../windows/image_load/image_load_side_load_waveedit.yml | 3 ++- rules/windows/image_load/image_load_side_load_wazuh.yml | 3 ++- .../image_load/image_load_side_load_windows_defender.yml | 3 ++- rules/windows/image_load/image_load_side_load_wwlib.yml | 3 ++- .../image_load/image_load_susp_baaupdate_dll_load.yml | 2 +- .../image_load_susp_clickonce_unsigned_module_loaded.yml | 3 ++- .../image_load_susp_dll_load_system_process.yml | 2 +- .../image_load/image_load_susp_python_image_load.yml | 2 +- .../image_load_susp_script_dotnet_clr_dll_load.yml | 2 +- .../windows/image_load/image_load_susp_unsigned_dll.yml | 2 +- .../image_load/image_load_thor_unsigned_execution.yml | 3 ++- .../image_load/image_load_uac_bypass_iscsicpl.yml | 1 - .../image_load/image_load_uac_bypass_via_dism.yml | 3 ++- .../image_load_win_mmc_loads_script_engine_dll.yml | 2 +- .../image_load_win_susp_dbgcore_dbghelp_load.yml | 4 ++-- .../image_load/image_load_win_trusted_path_bypass.yml | 3 ++- .../image_load_wmic_remote_xsl_scripting_dlls.yml | 2 +- .../net_connection_win_addinutil_initiated.yml | 2 +- .../net_connection_win_cmstp_initiated_connection.yml | 2 +- .../network_connection/net_connection_win_notepad.yml | 2 +- .../net_connection_win_office_uncommon_ports.yml | 2 +- .../net_connection_win_regasm_network_activity.yml | 2 +- .../net_connection_win_regsvr32_network_activity.yml | 2 +- .../net_connection_win_rundll32_net_connections.yml | 2 +- ...nection_win_silenttrinity_stager_msbuild_activity.yml | 2 +- 
.../net_connection_win_susp_binary_no_cmdline.yml | 2 +- ..._connection_win_susp_outbound_kerberos_connection.yml | 1 - ...t_connection_win_susp_outbound_mobsync_connection.yml | 2 +- .../net_connection_win_winlogon_net_connections.yml | 2 +- .../net_connection_win_wordpad_uncommon_ports.yml | 2 +- .../net_connection_win_wuauclt_network_connection.yml | 2 +- .../pipe_created/pipe_created_hktl_cobaltstrike.yml | 2 +- .../pipe_created/pipe_created_hktl_cobaltstrike_re.yml | 2 +- ...pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml | 2 +- .../pipe_created/pipe_created_hktl_coercedpotato.yml | 2 +- .../windows/pipe_created/pipe_created_hktl_efspotato.yml | 2 +- .../pipe_created/pipe_created_hktl_koh_default_pipe.yml | 2 +- .../pipe_created_susp_malicious_namedpipes.yml | 2 +- .../powershell_classic/posh_pc_downgrade_attack.yml | 1 - .../powershell_classic/posh_pc_exe_calling_ps.yml | 1 - .../posh_pc_remotefxvgpudisablement_abuse.yml | 2 +- .../powershell_classic/posh_pc_renamed_powershell.yml | 2 +- .../posh_pc_tamper_windows_defender_set_mp.yml | 4 ++-- .../posh_pm_clear_powershell_history.yml | 2 +- .../powershell_module/posh_pm_decompress_commands.yml | 2 +- .../posh_pm_invoke_obfuscation_clip.yml | 2 +- .../posh_pm_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../posh_pm_invoke_obfuscation_stdin.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_var.yml | 2 +- .../posh_pm_invoke_obfuscation_via_compress.yml | 2 +- .../posh_pm_invoke_obfuscation_via_rundll.yml | 2 +- .../posh_pm_invoke_obfuscation_via_stdin.yml | 2 +- .../posh_pm_invoke_obfuscation_via_use_clip.yml | 2 +- .../posh_pm_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../posh_pm_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../posh_pm_remotefxvgpudisablement_abuse.yml | 2 +- .../posh_pm_susp_reset_computermachinepassword.yml | 2 +- .../posh_pm_syncappvpublishingserver_exe.yml | 2 +- .../posh_ps_amsi_bypass_pattern_nov22.yml | 4 ++-- 
.../powershell_script/posh_ps_amsi_null_bits_bypass.yml | 4 ++-- .../posh_ps_clear_powershell_history.yml | 2 +- .../posh_ps_clearing_windows_console_history.yml | 2 +- .../posh_ps_copy_item_system_directory.yml | 2 +- .../powershell_script/posh_ps_cor_profiler.yml | 3 ++- .../posh_ps_create_new_dmsasvc_account.yml | 2 +- .../powershell_script/posh_ps_detect_vm_env.yml | 2 +- .../posh_ps_disable_psreadline_command_history.yml | 2 +- .../posh_ps_disable_windows_optional_feature.yml | 4 ++-- .../posh_ps_dotnet_assembly_from_file.yml | 2 +- .../posh_ps_enable_susp_windows_optional_feature.yml | 2 +- .../powershell_script/posh_ps_etw_trace_evasion.yml | 5 +++-- .../powershell_script/posh_ps_get_acl_service.yml | 3 ++- .../powershell/powershell_script/posh_ps_hktl_rubeus.yml | 1 - .../powershell/powershell_script/posh_ps_hktl_winpwn.yml | 1 - .../posh_ps_install_unsigned_appx_packages.yml | 2 +- .../posh_ps_invoke_obfuscation_clip.yml | 2 +- .../posh_ps_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../posh_ps_invoke_obfuscation_stdin.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +- .../posh_ps_invoke_obfuscation_via_compress.yml | 2 +- .../posh_ps_invoke_obfuscation_via_rundll.yml | 2 +- .../posh_ps_invoke_obfuscation_via_stdin.yml | 2 +- .../posh_ps_invoke_obfuscation_via_use_clip.yml | 2 +- .../posh_ps_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../posh_ps_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../posh_ps_invoke_obfuscation_via_var.yml | 2 +- .../posh_ps_modification_of_dmsa_link_attribute.yml | 2 +- .../posh_ps_modify_group_policy_settings.yml | 2 +- .../powershell_script/posh_ps_ntfs_ads_access.yml | 2 +- .../posh_ps_remotefxvgpudisablement_abuse.yml | 2 +- .../posh_ps_root_certificate_installed.yml | 2 +- .../posh_ps_run_from_mount_diskimage.yml | 2 +- .../powershell/powershell_script/posh_ps_set_acl.yml | 2 +- .../powershell_script/posh_ps_set_acl_susp_location.yml | 2 +- .../powershell_script/posh_ps_shellcode_b64.yml | 2 +- 
.../posh_ps_store_file_in_alternate_data_stream.yml | 2 +- .../powershell_script/posh_ps_susp_ace_tampering.yml | 2 +- .../powershell_script/posh_ps_susp_alias_obfscuation.yml | 2 +- .../powershell_script/posh_ps_susp_clear_eventlog.yml | 4 ++-- .../powershell_script/posh_ps_susp_follina_execution.yml | 2 +- .../powershell_script/posh_ps_susp_hyper_v_condlet.yml | 2 +- .../powershell_script/posh_ps_susp_iofilestream.yml | 2 +- .../powershell_script/posh_ps_susp_mount_diskimage.yml | 2 +- .../posh_ps_susp_mounted_share_deletion.yml | 2 +- ...osh_ps_susp_service_dacl_modification_set_service.yml | 3 ++- .../powershell_script/posh_ps_susp_set_alias.yml | 2 +- .../powershell_script/posh_ps_susp_start_process.yml | 2 +- .../powershell_script/posh_ps_susp_unblock_file.yml | 2 +- .../powershell_script/posh_ps_susp_windowstyle.yml | 2 +- .../powershell_script/posh_ps_susp_write_eventlog.yml | 2 +- .../posh_ps_syncappvpublishingserver_exe.yml | 2 +- .../posh_ps_tamper_windows_defender_rem_mp.yml | 4 ++-- .../posh_ps_tamper_windows_defender_set_mp.yml | 4 ++-- .../powershell/powershell_script/posh_ps_timestomp.yml | 2 +- .../posh_ps_using_set_service_to_hide_services.yml | 3 ++- .../posh_ps_vbscript_registry_modification.yml | 2 +- .../posh_ps_win32_nteventlogfile_usage.yml | 2 +- .../posh_ps_win32_product_install_msi.yml | 2 +- .../posh_ps_win_defender_exclusions_added.yml | 4 ++-- .../posh_ps_windows_firewall_profile_disabled.yml | 4 ++-- .../powershell_script/posh_ps_x509enrollment.yml | 2 +- .../proc_access_win_cmstp_execution_by_access.yml | 2 +- ...ccess_win_hktl_cobaltstrike_bof_injection_pattern.yml | 4 ++-- .../proc_access_win_hktl_handlekatz_lsass_access.yml | 1 - ...c_access_win_hktl_littlecorporal_generated_maldoc.yml | 2 +- .../process_access/proc_access_win_hktl_sysmonente.yml | 4 ++-- .../proc_access_win_susp_all_access_uncommon_target.yml | 2 +- .../proc_access_win_susp_dbgcore_dbghelp_load.yml | 4 ++-- .../proc_access_win_svchost_credential_dumping.yml | 1 - 
.../proc_access_win_svchost_susp_access_request.yml | 4 ++-- ...oc_access_win_uac_bypass_editionupgrademanagerobj.yml | 1 - .../proc_access_win_uac_bypass_wow64_logger.yml | 1 - .../proc_access_win_werfaultsecure_msmpeng_access.yml | 4 ++-- .../proc_creation_win_addinutil_suspicious_cmdline.yml | 2 +- ...roc_creation_win_addinutil_uncommon_child_process.yml | 2 +- .../proc_creation_win_addinutil_uncommon_cmdline.yml | 2 +- .../proc_creation_win_addinutil_uncommon_dir_exec.yml | 2 +- .../proc_creation_win_adplus_memory_dump.yml | 1 - .../proc_creation_win_agentexecutor_potential_abuse.yml | 2 +- .../proc_creation_win_agentexecutor_susp_usage.yml | 2 +- .../proc_creation_win_amsi_registry_tampering.yml | 5 ++--- .../proc_creation_win_appvlp_uncommon_child_process.yml | 2 +- .../proc_creation_win_aspnet_compiler_exectuion.yml | 3 ++- ...c_creation_win_aspnet_compiler_susp_child_process.yml | 3 ++- .../proc_creation_win_aspnet_compiler_susp_paths.yml | 3 ++- ...proc_creation_win_atbroker_uncommon_ats_execution.yml | 2 +- .../proc_creation_win_attrib_hiding_files.yml | 2 +- .../proc_creation_win_attrib_system_susp_paths.yml | 2 +- .../proc_creation_win_auditpol_nt_resource_kit_usage.yml | 4 ++-- .../proc_creation_win_auditpol_susp_execution.yml | 4 ++-- ...tion_win_autologger_session_registry_modification.yml | 4 ++-- .../proc_creation_win_baaupdate_susp_child_process.yml | 2 +- .../proc_creation_win_bash_command_execution.yml | 2 +- .../proc_creation_win_bash_file_execution.yml | 2 +- .../proc_creation_win_bcdedit_susp_execution.yml | 2 +- ...proc_creation_win_bginfo_suspicious_child_process.yml | 2 +- .../proc_creation_win_bginfo_uncommon_child_process.yml | 2 +- .../proc_creation_win_bitlockertogo_execution.yml | 2 +- .../proc_creation_win_bitsadmin_download.yml | 3 ++- .../proc_creation_win_bitsadmin_download_direct_ip.yml | 3 ++- ...ation_win_bitsadmin_download_file_sharing_domains.yml | 3 ++- ...c_creation_win_bitsadmin_download_susp_extensions.yml | 3 ++- 
...creation_win_bitsadmin_download_susp_targetfolder.yml | 3 ++- ...proc_creation_win_bitsadmin_potential_persistence.yml | 3 ++- ...creation_win_browsers_chromium_headless_debugging.yml | 2 +- ...proc_creation_win_browsers_chromium_headless_exec.yml | 2 +- ...tion_win_browsers_chromium_headless_file_download.yml | 2 +- .../proc_creation_win_calc_uncommon_exec.yml | 2 +- ...proc_creation_win_cdb_arbitrary_command_execution.yml | 2 +- ...roc_creation_win_certmgr_certificate_installation.yml | 2 +- .../proc_creation_win_certoc_load_dll.yml | 2 +- .../proc_creation_win_certoc_load_dll_susp_locations.yml | 2 +- ...oc_creation_win_certutil_certificate_installation.yml | 2 +- .../proc_creation_win_certutil_decode.yml | 2 +- .../proc_creation_win_certutil_download.yml | 2 +- .../proc_creation_win_certutil_download_direct_ip.yml | 2 +- ...eation_win_certutil_download_file_sharing_domains.yml | 2 +- .../proc_creation_win_certutil_encode.yml | 2 +- ...proc_creation_win_certutil_encode_susp_extensions.yml | 2 +- .../proc_creation_win_certutil_encode_susp_location.yml | 2 +- .../proc_creation_win_certutil_export_pfx.yml | 2 +- .../proc_creation_win_certutil_ntlm_coercion.yml | 2 +- .../proc_creation_win_chcp_codepage_switch.yml | 2 +- .../proc_creation_win_citrix_trolleyexpress_procdump.yml | 2 +- .../proc_creation_win_cmd_curl_download_exec_combo.yml | 2 +- .../proc_creation_win_cmd_del_execution.yml | 2 +- .../proc_creation_win_cmd_del_greedy_deletion.yml | 2 +- ..._creation_win_cmd_launched_with_hidden_start_flag.yml | 2 +- .../proc_creation_win_cmd_ntdllpipe_redirect.yml | 2 +- ...roc_creation_win_cmd_ping_copy_combined_execution.yml | 2 +- ...proc_creation_win_cmd_ping_del_combined_execution.yml | 2 +- .../proc_creation_win_cmd_redirection_susp_folder.yml | 2 +- .../proc_creation_win_cmd_rmdir_execution.yml | 2 +- .../proc_creation_win_cmdl32_arbitrary_file_download.yml | 2 +- .../proc_creation_win_cmstp_execution_by_creation.yml | 2 +- 
.../proc_creation_win_conhost_headless_powershell.yml | 2 +- .../proc_creation_win_conhost_legacy_option.yml | 2 +- .../proc_creation_win_conhost_susp_child_process.yml | 2 +- ..._creation_win_conhost_susp_winshell_child_process.yml | 2 +- .../proc_creation_win_control_panel_item.yml | 2 +- .../proc_creation_win_create_new_dmsasvc_account.yml | 2 +- .../proc_creation_win_createdump_lolbin_execution.yml | 2 +- ..._creation_win_credential_guard_registry_tampering.yml | 4 ++-- .../proc_creation_win_csc_susp_dynamic_compilation.yml | 2 +- .../proc_creation_win_csc_susp_parent.yml | 2 +- .../process_creation/proc_creation_win_csi_execution.yml | 2 +- .../proc_creation_win_csi_use_of_csharp_console.yml | 2 +- .../proc_creation_win_customshellhost_susp_exec.yml | 2 +- ..._win_dctask64_arbitrary_command_and_dll_execution.yml | 2 +- ...c_creation_win_defaultpack_uncommon_child_process.yml | 2 +- ...roc_creation_win_defender_default_action_modified.yml | 4 ++-- .../proc_creation_win_defender_remove_context_menu.yml | 4 ++-- .../proc_creation_win_devcon_disable_vmci_driver.yml | 4 ++-- .../proc_creation_win_device_credential_deployment.yml | 2 +- .../proc_creation_win_deviceenroller_dll_sideloading.yml | 3 ++- .../proc_creation_win_devinit_lolbin_usage.yml | 2 +- ...roc_creation_win_dfsvc_suspicious_child_processes.yml | 2 +- .../proc_creation_win_diskshadow_child_process_susp.yml | 2 +- ...proc_creation_win_diskshadow_script_mode_susp_ext.yml | 2 +- ...creation_win_diskshadow_script_mode_susp_location.yml | 2 +- ...ion_win_dism_enable_powershell_web_access_feature.yml | 1 - .../process_creation/proc_creation_win_dism_remove.yml | 4 ++-- .../proc_creation_win_dll_sideload_vmware_xfer.yml | 3 ++- .../proc_creation_win_dllhost_no_cli_execution.yml | 2 +- ...on_win_dnscmd_install_new_server_level_plugin_dll.yml | 4 +++- .../proc_creation_win_dnx_execute_csharp_code.yml | 2 +- ...reation_win_dotnet_arbitrary_dll_csproj_execution.yml | 2 +- 
.../proc_creation_win_dotnet_trace_lolbin_execution.yml | 2 +- .../proc_creation_win_dotnetdump_memory_dump.yml | 2 +- .../proc_creation_win_dsacls_abuse_permissions.yml | 2 +- .../proc_creation_win_dsacls_password_spray.yml | 2 +- .../proc_creation_win_dumpminitool_execution.yml | 2 +- .../proc_creation_win_dumpminitool_susp_execution.yml | 2 +- ...roc_creation_win_dxcap_arbitrary_binary_execution.yml | 2 +- ...creation_win_event_logging_disable_via_key_minint.yml | 4 ++-- .../proc_creation_win_eventvwr_susp_child_process.yml | 1 - .../proc_creation_win_expand_cabinet_files.yml | 2 +- .../proc_creation_win_explorer_break_process_tree.yml | 2 +- .../proc_creation_win_explorer_nouaccheck.yml | 1 - .../proc_creation_win_findstr_download.yml | 2 +- .../process_creation/proc_creation_win_findstr_lnk.yml | 2 +- .../proc_creation_win_findstr_subfolder_search.yml | 2 +- .../proc_creation_win_fltmc_unload_driver.yml | 7 ++++--- .../proc_creation_win_fltmc_unload_driver_sysmon.yml | 7 ++++--- ..._creation_win_forfiles_child_process_masquerading.yml | 2 +- ...proc_creation_win_format_uncommon_filesystem_load.yml | 2 +- .../proc_creation_win_fsutil_symlinkevaluation.yml | 2 +- .../process_creation/proc_creation_win_fsutil_usage.yml | 2 +- ...proc_creation_win_ftp_arbitrary_command_execution.yml | 2 +- ...proc_creation_win_googleupdate_susp_child_process.yml | 2 +- .../proc_creation_win_gup_suspicious_execution.yml | 3 ++- .../proc_creation_win_hh_chm_execution.yml | 2 +- ..._creation_win_hh_chm_remote_download_or_execution.yml | 2 +- ...proc_creation_win_hh_html_help_susp_child_process.yml | 2 +- .../proc_creation_win_hh_susp_execution.yml | 2 +- .../proc_creation_win_hktl_c3_rundll32_pattern.yml | 2 +- ...c_creation_win_hktl_cobaltstrike_load_by_rundll32.yml | 2 +- .../proc_creation_win_hktl_coercedpotato.yml | 2 +- .../process_creation/proc_creation_win_hktl_covenant.yml | 2 +- ...tion_win_hktl_crackmapexec_powershell_obfuscation.yml | 2 +- 
.../proc_creation_win_hktl_dinjector.yml | 2 +- .../proc_creation_win_hktl_edr_freeze.yml | 4 ++-- .../proc_creation_win_hktl_edrsilencer.yml | 4 ++-- ...oc_creation_win_hktl_empire_powershell_uac_bypass.yml | 1 - .../process_creation/proc_creation_win_hktl_gmer.yml | 2 +- .../proc_creation_win_hktl_hollowreaper.yml | 2 +- .../proc_creation_win_hktl_impersonate.yml | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_clip.yml | 2 +- ...ktl_invoke_obfuscation_obfuscated_iex_commandline.yml | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_stdin.yml | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_var.yml | 2 +- ...creation_win_hktl_invoke_obfuscation_via_compress.yml | 2 +- ...oc_creation_win_hktl_invoke_obfuscation_via_stdin.yml | 2 +- ...creation_win_hktl_invoke_obfuscation_via_use_clip.yml | 2 +- ...reation_win_hktl_invoke_obfuscation_via_use_mhsta.yml | 2 +- ...proc_creation_win_hktl_invoke_obfuscation_via_var.yml | 2 +- .../proc_creation_win_hktl_krbrelayup.yml | 1 - .../proc_creation_win_hktl_localpotato.yml | 2 +- .../proc_creation_win_hktl_meterpreter_getsystem.yml | 2 +- .../proc_creation_win_hktl_powertool.yml | 4 ++-- ...proc_creation_win_hktl_redmimicry_winnti_playbook.yml | 2 +- .../process_creation/proc_creation_win_hktl_rubeus.yml | 1 - .../proc_creation_win_hktl_selectmyparent.yml | 2 +- .../proc_creation_win_hktl_sharp_dpapi_execution.yml | 2 +- .../proc_creation_win_hktl_sharp_impersonation.yml | 2 +- .../proc_creation_win_hktl_sharpevtmute.yml | 4 ++-- .../process_creation/proc_creation_win_hktl_sharpup.yml | 2 +- .../proc_creation_win_hktl_stracciatella_execution.yml | 4 ++-- .../process_creation/proc_creation_win_hktl_uacme.yml | 1 - .../process_creation/proc_creation_win_hktl_winpwn.yml | 1 - ...proc_creation_win_hktl_wmiexec_default_powershell.yml | 2 +- .../process_creation/proc_creation_win_hktl_xordump.yml | 2 +- .../process_creation/proc_creation_win_hktl_zipexec.yml | 2 +- .../proc_creation_win_hvci_registry_tampering.yml | 4 ++-- 
.../proc_creation_win_hxtsr_masquerading.yml | 2 +- .../process_creation/proc_creation_win_icacls_deny.yml | 2 +- .../proc_creation_win_iexpress_susp_execution.yml | 2 +- .../proc_creation_win_iis_appcmd_http_logging.yml | 4 ++-- .../proc_creation_win_iis_appcmd_susp_rewrite_rule.yml | 2 +- .../proc_creation_win_iis_logs_deletion.yml | 2 +- .../proc_creation_win_ilasm_il_code_compilation.yml | 3 ++- .../proc_creation_win_imagingdevices_unusual_parents.yml | 2 +- .../proc_creation_win_imewbdld_download.yml | 2 +- ...reation_win_infdefaultinstall_execute_sct_scripts.yml | 2 +- .../proc_creation_win_installutil_download.yml | 2 +- .../proc_creation_win_instalutil_no_log_execution.yml | 2 +- .../process_creation/proc_creation_win_jsc_execution.yml | 3 ++- .../proc_creation_win_kavremover_uncommon_execution.yml | 3 ++- .../process_creation/proc_creation_win_kd_execution.yml | 2 +- ...proc_creation_win_keyscrambler_susp_child_process.yml | 2 +- .../proc_creation_win_ldifde_file_load.yml | 2 +- .../proc_creation_win_link_uncommon_parent_process.yml | 2 +- .../proc_creation_win_logman_disable_eventlog.yml | 6 +++--- .../proc_creation_win_lolbin_devtoolslauncher.yml | 2 +- .../proc_creation_win_lolbin_diantz_ads.yml | 2 +- .../proc_creation_win_lolbin_extrac32_ads.yml | 2 +- .../proc_creation_win_lolbin_gpscript.yml | 2 +- .../proc_creation_win_lolbin_ie4uinit.yml | 2 +- .../proc_creation_win_lolbin_launch_vsdevshell.yml | 2 +- .../proc_creation_win_lolbin_manage_bde.yml | 2 +- ...c_creation_win_lolbin_mavinject_process_injection.yml | 2 +- .../proc_creation_win_lolbin_mpiexec.yml | 2 +- .../proc_creation_win_lolbin_msdeploy.yml | 2 +- .../proc_creation_win_lolbin_openwith.yml | 2 +- .../process_creation/proc_creation_win_lolbin_pcwrun.yml | 2 +- .../proc_creation_win_lolbin_pcwrun_follina.yml | 2 +- .../process_creation/proc_creation_win_lolbin_pcwutl.yml | 2 +- .../process_creation/proc_creation_win_lolbin_pester.yml | 2 +- .../proc_creation_win_lolbin_pester_1.yml | 2 +- 
.../proc_creation_win_lolbin_printbrm.yml | 2 +- .../process_creation/proc_creation_win_lolbin_pubprn.yml | 2 +- .../proc_creation_win_lolbin_rasautou_dll_execution.yml | 2 +- .../proc_creation_win_lolbin_register_app.yml | 2 +- .../process_creation/proc_creation_win_lolbin_remote.yml | 3 ++- .../proc_creation_win_lolbin_runexehelper.yml | 2 +- .../proc_creation_win_lolbin_runscripthelper.yml | 2 +- .../proc_creation_win_lolbin_scriptrunner.yml | 2 +- .../proc_creation_win_lolbin_settingsynchost.yml | 2 +- .../process_creation/proc_creation_win_lolbin_sftp.yml | 2 +- ...n_win_lolbin_syncappvpublishingserver_execute_psh.yml | 2 +- ...n_lolbin_syncappvpublishingserver_vbs_execute_psh.yml | 2 +- .../proc_creation_win_lolbin_tracker.yml | 2 +- .../proc_creation_win_lolbin_ttdinject.yml | 3 ++- .../proc_creation_win_lolbin_tttracer_mod_load.yml | 2 +- .../proc_creation_win_lolbin_unregmp2.yml | 2 +- .../proc_creation_win_lolbin_utilityfunctions.yml | 2 +- .../proc_creation_win_lolbin_visual_basic_compiler.yml | 2 +- .../proc_creation_win_lolbin_visualuiaverifynative.yml | 2 +- .../proc_creation_win_lolbin_vsiisexelauncher.yml | 3 ++- .../process_creation/proc_creation_win_lolbin_wfc.yml | 3 ++- .../proc_creation_win_lolscript_register_app.yml | 2 +- ...n_lsa_ppl_protection_setting_modification_via_cli.yml | 4 ++-- .../proc_creation_win_mftrace_child_process.yml | 3 ++- ..._win_mmc_default_domain_gpo_modification_via_gpme.yml | 2 +- .../proc_creation_win_mmc_rlo_abuse_pattern.yml | 2 +- .../proc_creation_win_mode_codepage_russian.yml | 2 +- .../proc_creation_win_mofcomp_execution.yml | 2 +- .../proc_creation_win_mpcmdrun_dll_sideload_defender.yml | 3 ++- ...roc_creation_win_mpcmdrun_download_arbitrary_file.yml | 2 +- ...n_win_mpcmdrun_remove_windows_defender_definition.yml | 4 ++-- .../proc_creation_win_msbuild_susp_parent_process.yml | 2 +- .../proc_creation_win_msdt_answer_file_exec.yml | 2 +- ...roc_creation_win_msdt_arbitrary_command_execution.yml | 2 +- 
.../proc_creation_win_msdt_susp_cab_options.yml | 2 +- .../proc_creation_win_msdt_susp_parent.yml | 2 +- .../proc_creation_win_msedge_proxy_download.yml | 2 +- .../process_creation/proc_creation_win_mshta_http.yml | 2 +- .../proc_creation_win_mshta_javascript.yml | 2 +- .../proc_creation_win_mshta_lethalhta_technique.yml | 2 +- .../proc_creation_win_mshta_susp_child_processes.yml | 2 +- .../proc_creation_win_mshta_susp_execution.yml | 2 +- .../process_creation/proc_creation_win_msiexec_dll.yml | 2 +- .../proc_creation_win_msiexec_embedding.yml | 2 +- .../proc_creation_win_msiexec_execute_dll.yml | 2 +- .../proc_creation_win_msiexec_install_quiet.yml | 2 +- .../proc_creation_win_msiexec_install_remote.yml | 2 +- .../proc_creation_win_msiexec_masquerading.yml | 2 +- .../proc_creation_win_msiexec_web_install.yml | 2 +- .../proc_creation_win_msix_ai_stub_execution.yml | 3 ++- .../proc_creation_win_msohtmed_download.yml | 2 +- .../proc_creation_win_mspub_download.yml | 2 +- .../proc_creation_win_msra_process_injection.yml | 2 +- .../proc_creation_win_mssql_sqlps_susp_execution.yml | 2 +- ...proc_creation_win_mssql_sqltoolsps_susp_execution.yml | 2 +- .../proc_creation_win_msxsl_execution.yml | 2 +- .../proc_creation_win_msxsl_remote_execution.yml | 2 +- .../proc_creation_win_net_share_unmount.yml | 2 +- .../proc_creation_win_net_use_password_plaintext.yml | 2 +- .../proc_creation_win_netsh_fw_add_rule.yml | 4 ++-- ...ation_win_netsh_fw_allow_program_in_susp_location.yml | 4 ++-- .../proc_creation_win_netsh_fw_allow_rdp.yml | 4 ++-- .../proc_creation_win_netsh_fw_delete_rule.yml | 4 ++-- .../proc_creation_win_netsh_fw_disable.yml | 4 ++-- .../proc_creation_win_netsh_fw_enable_group_rule.yml | 4 ++-- .../proc_creation_win_netsh_fw_set_rule.yml | 2 +- .../proc_creation_win_netsh_port_forwarding.yml | 1 - .../proc_creation_win_netsh_port_forwarding_3389.yml | 1 - .../process_creation/proc_creation_win_node_abuse.yml | 3 ++- 
...proc_creation_win_node_adobe_creative_cloud_abuse.yml | 2 +- .../proc_creation_win_nslookup_poweshell_download.yml | 2 +- .../proc_creation_win_odbcconf_driver_install.yml | 2 +- .../proc_creation_win_odbcconf_driver_install_susp.yml | 2 +- .../proc_creation_win_odbcconf_exec_susp_locations.yml | 2 +- .../proc_creation_win_odbcconf_register_dll_regsvr.yml | 2 +- ...oc_creation_win_odbcconf_register_dll_regsvr_susp.yml | 2 +- .../proc_creation_win_odbcconf_response_file.yml | 2 +- .../proc_creation_win_odbcconf_response_file_susp.yml | 2 +- ...proc_creation_win_odbcconf_uncommon_child_process.yml | 2 +- .../proc_creation_win_office_arbitrary_cli_download.yml | 2 +- ...c_creation_win_office_exec_from_trusted_locations.yml | 2 +- ...tion_win_office_onenote_embedded_script_execution.yml | 2 +- ...in_office_outlook_enable_unsafe_client_mail_rules.yml | 2 +- ...on_win_office_outlook_susp_child_processes_remote.yml | 2 +- .../proc_creation_win_office_susp_child_processes.yml | 2 +- .../proc_creation_win_office_winword_dll_load.yml | 2 +- ...tion_win_offlinescannershell_mpclient_sideloading.yml | 2 +- .../process_creation/proc_creation_win_ping_hex_ip.yml | 2 +- .../proc_creation_win_powercfg_execution.yml | 2 +- ...c_creation_win_powershell_amsi_init_failed_bypass.yml | 4 ++-- ...roc_creation_win_powershell_amsi_null_bits_bypass.yml | 4 ++-- ...roc_creation_win_powershell_base64_encoded_obfusc.yml | 2 +- ...c_creation_win_powershell_base64_frombase64string.yml | 2 +- .../proc_creation_win_powershell_base64_invoke.yml | 2 +- .../proc_creation_win_powershell_base64_mppreference.yml | 4 ++-- ...on_win_powershell_base64_reflection_assembly_load.yml | 2 +- ...powershell_base64_reflection_assembly_load_obfusc.yml | 2 +- .../proc_creation_win_powershell_base64_wmi_classes.yml | 2 +- .../proc_creation_win_powershell_cl_invocation.yml | 2 +- .../proc_creation_win_powershell_cl_loadassembly.yml | 2 +- .../proc_creation_win_powershell_cl_mutexverifiers.yml | 2 +- 
...ion_win_powershell_cmdline_convertto_securestring.yml | 2 +- ..._creation_win_powershell_cmdline_reversed_strings.yml | 2 +- ...reation_win_powershell_cmdline_special_characters.yml | 2 +- .../proc_creation_win_powershell_comobject_msi.yml | 2 +- ...proc_creation_win_powershell_comobject_msi_remote.yml | 2 +- ..._creation_win_powershell_defender_disable_feature.yml | 4 ++-- .../proc_creation_win_powershell_defender_exclusion.yml | 4 ++-- ...owershell_disable_defender_av_security_monitoring.yml | 4 ++-- .../proc_creation_win_powershell_disable_firewall.yml | 4 ++-- .../proc_creation_win_powershell_disable_ie_features.yml | 4 ++-- .../proc_creation_win_powershell_downgrade_attack.yml | 1 - ...reation_win_powershell_download_cradle_obfuscated.yml | 4 ++-- ...n_powershell_enable_susp_windows_optional_feature.yml | 2 +- .../proc_creation_win_powershell_encoding_patterns.yml | 2 +- .../proc_creation_win_powershell_frombase64string.yml | 2 +- ...tion_win_powershell_hide_services_via_set_service.yml | 3 ++- ...reation_win_powershell_import_cert_susp_locations.yml | 2 +- ...ion_win_powershell_install_unsigned_appx_packages.yml | 2 +- .../proc_creation_win_powershell_invocation_specific.yml | 2 +- ...proc_creation_win_powershell_obfuscation_via_utf8.yml | 2 +- ...tion_win_powershell_remotefxvgpudisablement_abuse.yml | 2 +- .../proc_creation_win_powershell_remove_mppreference.yml | 4 ++-- .../proc_creation_win_powershell_run_script_from_ads.yml | 2 +- ...ation_win_powershell_run_script_from_input_stream.yml | 1 - .../proc_creation_win_powershell_set_acl.yml | 2 +- ...roc_creation_win_powershell_set_acl_susp_location.yml | 2 +- ...proc_creation_win_powershell_set_service_disabled.yml | 4 ++-- .../proc_creation_win_powershell_token_obfuscation.yml | 2 +- ...reation_win_powershell_uninstall_defender_feature.yml | 4 ++-- .../proc_creation_win_powershell_x509enrollment.yml | 2 +- .../proc_creation_win_powershell_xor_commandline.yml | 2 +- 
.../proc_creation_win_presentationhost_download.yml | 2 +- ...ation_win_presentationhost_uncommon_location_exec.yml | 2 +- .../proc_creation_win_pressanykey_lolbin_execution.yml | 2 +- .../proc_creation_win_print_dump_sensitive_files.yml | 2 +- .../proc_creation_win_print_remote_file_copy.yml | 2 +- .../proc_creation_win_protocolhandler_download.yml | 2 +- .../proc_creation_win_provlaunch_potential_abuse.yml | 2 +- .../proc_creation_win_provlaunch_susp_child_process.yml | 2 +- .../proc_creation_win_pua_advancedrun.yml | 2 +- .../proc_creation_win_pua_advancedrun_priv_user.yml | 2 +- .../process_creation/proc_creation_win_pua_cleanwipe.yml | 4 ++-- .../proc_creation_win_pua_defendercheck.yml | 2 +- .../proc_creation_win_pua_process_hacker.yml | 2 +- .../proc_creation_win_pua_rcedit_execution.yml | 2 +- .../proc_creation_win_pua_system_informer.yml | 2 +- ...proc_creation_win_python_base64_encoded_execution.yml | 2 +- .../proc_creation_win_rasdial_execution.yml | 1 - .../proc_creation_win_reg_add_safeboot.yml | 4 ++-- ...ion_win_reg_credential_access_via_password_filter.yml | 2 +- .../proc_creation_win_reg_defender_exclusion.yml | 4 ++-- .../proc_creation_win_reg_delete_runmru.yml | 2 +- .../proc_creation_win_reg_delete_safeboot.yml | 4 ++-- .../proc_creation_win_reg_delete_services.yml | 4 ++-- .../proc_creation_win_reg_desktop_background_change.yml | 2 +- ..._creation_win_reg_disable_defender_wmi_autologger.yml | 4 ++-- .../proc_creation_win_reg_disable_sec_services.yml | 4 ++-- ...roc_creation_win_reg_import_from_suspicious_paths.yml | 2 +- ...roc_creation_win_reg_lsa_disable_restricted_admin.yml | 2 +- ...roc_creation_win_reg_modify_group_policy_settings.yml | 2 +- .../process_creation/proc_creation_win_reg_nolmhash.yml | 2 +- .../proc_creation_win_reg_rdp_keys_tamper.yml | 2 +- .../proc_creation_win_reg_service_imagepath_change.yml | 3 ++- .../proc_creation_win_reg_susp_paths.yml | 4 ++-- .../proc_creation_win_reg_volsnap_disable.yml | 4 ++-- 
.../proc_creation_win_reg_windows_defender_tamper.yml | 4 ++-- ...eation_win_reg_write_protect_for_storage_disabled.yml | 4 ++-- ...proc_creation_win_regasm_no_flag_or_dll_execution.yml | 2 +- ...n_win_regasm_regsvcs_uncommon_extension_execution.yml | 2 +- ...on_win_regasm_regsvcs_uncommon_location_execution.yml | 2 +- .../proc_creation_win_regedit_import_keys.yml | 2 +- .../proc_creation_win_regedit_import_keys_ads.yml | 2 +- .../proc_creation_win_regedit_trustedinstaller.yml | 1 - .../process_creation/proc_creation_win_regini_ads.yml | 2 +- .../proc_creation_win_regini_execution.yml | 2 +- .../proc_creation_win_registry_cimprovider_dll_load.yml | 3 ++- ...stry_ie_security_zone_protocol_defaults_downgrade.yml | 2 +- ..._registry_office_disable_python_security_warnings.yml | 4 ++-- ...win_registry_privilege_escalation_via_service_key.yml | 3 ++- ...tion_win_registry_provlaunch_provisioning_command.yml | 2 +- ...ation_win_registry_set_unsecure_powershell_policy.yml | 2 +- ..._creation_win_registry_special_accounts_hide_user.yml | 2 +- .../proc_creation_win_regsvr32_flags_anomaly.yml | 2 +- .../proc_creation_win_regsvr32_http_ip_pattern.yml | 2 +- .../proc_creation_win_regsvr32_network_pattern.yml | 2 +- .../proc_creation_win_regsvr32_remote_share.yml | 2 +- .../proc_creation_win_regsvr32_susp_child_process.yml | 2 +- .../proc_creation_win_regsvr32_susp_exec_path_1.yml | 2 +- .../proc_creation_win_regsvr32_susp_exec_path_2.yml | 2 +- .../proc_creation_win_regsvr32_susp_extensions.yml | 2 +- .../proc_creation_win_regsvr32_susp_parent.yml | 2 +- .../proc_creation_win_regsvr32_uncommon_extension.yml | 2 +- ...tion_win_remote_access_tools_netsupport_susp_exec.yml | 2 +- ...n_remote_access_tools_renamed_meshagent_execution.yml | 2 +- ...in_remote_access_tools_rurat_non_default_location.yml | 2 +- .../proc_creation_win_renamed_autohotkey.yml | 2 +- .../proc_creation_win_renamed_autoit.yml | 2 +- .../proc_creation_win_renamed_binary.yml | 2 +- 
.../proc_creation_win_renamed_binary_highly_relevant.yml | 2 +- .../process_creation/proc_creation_win_renamed_boinc.yml | 2 +- .../proc_creation_win_renamed_browsercore.yml | 2 +- .../proc_creation_win_renamed_createdump.yml | 2 +- .../process_creation/proc_creation_win_renamed_curl.yml | 2 +- .../proc_creation_win_renamed_dctask64.yml | 2 +- .../process_creation/proc_creation_win_renamed_ftp.yml | 2 +- .../proc_creation_win_renamed_jusched.yml | 2 +- .../proc_creation_win_renamed_mavinject.yml | 2 +- .../proc_creation_win_renamed_megasync.yml | 2 +- .../process_creation/proc_creation_win_renamed_msdt.yml | 2 +- .../proc_creation_win_renamed_msteams.yml | 2 +- .../proc_creation_win_renamed_netsupport_rat.yml | 2 +- .../proc_creation_win_renamed_nircmd.yml | 2 +- .../proc_creation_win_renamed_office_processes.yml | 2 +- .../proc_creation_win_renamed_paexec.yml | 2 +- .../proc_creation_win_renamed_pingcastle.yml | 2 +- .../process_creation/proc_creation_win_renamed_plink.yml | 2 +- .../proc_creation_win_renamed_pressanykey.yml | 2 +- .../process_creation/proc_creation_win_renamed_rurat.yml | 2 +- .../proc_creation_win_renamed_schtasks_execution.yml | 2 +- .../proc_creation_win_renamed_sysinternals_procdump.yml | 2 +- .../process_creation/proc_creation_win_renamed_vmnat.yml | 3 ++- ...oc_creation_win_rundll32_ads_stored_dll_execution.yml | 2 +- ...tion_win_rundll32_advpack_obfuscated_ordinal_call.yml | 2 +- .../proc_creation_win_rundll32_inline_vbs.yml | 2 +- .../proc_creation_win_rundll32_installscreensaver.yml | 2 +- ...c_creation_win_rundll32_mshtml_runhtmlapplication.yml | 2 +- .../proc_creation_win_rundll32_no_params.yml | 2 +- ...roc_creation_win_rundll32_obfuscated_ordinal_call.yml | 2 +- .../proc_creation_win_rundll32_parent_explorer.yml | 2 +- ...oc_creation_win_rundll32_process_dump_via_comsvcs.yml | 2 +- .../proc_creation_win_rundll32_run_locations.yml | 2 +- ...creation_win_rundll32_setupapi_installhinfsection.yml | 2 +- 
...proc_creation_win_rundll32_shell32_susp_execution.yml | 2 +- ...eation_win_rundll32_shelldispatch_potential_abuse.yml | 2 +- .../proc_creation_win_rundll32_spawn_explorer.yml | 2 +- .../proc_creation_win_rundll32_susp_activity.yml | 2 +- .../proc_creation_win_rundll32_susp_control_dll_load.yml | 2 +- ..._win_rundll32_susp_execution_with_image_extension.yml | 2 +- ...oc_creation_win_rundll32_susp_shellexec_execution.yml | 2 +- ...ion_win_rundll32_susp_shellexec_ordinal_execution.yml | 2 +- .../proc_creation_win_rundll32_susp_shimcache_flush.yml | 2 +- .../process_creation/proc_creation_win_rundll32_sys.yml | 2 +- .../proc_creation_win_rundll32_udl_exec.yml | 2 +- .../proc_creation_win_rundll32_unc_path.yml | 2 +- ...proc_creation_win_rundll32_uncommon_dll_extension.yml | 2 +- .../proc_creation_win_rundll32_user32_dll.yml | 2 +- .../proc_creation_win_runonce_execution.yml | 2 +- ...tion_win_sc_change_sevice_image_path_by_non_admin.yml | 3 ++- .../proc_creation_win_sc_disable_service.yml | 4 ++-- .../proc_creation_win_sc_sdset_hide_sevices.yml | 3 ++- .../proc_creation_win_sc_sdset_modification.yml | 3 ++- ...oc_creation_win_sc_service_tamper_for_persistence.yml | 3 ++- ...c_creation_win_schtasks_curl_and_powershell_combo.yml | 2 +- ...on_win_schtasks_schedule_via_masqueraded_xml_file.yml | 2 +- .../proc_creation_win_schtasks_system_process.yml | 2 +- .../proc_creation_win_sdclt_child_process.yml | 1 - .../proc_creation_win_sdiagnhost_susp_child.yml | 2 +- .../proc_creation_win_secedit_execution.yml | 8 +++++--- .../proc_creation_win_setres_uncommon_child_process.yml | 2 +- .../proc_creation_win_setup16_custom_lst_execution.yml | 3 ++- .../proc_creation_win_sftp_proxy_command_execution.yml | 2 +- ...proc_creation_win_sigverif_uncommon_child_process.yml | 2 +- .../proc_creation_win_speechruntime_child_process.yml | 2 +- .../proc_creation_win_splwow64_cli_anomaly.yml | 2 +- .../proc_creation_win_squirrel_download.yml | 2 +- 
.../proc_creation_win_squirrel_proxy_execution.yml | 2 +- .../proc_creation_win_ssh_proxy_execution.yml | 2 +- .../proc_creation_win_stordiag_susp_child_process.yml | 2 +- .../proc_creation_win_susp_16bit_application.yml | 2 +- .../proc_creation_win_susp_abusing_debug_privilege.yml | 1 - .../proc_creation_win_susp_alternate_data_streams.yml | 2 +- ...in_susp_always_install_elevated_windows_installer.yml | 1 - .../proc_creation_win_susp_appx_execution.yml | 2 +- ...creation_win_susp_bad_opsec_sacrificial_processes.yml | 2 +- .../proc_creation_win_susp_child_process_as_system_.yml | 2 +- ...roc_creation_win_susp_cli_obfuscation_escape_char.yml | 2 +- ...roc_creation_win_susp_cli_obfuscation_unicode_img.yml | 2 +- ...tion_win_susp_clickfix_filefix_whitespace_padding.yml | 2 +- ...or_loop_execution_with_recursive_directory_search.yml | 2 +- ...ation_win_susp_commandline_path_traversal_evasion.yml | 2 +- .../proc_creation_win_susp_copy_system_dir.yml | 2 +- .../proc_creation_win_susp_copy_system_dir_lolbin.yml | 2 +- .../proc_creation_win_susp_disable_raccine.yml | 4 ++-- .../proc_creation_win_susp_double_extension_parent.yml | 2 +- .../proc_creation_win_susp_dumpstack_log_evasion.yml | 2 +- ...proc_creation_win_susp_elavated_msi_spawned_shell.yml | 1 - ...on_win_susp_elevated_system_shell_uncommon_parent.yml | 1 - .../proc_creation_win_susp_emoji_usage_in_cli_1.yml | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_2.yml | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_3.yml | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_4.yml | 2 +- .../proc_creation_win_susp_etw_modification_cmdline.yml | 4 ++-- .../proc_creation_win_susp_etw_trace_evasion.yml | 5 +++-- .../proc_creation_win_susp_eventlog_clear.yml | 6 +++--- ...n_win_susp_execution_from_public_folder_as_parent.yml | 2 +- .../proc_creation_win_susp_execution_path.yml | 2 +- ...roc_creation_win_susp_hidden_dir_index_allocation.yml | 2 +- ..._creation_win_susp_hiding_malware_in_fonts_folder.yml | 2 +- 
...c_creation_win_susp_homoglyph_cyrillic_lookalikes.yml | 3 +-- .../proc_creation_win_susp_image_missing.yml | 2 +- ...oc_creation_win_susp_lolbin_exec_from_non_c_drive.yml | 2 +- .../proc_creation_win_susp_ms_appinstaller_download.yml | 2 +- .../proc_creation_win_susp_no_image_name.yml | 2 +- .../proc_creation_win_susp_non_exe_image.yml | 2 +- .../proc_creation_win_susp_non_priv_reg_or_ps.yml | 2 +- .../proc_creation_win_susp_nteventlogfile_usage.yml | 2 +- ..._creation_win_susp_ntfs_short_name_path_use_image.yml | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_cli.yml | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_image.yml | 2 +- .../process_creation/proc_creation_win_susp_parents.yml | 2 +- ...oc_creation_win_susp_powershell_execution_via_dll.yml | 2 +- .../proc_creation_win_susp_proc_wrong_parent.yml | 2 +- ...proc_creation_win_susp_recycle_bin_fake_execution.yml | 2 +- ...istry_modification_of_ms_setting_protocol_handler.yml | 2 +- .../proc_creation_win_susp_right_to_left_override.yml | 2 +- .../proc_creation_win_susp_service_dir.yml | 2 +- .../proc_creation_win_susp_service_tamper.yml | 4 ++-- .../proc_creation_win_susp_shadow_copies_deletion.yml | 2 +- .../proc_creation_win_susp_shell_spawn_susp_program.yml | 2 +- .../proc_creation_win_susp_sysnative.yml | 2 +- .../proc_creation_win_susp_system_exe_anomaly.yml | 2 +- .../proc_creation_win_susp_system_user_anomaly.yml | 2 +- .../proc_creation_win_susp_task_folder_evasion.yml | 2 +- .../proc_creation_win_susp_use_of_te_bin.yml | 2 +- .../proc_creation_win_susp_use_of_vsjitdebugger_bin.yml | 2 +- .../proc_creation_win_susp_userinit_child.yml | 2 +- ...proc_creation_win_susp_velociraptor_child_process.yml | 1 - .../proc_creation_win_susp_weak_or_abused_passwords.yml | 2 +- .../proc_creation_win_susp_workfolders.yml | 2 +- ..._creation_win_svchost_execution_with_no_cli_flags.yml | 2 +- .../proc_creation_win_svchost_masqueraded_execution.yml | 2 +- 
..._creation_win_svchost_uncommon_command_line_flags.yml | 2 +- ...proc_creation_win_svchost_uncommon_parent_process.yml | 2 +- .../proc_creation_win_sysinternals_livekd_execution.yml | 2 +- ...eation_win_sysinternals_livekd_kernel_memory_dump.yml | 2 +- .../proc_creation_win_sysinternals_procdump.yml | 2 +- .../proc_creation_win_sysinternals_procdump_evasion.yml | 2 +- .../proc_creation_win_sysinternals_procdump_lsass.yml | 2 +- ...reation_win_sysinternals_pssuspend_susp_execution.yml | 4 ++-- ...oc_creation_win_sysinternals_sysmon_config_update.yml | 4 ++-- .../proc_creation_win_sysinternals_sysmon_uninstall.yml | 4 ++-- ...proc_creation_win_sysinternals_tools_masquerading.yml | 2 +- ...win_systemsettingsadminflows_turn_on_dev_features.yml | 2 +- .../proc_creation_win_takeown_recursive_own.yml | 2 +- .../process_creation/proc_creation_win_taskkill_sep.yml | 4 ++-- .../proc_creation_win_taskmgr_localsystem.yml | 2 +- .../proc_creation_win_taskmgr_susp_child_process.yml | 2 +- .../proc_creation_win_uac_bypass_changepk_slui.yml | 1 - .../proc_creation_win_uac_bypass_cleanmgr.yml | 1 - .../proc_creation_win_uac_bypass_cmstp.yml | 2 +- ...c_creation_win_uac_bypass_cmstp_com_object_access.yml | 2 +- .../proc_creation_win_uac_bypass_computerdefaults.yml | 1 - .../proc_creation_win_uac_bypass_consent_comctl32.yml | 1 - .../proc_creation_win_uac_bypass_dismhost.yml | 1 - ...proc_creation_win_uac_bypass_eventvwr_recentviews.yml | 2 +- .../proc_creation_win_uac_bypass_fodhelper.yml | 1 - ...creation_win_uac_bypass_hijacking_firwall_snap_in.yml | 1 - .../proc_creation_win_uac_bypass_icmluautil.yml | 1 - .../proc_creation_win_uac_bypass_idiagnostic_profile.yml | 1 - .../proc_creation_win_uac_bypass_ieinstal.yml | 1 - .../proc_creation_win_uac_bypass_msconfig_gui.yml | 1 - .../proc_creation_win_uac_bypass_ntfs_reparse_point.yml | 1 - .../proc_creation_win_uac_bypass_pkgmgr_dism.yml | 1 - .../proc_creation_win_uac_bypass_sdclt.yml | 1 - 
.../proc_creation_win_uac_bypass_trustedpath.yml | 1 - .../proc_creation_win_uac_bypass_winsat.yml | 1 - .../proc_creation_win_uac_bypass_wmp.yml | 1 - .../proc_creation_win_uac_bypass_wsreset.yml | 1 - ...c_creation_win_uac_bypass_wsreset_integrity_level.yml | 1 - .../proc_creation_win_uninstall_crowdstrike_falcon.yml | 4 ++-- ...tion_win_user_shell_folders_registry_modification.yml | 2 +- .../proc_creation_win_vbscript_registry_modification.yml | 2 +- .../proc_creation_win_verclsid_runs_com.yml | 2 +- .../proc_creation_win_virtualbox_execution.yml | 2 +- ...roc_creation_win_virtualbox_vboxdrvinst_execution.yml | 2 +- ...roc_creation_win_vscode_child_processes_anomalies.yml | 2 +- .../proc_creation_win_vsdiagnostics_execution_proxy.yml | 2 +- .../process_creation/proc_creation_win_vshadow_exec.yml | 2 +- ...oc_creation_win_vslsagent_agentextensionpath_load.yml | 2 +- ...in_vulnerable_driver_blocklist_registry_tampering.yml | 4 ++-- ...ation_win_wab_execution_from_non_default_location.yml | 2 +- .../proc_creation_win_wab_unusual_parents.yml | 2 +- .../proc_creation_win_werfault_reflect_debugger_exec.yml | 2 +- .../proc_creation_win_werfaultsecure_abuse.yml | 4 ++-- .../proc_creation_win_wermgr_susp_child_process.yml | 2 +- .../proc_creation_win_winget_add_custom_source.yml | 1 - ...oc_creation_win_winget_add_insecure_custom_source.yml | 1 - .../proc_creation_win_winget_add_susp_custom_source.yml | 1 - ...oc_creation_win_winget_local_install_via_manifest.yml | 1 - .../proc_creation_win_winrm_awl_bypass.yml | 2 +- ...n_win_winrm_execution_via_scripting_api_winrm_vbs.yml | 2 +- .../proc_creation_win_winrs_local_command_execution.yml | 2 +- .../proc_creation_win_wlrmdr_uncommon_child_process.yml | 2 +- .../proc_creation_win_wmic_namespace_defender.yml | 4 ++-- .../proc_creation_win_wmic_service_startup_change.yml | 4 ++-- .../proc_creation_win_wmic_squiblytwo_bypass.yml | 2 +- ...roc_creation_win_wmic_stdregprov_reg_modification.yml | 2 +- 
...eation_win_wmic_susp_execution_via_office_process.yml | 2 +- ...roc_creation_win_wmic_uninstall_security_products.yml | 4 ++-- .../proc_creation_win_wmic_xsl_script_processing.yml | 2 +- .../proc_creation_win_wmiprvse_susp_child_processes.yml | 2 +- .../proc_creation_win_wpbbin_potential_persistence.yml | 2 +- .../proc_creation_win_wsl_child_processes_anomalies.yml | 2 +- .../proc_creation_win_wsl_kali_linux_usage.yml | 2 +- .../proc_creation_win_wsl_windows_binaries_execution.yml | 2 +- .../proc_creation_win_wuauclt_dll_loading.yml | 2 +- .../proc_creation_win_wuauclt_no_cli_flags_execution.yml | 2 +- ...eation_win_xwizard_execution_non_default_location.yml | 3 ++- ...oc_creation_win_xwizard_runwizard_com_object_exec.yml | 2 +- .../proc_tampering_susp_process_hollowing.yml | 2 +- ...cess_thread_susp_disk_access_using_uncommon_tools.yml | 2 +- .../registry_delete_defender_context_menu.yml | 2 +- .../registry_delete_disable_credential_guard.yml | 4 ++-- .../registry_delete_exploit_guard_protected_folders.yml | 4 ++-- .../registry_delete_mstsc_history_cleared.yml | 3 ++- .../registry_delete_removal_amsi_registry_key.yml | 4 ++-- ...egistry_delete_removal_com_hijacking_registry_key.yml | 2 +- .../registry/registry_delete/registry_delete_runmru.yml | 2 +- ...delete_schtasks_hide_task_via_index_value_removal.yml | 4 ++-- ...ry_delete_schtasks_hide_task_via_sd_value_removal.yml | 4 ++-- .../registry_event/registry_event_bypass_via_wsreset.yml | 1 - .../registry_event_cmstp_execution_by_registry.yml | 2 +- .../registry_event_defender_threat_action_modified.yml | 4 ++-- ...ble_security_events_logging_adding_reg_key_minint.yml | 4 ++-- .../registry_event_disable_wdigest_credential_guard.yml | 2 +- .../registry_event/registry_event_mal_azorult.yml | 2 +- .../registry_event_malware_qakbot_registry.yml | 2 +- .../registry_event/registry_event_net_ntlm_downgrade.yml | 4 ++-- .../registry_event_portproxy_registry_key.yml | 1 - .../registry_event_redmimicry_winnti_reg.yml | 2 
+- .../registry_event_runonce_persistence.yml | 2 +- .../registry_event_shell_open_keys_manipulation.yml | 1 - .../registry_event_susp_atbroker_change.yml | 2 +- ...registry_event_susp_process_registry_modification.yml | 2 +- .../registry_set_enable_anonymous_connection.yml | 4 ++-- .../registry_set_add_load_service_in_safe_mode.yml | 2 +- .../registry_set_allow_rdp_remote_assistance_feature.yml | 2 +- .../registry_set/registry_set_amsi_com_hijack.yml | 4 ++-- .../registry/registry_set/registry_set_amsi_disable.yml | 5 ++--- .../registry_set/registry_set_bginfo_custom_db.yml | 2 +- .../registry_set/registry_set_bginfo_custom_vbscript.yml | 2 +- .../registry_set_bginfo_custom_wmi_query.yml | 2 +- .../registry_set_bypass_uac_using_delegateexecute.yml | 1 - .../registry_set_bypass_uac_using_silentcleanup_task.yml | 1 - .../registry_set_change_sysmon_driver_altitude.yml | 4 ++-- .../registry_set_change_winevt_channelaccess.yml | 4 ++-- .../registry_set/registry_set_clickonce_trust_prompt.yml | 2 +- .../registry_set/registry_set_comhijack_sdclt.yml | 1 - .../registry_set/registry_set_crashdump_disabled.yml | 3 ++- .../registry_set/registry_set_create_minint_key.yml | 4 ++-- .../registry_set_creation_service_susp_folder.yml | 2 +- .../registry_set_credential_guard_disabled.yml | 4 ++-- ...set_custom_file_open_handler_powershell_execution.yml | 2 +- .../registry_set_dbgmanageddebugger_persistence.yml | 3 ++- .../registry_set/registry_set_defender_exclusions.yml | 4 ++-- .../registry_set_desktop_background_change.yml | 2 +- .../registry_set_devdrv_disallow_antivirus_filter.yml | 4 ++-- ...iceguard_hypervisorenforcedcodeintegrity_disabled.yml | 4 ++-- ...uard_hypervisorenforcedpagingtranslation_disabled.yml | 4 ++-- .../registry_set/registry_set_dhcp_calloutdll.yml | 4 +++- .../registry_set_disable_administrative_share.yml | 2 +- .../registry_set_disable_autologger_sessions.yml | 4 ++-- .../registry_set_disable_defender_firewall.yml | 4 ++-- 
.../registry_set/registry_set_disable_function_user.yml | 2 +- .../registry_set_disable_macroruntimescanscope.yml | 2 +- .../registry_set_disable_privacy_settings_experience.yml | 4 ++-- ...egistry_set_disable_security_center_notifications.yml | 2 +- .../registry_set_disable_windows_defender_service.yml | 4 ++-- .../registry_set_disable_windows_event_log_access.yml | 2 +- .../registry_set_disable_windows_firewall.yml | 4 ++-- .../registry_set/registry_set_disable_winevt_logging.yml | 4 ++-- ...abled_exploit_guard_net_protection_on_ms_defender.yml | 4 ++-- ...registry_set_disabled_microsoft_defender_eventlog.yml | 4 ++-- ...set_disabled_pua_protection_on_microsoft_defender.yml | 4 ++-- ..._disabled_tamper_protection_on_microsoft_defender.yml | 4 ++-- .../registry_set/registry_set_disallowrun_execution.yml | 2 +- .../registry_set/registry_set_dns_over_https_enabled.yml | 3 ++- .../registry_set_dns_server_level_plugin_dll.yml | 4 +++- .../registry_set/registry_set_dot_net_etw_tamper.yml | 4 ++-- .../registry_set/registry_set_dsrm_tampering.yml | 2 +- .../registry_set_enabling_cor_profiler_env_variables.yml | 3 ++- .../registry_set/registry_set_enabling_turnoffcheck.yml | 4 ++-- .../registry_set/registry_set_evtx_file_key_tamper.yml | 4 ++-- .../registry_set_exploit_guard_susp_allowed_apps.yml | 4 ++-- .../registry_set_fax_change_service_user.yml | 2 +- .../registry_set/registry_set_fax_dll_persistance.yml | 2 +- .../registry_set_file_association_exefile.yml | 2 +- .../registry/registry_set/registry_set_hide_file.yml | 2 +- .../registry_set/registry_set_hide_function_user.yml | 2 +- ...registry_set_hide_scheduled_task_via_index_tamper.yml | 4 ++-- .../registry_set/registry_set_hvci_disallowed_images.yml | 2 +- ..._set_ie_security_zone_protocol_defaults_downgrade.yml | 2 +- .../registry_set_ime_non_default_extension.yml | 4 ++-- .../registry_set/registry_set_ime_suspicious_paths.yml | 4 ++-- ...set_internet_explorer_disable_first_run_customize.yml | 2 +- 
.../registry_set_lsa_disablerestrictedadmin.yml | 2 +- .../registry_set_net_cli_ngenassemblyusagelog.yml | 2 +- .../registry_set_office_access_vbom_tamper.yml | 2 +- ...gistry_set_office_disable_protected_view_features.yml | 4 ++-- ...istry_set_office_disable_python_security_warnings.yml | 4 ++-- ...et_office_outlook_enable_unsafe_client_mail_rules.yml | 2 +- .../registry_set_office_trust_record_susp_location.yml | 2 +- .../registry_set_office_trusted_location_uncommon.yml | 2 +- .../registry_set_office_vba_warnings_tamper.yml | 2 +- .../registry_set_optimize_file_sharing_network.yml | 2 +- .../registry_set_persistence_custom_protocol_handler.yml | 2 +- .../registry_set_persistence_event_viewer_events_asp.yml | 2 +- .../registry_set_persistence_globalflags.yml | 1 - .../registry_set/registry_set_persistence_ie.yml | 2 +- .../registry_set_persistence_outlook_homepage.yml | 2 +- .../registry_set_persistence_outlook_todaypage.yml | 2 +- .../registry_set_persistence_reflectdebugger.yml | 2 +- .../registry_set_policies_associations_tamper.yml | 2 +- .../registry_set_policies_attachments_tamper.yml | 2 +- .../registry_set_potential_oci_dll_redirection.yml | 4 +++- .../registry_set_powershell_execution_policy.yml | 2 +- .../registry_set_powershell_logging_disabled.yml | 3 ++- .../registry_set_provisioning_command_abuse.yml | 2 +- .../registry_set/registry_set_rpcrt4_etw_tamper.yml | 4 ++-- .../registry_set_scr_file_executed_by_rundll32.yml | 2 +- .../registry_set/registry_set_services_etw_tamper.yml | 4 ++-- .../registry_set/registry_set_set_nopolicies_user.yml | 2 +- .../registry_set/registry_set_sip_persistence.yml | 2 +- .../registry_set/registry_set_sophos_av_tamper.yml | 4 ++-- .../registry_set/registry_set_special_accounts.yml | 2 +- .../registry_set_suppress_defender_notifications.yml | 2 +- .../registry_set_susp_pendingfilerenameoperations.yml | 2 +- .../registry_set/registry_set_susp_printer_driver.yml | 3 ++- .../registry_set_susp_runmru_space_character.yml | 2 
+- .../registry_set/registry_set_susp_service_installed.yml | 4 ++-- ...ry_set_susp_shell_open_keys_modification_patterns.yml | 1 - .../registry_set_susp_typedpaths_space_characters.yml | 2 +- .../registry_set/registry_set_susp_wfp_filter_added.yml | 4 ++-- .../registry_set_suspicious_env_variables.yml | 2 +- .../registry_set/registry_set_system_lsa_nolmhash.yml | 2 +- .../registry_set_terminal_server_suspicious.yml | 2 +- .../registry_set_terminal_server_tampering.yml | 2 +- .../registry_set_tls_protocol_old_version_enabled.yml | 2 +- .../registry_set/registry_set_turn_on_dev_features.yml | 2 +- .../registry_set/registry_set_uac_bypass_eventvwr.yml | 1 - .../registry_set/registry_set_uac_bypass_sdclt.yml | 1 - .../registry_set/registry_set_uac_bypass_winsat.yml | 1 - .../registry_set/registry_set_uac_bypass_wmp.yml | 1 - .../registry/registry_set/registry_set_uac_disable.yml | 1 - .../registry_set_uac_disable_notification.yml | 1 - .../registry_set_uac_disable_secure_desktop_prompt.yml | 1 - .../registry_set_vulnerable_driver_blocklist_disable.yml | 4 ++-- .../registry_set/registry_set_wab_dllpath_reg_change.yml | 2 +- .../registry_set_wdigest_enable_uselogoncredential.yml | 2 +- .../registry_set_windows_defender_tamper.yml | 4 ++-- .../registry_set_winget_admin_settings_tampering.yml | 2 +- .../registry_set_winget_enable_local_manifest.yml | 2 +- .../registry_set_winlogon_allow_multiple_tssessions.yml | 2 +- rules/windows/sysmon/sysmon_config_modification.yml | 2 +- .../windows/sysmon/sysmon_config_modification_error.yml | 2 +- .../windows/sysmon/sysmon_config_modification_status.yml | 2 +- rules/windows/sysmon/sysmon_file_block_executable.yml | 2 +- rules/windows/sysmon/sysmon_file_block_shredding.yml | 2 +- rules/windows/sysmon/sysmon_file_executable_detected.yml | 2 +- 1612 files changed, 1887 insertions(+), 1867 deletions(-) 
diff --git a/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml b/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
index 872bd24f7..aed7f9d4f 100644
--- a/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
+++ b/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
@@ -10,8 +10,8 @@ date: 2017-07-20
 modified: 2021-11-27
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1059.003
-    - attack.defense-evasion
     - attack.t1218.011
     - attack.s0412
     - attack.g0001
diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
index fb31f4de1..0f0cbadf3 100644
--- a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
+++ b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
@@ -10,7 +10,7 @@ modified: 2025-10-19
 tags:
     - attack.privilege-escalation
     - attack.persistence
-    - attack.defense-evasion
+    - attack.stealth
     - attack.g0010
     - attack.execution
     - attack.t1059.001
diff --git a/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml b/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
index a617999f5..ee554853c 100644
--- a/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
+++ b/rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-02-22
 modified: 2021-11-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.005
     - cve.2015-1641
     - detection.emerging-threats
diff --git a/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml b/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
index e1072ef6d..7d0ffb320 100644
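Review bot: The moved tactic tag breaks the tactic-to-technique grouping in the zxshell hunk: `attack.stealth` is now inserted between `attack.execution` and `attack.t1059.003`, so the list reads as two tactics followed by two techniques and no longer shows that T1218.011 is the technique carried under the new tactic, which the old placement of `attack.defense-evasion` directly above `attack.t1218.011` did. Move `    - attack.stealth` down so it sits immediately above `    - attack.t1218.011`. The Turla hunk on the same line has a similar tactics-then-techniques shape, but that ordering predates this commit. Both rules keep their old `modified:` dates (2021-11-27 and 2025-10-19); if the repository's convention is to bump `modified` on tag changes, these should be updated as well.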
--- a/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
+++ b/rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
@@ -10,7 +10,7 @@ date: 2017-06-03
 modified: 2021-11-27
 tags:
     - attack.execution
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml b/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
index 9da9226b0..75f4ecdd3 100644
--- a/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
+++ b/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
@@ -8,8 +8,8 @@ author: John Lambert (tech), Florian Roth (Nextron Systems)
 date: 2017-03-04
 modified: 2021-11-27
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1055
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
index a6eb9f685..29b7980da 100644
--- a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
+++ b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
@@ -9,9 +9,10 @@ author: Florian Roth (Nextron Systems), Tom Ueltschi
 date: 2019-01-16
 modified: 2022-12-15
 tags:
-    - attack.defense-evasion
+    - attack.stealth
+    - attack.defense-impairment
     - attack.t1218.011
-    - attack.t1070.001
+    - attack.t1685.005
     - attack.credential-access
     - attack.t1003.001
     - car.2016-04-002
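Review bot: In the NotPetya hunk the two new tactic tags are stacked together ahead of both techniques (`attack.stealth`, `attack.defense-impairment`, then `attack.t1218.011`, `attack.t1685.005`), so the pairing the previous layout expressed, a tactic directly above its technique, is lost and a reader cannot tell which of the two tactics `attack.t1685.005` belongs to. Move `    - attack.defense-impairment` down so it sits immediately above `    - attack.t1685.005`, matching how `attack.credential-access` precedes `attack.t1003.001` in the same list. This is also the only hunk in view that replaces a technique ID rather than a tactic (T1070.001 to T1685.005); I cannot verify that mapping from the diff alone, so a short note in the commit message stating the v19 source of the remap would help anyone reconciling older alerts against this rule.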
diff --git a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
index ee436d718..e9ecd4d45 100644
--- a/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
+++ b/rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
@@ -11,8 +11,9 @@ modified: 2023-02-03
 tags:
     - attack.privilege-escalation
     - attack.persistence
+    - attack.execution
+    - attack.stealth
     - attack.s0013
-    - attack.defense-evasion
     - attack.t1574.001
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml b/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
index ee3a4887c..ab5c551de 100644
--- a/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
+++ b/rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
@@ -10,10 +10,10 @@ date: 2019-01-16
 modified: 2025-10-18
 tags:
     - attack.lateral-movement
+    - attack.defense-impairment
     - attack.t1210
     - attack.discovery
     - attack.t1083
-    - attack.defense-evasion
     - attack.t1222.001
     - attack.impact
     - attack.t1486
diff --git a/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml b/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
index fb69934e9..9e1fb6bd2 100644
--- a/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
+++ b/rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-10-22
 modified: 2023-05-02
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.g0035
     - attack.t1036.003
     - car.2013-05-009
diff --git a/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml b/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
index e9758f1b5..a693f1a73 100644
--- a/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
+++ b/rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
@@ -8,7 +8,7 @@ author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
 date: 2020-06-03
 modified: 2023-03-10
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.005
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
index b226632ea..9ee3638ff 100644
--- a/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
+++ b/rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
@@ -12,7 +12,8 @@ modified: 2023-03-09
 tags:
     - attack.privilege-escalation
     - attack.persistence
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1574.001
     - attack.g0027
     - detection.emerging-threats
diff --git a/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml b/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
index d26593a3f..dbaf4df69 100644
--- a/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
+++ b/rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
@@ -10,8 +10,8 @@ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2018-03-01
 modified: 2023-05-31
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.g0007
     - attack.t1059.003
     - attack.t1218.011
diff --git a/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml b/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
index d106fb093..cadbceac8 100644
--- a/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
+++ b/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
@@ -12,7 +12,7 @@ author: '@41thexplorer'
 date: 2018-11-20
 modified: 2023-02-20
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
index 855a3cd55..df248259c 100644
--- a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
+++ b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
@@ -13,8 +13,8 @@ author: Florian Roth (Nextron Systems), @41thexplorer
 date: 2018-11-20
 modified: 2023-03-08
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.t1218.011
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
index 123fa28ff..4ea908147 100644
--- a/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
+++ b/rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml
@@ -10,7 +10,7 @@ date: 2019-04-14
 modified: 2023-09-28
 tags:
     - attack.persistence
-    - attack.defense-evasion
+    - attack.defense-impairment
     - attack.t1112
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml b/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
index 01866f874..98ca577c4 100644
--- a/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
+++ b/rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
@@ -7,8 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-10
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.g0069
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
index e63a3424a..2ee196ea1 100644
--- a/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
@@ -18,11 +18,11 @@ tags:
     - attack.privilege-escalation
     - attack.execution
     - attack.persistence
+    - attack.defense-impairment
     - attack.g0049
     - attack.t1053.005
     - attack.s0111
     - attack.t1543.003
-    - attack.defense-evasion
     - attack.t1112
     - attack.command-and-control
     - attack.t1071.004
diff --git a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
index 47792f214..485567e0d 100644
--- a/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml
@@ -18,11 +18,11 @@ tags:
     - attack.privilege-escalation
     - attack.execution
     - attack.persistence
+    - attack.defense-impairment
     - attack.g0049
     - attack.t1053.005
     - attack.s0111
     - attack.t1543.003
-    - attack.defense-evasion
     - attack.t1112
     - attack.command-and-control
     - attack.t1071.004
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
index 8a1127aea..bec5e382a 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
@@ -18,11 +18,11 @@ tags:
     - attack.privilege-escalation
     - attack.execution
     - attack.persistence
+    - attack.defense-impairment
     - attack.g0049
     - attack.t1053.005
     - attack.s0111
     - attack.t1543.003
-    - attack.defense-evasion
     - attack.t1112
     - attack.command-and-control
     - attack.t1071.004
diff --git a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
index f15798a15..268ae8704 100644
--- a/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
+++ b/rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
@@ -18,11 +18,11 @@ tags:
     - attack.privilege-escalation
     - attack.execution
     - attack.persistence
+    - attack.defense-impairment
     - attack.g0049
     - attack.t1053.005
     - attack.s0111
     - attack.t1543.003
-    - attack.defense-evasion
     - attack.t1112
     - attack.command-and-control
     - attack.t1071.004
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
index 0dccbb91b..e35be332e 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
@@ -9,8 +9,8 @@ date: 2019-11-15
 modified: 2021-11-27
 tags:
     - attack.persistence
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1068
     - attack.execution
     - attack.t1059.003
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-14287/lnx_sudo_exploit_cve_2019_14287.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-14287/lnx_sudo_exploit_cve_2019_14287.yml
index c2c9352ad..1ef1a92f7 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-14287/lnx_sudo_exploit_cve_2019_14287.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-14287/lnx_sudo_exploit_cve_2019_14287.yml
@@ -13,7 +13,6 @@ author: Florian Roth (Nextron Systems)
 date: 2019-10-15
 modified: 2022-11-26
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
     - attack.t1068
     - attack.t1548.003
diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-14287/proc_creation_lnx_exploit_cve_2019_14287.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-14287/proc_creation_lnx_exploit_cve_2019_14287.yml
index 7c173ce41..acd7c8fc6 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-14287/proc_creation_lnx_exploit_cve_2019_14287.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-14287/proc_creation_lnx_exploit_cve_2019_14287.yml
@@ -10,7 +10,6 @@ author: Florian Roth (Nextron Systems)
 date: 2019-10-15
 modified: 2022-10-05
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
     - attack.t1068
     - attack.t1548.003
diff --git a/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml b/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
index 1ed49d349..4b4fe86bb 100644
--- a/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
+++ b/rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
@@ -9,8 +9,8 @@ date: 2019-02-24
 modified: 2023-03-08
 tags:
     - attack.execution
-    - attack.defense-evasion
     - attack.discovery
+    - attack.stealth
     - attack.t1012
     - attack.t1059.003
     - attack.t1059.001
diff --git a/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml b/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
index 4dd71e545..820050494 100644
--- a/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
+++ b/rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
@@ -9,8 +9,8 @@ author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali
 date: 2019-01-10
 modified: 2023-02-03
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1055
     - attack.discovery
     - attack.t1135
diff --git a/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml b/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
index 6ed472548..53af81eed 100644
--- a/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
+++ b/rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
@@ -12,8 +12,8 @@ date: 2019-09-30
 modified: 2023-02-04
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1059.001
-    - attack.defense-evasion
     - attack.t1027
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
index cd20b67c1..50845513c 100644
--- a/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
+++ b/rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml
@@ -10,8 +10,8 @@ date: 2019-02-13
 modified: 2025-10-22
 tags:
     - attack.persistence
-    - attack.defense-evasion
     - attack.execution
+    - attack.defense-impairment
     - attack.t1112
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml b/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
index 6cd18c003..92e7b4827 100644
--- a/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
+++ b/rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Ne
 date: 2019-10-02
 modified: 2023-03-29
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.010
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
index da6f6944f..fbd7b9f2c 100644
--- a/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
+++ b/rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
@@ -9,7 +9,7 @@ author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
 date: 2019-04-02
 modified: 2023-03-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.010
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml b/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
index 387db7a6a..3fe0f27ca 100644
--- a/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
+++ b/rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
@@ -9,8 +9,8 @@ author: Florian Roth (Nextron Systems)
 date: 2019-03-04
 modified: 2023-03-09
 tags:
+    - attack.stealth
     - attack.g0020
-    - attack.defense-evasion
     - attack.t1218.011
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
index 094caf27b..a5193197b 100644
--- a/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
+++ b/rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
@@ -15,8 +15,8 @@ tags:
     - attack.privilege-escalation
     - attack.persistence
     - attack.discovery
+    - attack.stealth
     - attack.t1012
-    - attack.defense-evasion
     - attack.t1036.004
     - attack.t1027
     - attack.execution
diff --git a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
index f43960fa7..dc4b1b32a 100644
--- a/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
+++ b/rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
@@ -13,8 +13,8 @@ tags:
     - attack.privilege-escalation
     - attack.persistence
     - attack.discovery
+    - attack.stealth
     - attack.t1012
-    - attack.defense-evasion
     - attack.t1036.004
     - attack.t1027
     - attack.execution
diff --git a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml
index 16b244a21..4d6549695 100644
--- a/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml
+++ b/rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml
@@ -12,7 +12,7 @@ modified: 2024-03-25
 tags:
     - attack.persistence
     - attack.execution
-    - attack.defense-evasion
+    - attack.defense-impairment
     - attack.t1112
     - cve.2020-1048
     - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
index bfe71e326..1186e2fef 100644
--- a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
+++ b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
@@ -12,8 +12,8 @@ date: 2020-05-14
 modified: 2022-10-09
 tags:
     - attack.persistence
-    - attack.defense-evasion
     - attack.execution
+    - attack.defense-impairment
     - attack.t1112
     - attack.t1047
     - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/registry_set_mal_blue_mockingbird.yml b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/registry_set_mal_blue_mockingbird.yml
index 584750849..73c6461c6 100644
--- a/rules-emerging-threats/2020/Malware/Blue-Mockingbird/registry_set_mal_blue_mockingbird.yml
+++ b/rules-emerging-threats/2020/Malware/Blue-Mockingbird/registry_set_mal_blue_mockingbird.yml
@@ -11,9 +11,9 @@ author: Trent Liffick (@tliffick)
 date: 2020-05-14
 modified: 2023-08-17
 tags:
-    - attack.defense-evasion
     - attack.execution
     - attack.persistence
+    - attack.defense-impairment
     - attack.t1112
     - attack.t1047
     - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml b/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml
index 406a970af..fbe9dfafd 100644
--- a/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml
+++ b/rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml
@@ -8,7 +8,6 @@ author: Florian Roth (Nextron Systems)
 date: 2020-05-26
 modified: 2024-02-26
 tags:
-    - attack.defense-evasion
     - attack.command-and-control
     - attack.t1071.001
     - attack.g0010
diff --git a/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml b/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml
index f807c753a..4fb8e6a9f 100644
--- a/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml
+++ b/rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml
@@ -9,7 +9,7 @@ author: FPT.EagleEye
 date: 2020-12-25
 modified: 2023-02-21
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml
index 5cc2c99be..91163276b 100644
--- a/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml
+++ b/rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml
@@ -10,8 +10,8 @@ author: NVISO
 date: 2020-06-09
 modified: 2024-03-20
 tags:
-    - attack.defense-evasion
     - attack.persistence
+    - attack.defense-impairment
     - attack.t1112
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml b/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml
index adac2bf95..34208d232 100644
--- a/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml
+++ b/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml
@@ -9,9 +9,9 @@ author: Markus Neis, Swisscom
 date: 2020-06-18
 modified: 2023-03-10
 tags:
+    - attack.defense-impairment
     - attack.g0004
-    - attack.defense-evasion
-    - attack.t1562.001
+    - attack.t1685
     - detection.emerging-threats
 logsource:
     category: process_creation
diff --git a/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml b/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
index 930f82675..7c7dfe124 100644
--- a/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
+++ b/rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2020-07-10
 modified: 2023-03-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml b/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
index af71f8438..754c95d5e 100644
--- a/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
+++ b/rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
@@ -8,12 +8,12 @@ author: Florian Roth (Nextron Systems)
 date: 2020-05-20
 modified: 2023-03-09
 tags:
+    - attack.stealth
     - attack.g0049
     - attack.execution
     - attack.t1059.001
     - attack.command-and-control
     - attack.t1105
-    - attack.defense-evasion
     - attack.t1036.005
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
index 36c897893..058bc9b1f 100644
--- a/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
+++ b/rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
@@ -9,8 +9,8 @@ date: 2020-07-30
 modified: 2021-11-27
 tags:
     - attack.privilege-escalation
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.t1055.001
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
index 8a06ce04c..ae524c8b7 100644
--- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
+++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
@@ -10,7 +10,8 @@ modified: 2021-11-27
 tags:
     - attack.privilege-escalation
     - attack.persistence
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1574.001
     - attack.g0044
     - detection.emerging-threats
diff --git a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
index f283f5018..905145401 100644
--- a/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
+++ b/rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
@@ -10,7 +10,8 @@ modified: 2021-11-27
 tags:
     - attack.privilege-escalation
     - attack.persistence
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1574.001
     - attack.g0044
     - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml
index b0c2e4be7..9974ee1a3 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml
@@ -10,8 +10,8 @@ author: Sittikorn S, Nuttakorn T, Tim Shelton
 date: 2021-07-01
 modified: 2023-10-23
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1055
     - detection.emerging-threats
     - cve.2021-34527
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_delete_win_exploit_cve_2021_1675_print_nightmare.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_delete_win_exploit_cve_2021_1675_print_nightmare.yml
index aa8978887..311533cdf 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_delete_win_exploit_cve_2021_1675_print_nightmare.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_delete_win_exploit_cve_2021_1675_print_nightmare.yml
@@ -10,8 +10,9 @@ date: 2021-07-01
 modified: 2023-02-17
 tags:
     - attack.persistence
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.execution
+    - attack.stealth
     - attack.t1574
     - cve.2021-1675
     - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml
index 2b01ae6fe..2c72bba40 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml
@@ -11,8 +11,9 @@ date: 2021-06-29
 modified: 2022-06-02
 tags:
     - attack.persistence
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.execution
+    - attack.stealth
     - attack.t1574
     - cve.2021-1675
     - cve.2021-34527
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-4034/lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-4034/lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml
index db1f5d2da..caac7aef4 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-4034/lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-4034/lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml
@@ -8,7 +8,6 @@ author: Sreeman
 date: 2022-01-26
 modified: 2024-09-11
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
     - attack.t1548.001
     - detection.emerging-threats
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
index 557ba1d39..e3b9f22f6 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
@@ -11,9 +11,9 @@ date: 2022-06-02
 modified: 2023-02-04
 tags:
     - attack.execution
-    - attack.defense-evasion
     - cve.2021-40444
     - detection.emerging-threats
+    - attack.stealth
 logsource:
     product: windows
     category: process_creation
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
index c8e6d692f..1dee6ffc9 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
@@ -9,8 +9,8 @@ date: 2021-12-22
 modified: 2022-12-25
 tags:
     - attack.privilege-escalation
-    - attack.defense-evasion
     - attack.persistence
+    - attack.stealth
     - attack.t1036
     - attack.t1098
     - cve.2021-42287
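Review bot: In the CVE-2021-40444 hunk the added `attack.stealth` tag is appended after `cve.2021-40444` and `detection.emerging-threats`, whereas the removed `attack.defense-evasion` line it replaces, and every other rule touched by this patch, keep the `attack.*` tags ahead of the `cve.*` and `detection.*` tags. Moving the added line up to the position the removed line occupied, directly under `- attack.execution`, keeps the tag order uniform across the rule set and makes the tactic-to-technique grouping readable at a glance. The same placement appears in the Devil-Bait `file_event` hunk and in both Goofy-Guineapig hunks (`file_event` and `proc_creation`), where `attack.stealth` likewise lands after `detection.emerging-threats`; those would benefit from the same move.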
diff --git a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
index 042d43a16..8507c0349 100644
--- a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -9,8 +9,8 @@ author: Florian Roth (Nextron Systems), Maxime Thiebaut
 date: 2021-08-23
 modified: 2024-12-01
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.defense-impairment
     - attack.t1553
     - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml b/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
index 961b0fe04..8d739da5d 100644
--- a/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
+++ b/rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
@@ -9,8 +9,8 @@ date: 2022-02-25
 modified: 2023-02-08
 tags:
     - attack.execution
-    - attack.defense-evasion
     - attack.impact
+    - attack.stealth
     - attack.t1485
     - attack.t1498
     - attack.t1059.001
diff --git a/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml b/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml
index 3ef31cd94..49fbbaa00 100644
--- a/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml
+++ b/rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml
@@ -13,7 +13,7 @@ date: 2022-01-24
modified: 2025-10-21
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
index 2608a6269..3bd0afd5e 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml
@@ -7,8 +7,8 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
product: windows
category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
index d980b7a18..1adae71ef 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
@@ -12,7 +12,7 @@ author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
date: 2023-05-15
modified: 2025-10-19
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
index 65988e332..2a6aa2a0f 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-14
tags:
- attack.execution
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
product: windows
category: file_event
diff --git a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
index 7cd983b2d..1f3373988 100644
--- a/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
+++ b/rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
@@ -7,8 +7,8 @@ references:
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2021/Malware/Netwire/registry_add_malware_netwire.yml b/rules-emerging-threats/2021/Malware/Netwire/registry_add_malware_netwire.yml
index 77917a6df..78795d558 100644
--- a/rules-emerging-threats/2021/Malware/Netwire/registry_add_malware_netwire.yml
+++ b/rules-emerging-threats/2021/Malware/Netwire/registry_add_malware_netwire.yml
@@ -13,7 +13,7 @@ date: 2021-10-07
modified: 2025-11-03
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
index f023e2d9b..45501b920 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml
@@ -15,8 +15,9 @@ date: 2021-05-05
modified: 2023-02-17
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.persistence
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
index 766f4abca..59373d4d0 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml
@@ -15,8 +15,9 @@ date: 2021-05-05
modified: 2023-02-17
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.persistence
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
index dd9a4e30f..6e5a42bb5 100644
--- a/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
+++ b/rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
@@ -15,8 +15,9 @@ date: 2021-05-05
modified: 2023-02-17
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.persistence
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
index 291cfbe4d..bba9a1c1f 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
@@ -7,7 +7,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2023-05-19
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1036.005
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
index b6b59c3f6..a5e8360b5 100644
--- a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
@@ -8,8 +8,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.persistence
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml b/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
index 3e2f55231..018b32daa 100644
--- a/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
+++ b/rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
@@ -8,8 +8,8 @@ author: Florian Roth (Nextron Systems)
date: 2021-09-07
modified: 2022-10-09
tags:
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.stealth
- attack.t1055
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml
index ff3b0d174..2c7f0cece 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml
@@ -9,7 +9,7 @@ author: Sittikorn S
date: 2020-05-31
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1221
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
index 58e81dd97..d81d277cc 100644
--- a/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
+++ b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml
@@ -7,8 +7,8 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
tags:
- - attack.defense-evasion
- attack.execution
+ - attack.stealth
- attack.t1218.011
- attack.t1059.001
- detection.emerging-threats
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
index f8d0f70be..88ef2b0d7 100644
--- a/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
@@ -10,9 +10,9 @@ author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2023-07-13
tags:
- attack.persistence
- - attack.defense-evasion
- cve.2023-36884
- detection.emerging-threats
+ - attack.stealth
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
index 354176b8c..50c7d2fe6 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
index a9297e710..6c1edfcbe 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml
@@ -8,8 +8,8 @@ author: X__Junior (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
category: file_event
product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
index 2cc5fefcd..620315e6e 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml
@@ -9,8 +9,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
tags:
- attack.persistence
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
product: windows
category: image_load
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
index a515c5931..10d162a29 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
index 769328190..ec56c1df9 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
index 26d3eb27b..409eb0460 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
@@ -8,8 +8,8 @@ author: X__Junior (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
category: process_creation
product: windows
diff --git a/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml b/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
index 8e73e2137..403b88e16 100644
--- a/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
+++ b/rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
@@ -7,9 +7,9 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
tags:
- - attack.defense-evasion
- attack.persistence
- detection.emerging-threats
+ - attack.stealth
logsource:
product: windows
service: system
diff --git a/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml
index 8b09f5e0f..8009af9fa 100644
--- a/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml
+++ b/rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml
@@ -10,7 +10,7 @@ author: '@kostastsale'
date: 2023-08-07
tags:
- attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
- attack.t1055
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
index 66474ffbb..852f14551 100644
--- a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
+++ b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
@@ -8,7 +8,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
index d05d96155..ed6d1d561 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
@@ -11,9 +11,9 @@ references:
author: Alejandro Houspanossian ('@lekz86')
date: 2024-01-02
tags:
- - attack.defense-evasion
- attack.command-and-control
- attack.execution
+ - attack.stealth
- attack.t1059.003
- attack.t1105
- attack.t1218
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
index f62ee3dab..a63641f9d 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
@@ -13,7 +13,7 @@ date: 2023-10-27
modified: 2024-01-26
tags:
- attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
- attack.t1055.012
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
index f96639ab8..38108f87a 100644
--- a/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
+++ b/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml
@@ -11,9 +11,9 @@ references:
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-26
tags:
- - attack.defense-evasion
- attack.execution
- detection.emerging-threats
+ - attack.stealth
logsource:
product: windows
category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
index 9b8e5582e..7542f1675 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
@@ -8,9 +8,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
modified: 2024-03-05
tags:
- - attack.defense-evasion
- attack.execution
- detection.emerging-threats
+ - attack.stealth
logsource:
product: windows
category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
index 99d65ad5b..93f2bf636 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
@@ -7,9 +7,9 @@ references:
author: X__Junior (Nextron Systems)
date: 2023-05-24
tags:
- - attack.defense-evasion
- attack.execution
- detection.emerging-threats
+ - attack.stealth
logsource:
product: windows
category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
index 181cee777..98a0ff5a5 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
@@ -8,9 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-05-24
modified: 2023-05-30
tags:
- - attack.defense-evasion
- attack.execution
- detection.emerging-threats
+ - attack.stealth
logsource:
product: windows
category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
index 68ab9c998..546577d4d 100644
--- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
+++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
@@ -7,9 +7,9 @@ references:
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-24
tags:
- - attack.defense-evasion
- attack.execution
- detection.emerging-threats
+ - attack.stealth
logsource:
product: windows
category: process_creation
diff --git a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
index 4ff234075..90b49f996 100644
--- a/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
+++ b/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
@@ -11,7 +11,7 @@ author: TropChaud
date: 2023-01-26
modified: 2023-02-05
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
index ad65e967c..54f6fdee8 100644
--- a/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
+++ b/rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
@@ -11,7 +11,6 @@ tags:
- attack.execution
- attack.t1059.003
- attack.t1059.001
- - attack.defense-evasion
- detection.emerging-threats
logsource:
category: process_creation
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
index a2e3c3f3a..d73b21d87 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml
@@ -23,8 +23,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-31
modified: 2024-11-23
tags:
- - attack.defense-evasion
- detection.emerging-threats
+ - attack.stealth
logsource:
category: image_load
product: windows
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
index bc7941a8d..6b281468e 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
@@ -23,7 +23,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2024-11-23
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
- attack.execution
- detection.emerging-threats
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
index c2f0253b4..22dc5a606 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
@@ -25,7 +25,7 @@ date: 2023-03-29
tags:
- attack.command-and-control
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
index 001f09e32..73202d5d5 100644
--- a/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
+++ b/rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
@@ -23,7 +23,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
- attack.execution
- detection.emerging-threats
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
index db6e3d967..e46670429 100644
--- a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
@@ -7,9 +7,10 @@ references:
author: CISA
date: 2023-12-18
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
index 9b4989d0b..c5da29f74 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml
@@ -7,9 +7,10 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
diff --git a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
index 4b03169c6..8978a5cd6 100644
--- a/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
+++ b/rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
@@ -8,8 +8,8 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
- detection.emerging-threats
logsource:
product: windows
diff --git a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
index c8cc16e68..efa2bc552 100644
--- a/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
+++ b/rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
@@ -8,9 +8,10 @@ references:
author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.persistence
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
- attack.g0032
- detection.emerging-threats
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
index 23aae15e2..ba0b625d1 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml
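Review bot: The Diamond-Sleet scheduled-task hunk swaps `- attack.t1562` for `- attack.t1685` with nothing in the hunk explaining the new technique, and T1685 appears in no other hunk of this diff, so the ID should be confirmed against the ATT&CK v19 technique list before merge rather than trusted from the bulk script. The hunk touches only the tag list, so whatever MITRE tag list the repository's rule validator checks presumably needs to be on v19 as well, or CI will reject the unknown ID; it is worth verifying that update ships with this change. If T1685 is the v19 successor of T1562 for this behaviour, a one-line mention in the commit description would make the remap auditable for anyone tracing detection coverage across versions.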
@@ -9,8 +9,8 @@ date: 2023-06-16
 tags:
 - attack.execution
 - attack.persistence
- - attack.defense-evasion
 - detection.emerging-threats
+ - attack.stealth
 logsource:
 product: linux
 category: file_event
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
index 4cd610e15..029dac67a 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml
@@ -10,8 +10,8 @@ modified: 2025-08-19
 tags:
 - attack.execution
 - attack.persistence
- - attack.defense-evasion
 - detection.emerging-threats
+ - attack.stealth
 logsource:
 product: linux
 category: file_event
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
index d00c1ce2a..dd33c7860 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 - detection.emerging-threats
 logsource:
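Review bot: In the `file_event_lnx_apt_unc4841_exfil_mail_pattern.yml` hunk the new `attack.stealth` tag is appended after `detection.emerging-threats`, so the tactic tag is no longer grouped with the other `attack.*` tags and a namespace other than `attack` sits in the middle of the list; the `proc_creation_lnx_apt_unc4841_openssl_connection.yml` hunk on this same line does the replacement in place, which reads as the intended style. The same trailing placement appears in file_event_lnx_apt_unc4841_file_indicators.yml, win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml, paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml, file_event_win_malware_kapeka_backdoor_indicators.yml, proc_creation_win_apt_forest_blizzard_activity.yml and file_event_win_apt_unknown_exploitation_indicators.yml, and in microsoft365_susp_email_forwarding_activity.yml and file_event_lnx_susp_long_filename_pattern.yml the inserted `attack.stealth` lands between a different tactic and its technique tag. I would put the new tactic tag where the removed one stood, i.e. here `+    - attack.stealth` directly before `    - detection.emerging-threats`, so tactic and technique pairs stay adjacent and the `detection.*` tag stays last as elsewhere in this diff.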
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
index e5d4acd43..b64f6a851 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
index 5bd1f1def..758715849 100644
--- a/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
+++ b/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
index 505d056c3..491ed638d 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml
@@ -15,9 +15,9 @@ references:
 author: Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress
 date: 2024-02-20
 tags:
- - attack.defense-evasion
 - cve.2024-1709
 - detection.emerging-threats
+ - attack.defense-impairment
 logsource:
 product: windows
 service: security
diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml
index f82f7f2da..2a8367b96 100644
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml
+++ b/rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml
@@ -15,9 +15,9 @@ tags:
 - attack.initial-access
 - attack.persistence
 - attack.privilege-escalation
- - attack.defense-evasion
 - cve.2024-3400
 - detection.emerging-threats
+ - attack.stealth
 logsource:
 category: appliance
 product: paloalto
diff --git a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml
index 2fb0416ce..2524114f5 100644
--- a/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml
+++ b/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml
@@ -14,7 +14,7 @@ author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024-12-19
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1055
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
index 1c05db50c..49b6a963b 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
@@ -13,8 +13,9 @@ author: Swachchhanda Shrawan Poudel
 date: 2024-07-31
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
 - attack.t1574.001
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
index c8327f904..9ed930820 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml
@@ -10,8 +10,8 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-03-07
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1218.011
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
index 80a7329bf..265fc6b62 100644
--- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
+++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml
@@ -16,8 +16,8 @@ author: Swachchhanda Shrawan Poudel
 date: 2024-07-31
 tags:
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1112
- - attack.defense-evasion
 - detection.emerging-threats
 logsource:
 category: registry_set
diff --git a/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml b/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
index bf5f653c4..2d9e23ba2 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml
@@ -10,8 +10,8 @@ references:
 author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-03
 tags:
- - attack.defense-evasion
 - detection.emerging-threats
+ - attack.stealth
 logsource:
 category: file_event
 product: windows
diff --git a/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml b/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
index b33d2ab92..509c0ebbd 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml
@@ -11,8 +11,8 @@ author: Swachchhanda Shrawan Poudel
 date: 2024-07-03
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1204.002
- - attack.defense-evasion
 - attack.t1218.011
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
index ef65d9c71..a02de1154 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml
@@ -9,7 +9,7 @@ references:
 author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.011
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
index 08f0a67b7..b12644dec 100644
--- a/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
+++ b/rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml
@@ -11,7 +11,7 @@ author: Swachchhanda Shrawan Poudel
 date: 2024-07-03
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.003
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
index d2f700f99..0edf79382 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml
@@ -10,8 +10,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-04-23
 modified: 2024-07-11
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 - detection.emerging-threats
 logsource:
 category: file_event
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
index f84175c42..27343effd 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml
@@ -9,8 +9,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-04-23
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 - detection.emerging-threats
 logsource:
 category: file_event
diff --git a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
index fc8e078fe..ba62f07d7 100644
--- a/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
+++ b/rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml
@@ -10,9 +10,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-04-23
 modified: 2025-01-22
 tags:
- - attack.defense-evasion
 - attack.execution
 - detection.emerging-threats
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
index 274b0c3b6..b1b036992 100644
--- a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
+++ b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
@@ -8,8 +8,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-02-23
 tags:
- - attack.defense-evasion
 - detection.emerging-threats
+ - attack.stealth
 logsource:
 product: windows
 category: file_event
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml
index a1b498c42..915eefa1f 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml
@@ -18,7 +18,7 @@ date: 2025-06-13
 tags:
 - attack.command-and-control
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.lateral-movement
 - attack.t1105
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml
index e1919d9d9..99eb8daf5 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml
@@ -21,7 +21,7 @@ date: 2025-06-13
 tags:
 - attack.command-and-control
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.lateral-movement
 - attack.t1105
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml
index be0a641ae..b52f6ed70 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml
@@ -21,7 +21,7 @@ date: 2025-06-13
 tags:
 - attack.command-and-control
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.lateral-movement
 - attack.t1105
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml
index 57ecd307e..d5563e45b 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml
@@ -13,7 +13,8 @@ date: 2025-06-26
 tags:
 - attack.persistence
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1574.008
 - cve.2025-49144
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml
index d23a97ea9..036dcf8a1 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml
@@ -11,8 +11,8 @@ date: 2025-10-20
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.001
 - detection.emerging-threats
 - cve.2025-57788
diff --git a/rules-emerging-threats/2025/Exploits/CVE_2025_4598/proc_creation_lnx_exploit_cve_2025_5054_or_cve_2025_4598.yml b/rules-emerging-threats/2025/Exploits/CVE_2025_4598/proc_creation_lnx_exploit_cve_2025_5054_or_cve_2025_4598.yml
index b85d01090..abb5f5f42 100644
--- a/rules-emerging-threats/2025/Exploits/CVE_2025_4598/proc_creation_lnx_exploit_cve_2025_5054_or_cve_2025_4598.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE_2025_4598/proc_creation_lnx_exploit_cve_2025_5054_or_cve_2025_4598.yml
@@ -15,7 +15,6 @@ author: Milad Cheraghi
 date: 2026-04-28
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.credential-access
 - attack.t1548
 - attack.t1003
diff --git a/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/file_event_macos_malware_amos_persistence.yml b/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/file_event_macos_malware_amos_persistence.yml
index 7a398a291..57640f971 100644
--- a/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/file_event_macos_malware_amos_persistence.yml
+++ b/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/file_event_macos_malware_amos_persistence.yml
@@ -11,7 +11,7 @@ date: 2025-11-22
 tags:
 - attack.persistence
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.001
 - attack.t1543.004
 - detection.emerging-threats
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml b/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml
index 3e61111bd..8863a9de0 100644
--- a/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml
+++ b/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators.yml
@@ -15,7 +15,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
 date: 2026-04-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.005
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml b/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml
index a2e8e44db..7920c7f78 100644
--- a/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml
+++ b/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe.yml
@@ -14,9 +14,10 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
 date: 2026-04-17
 tags:
 - attack.privilege-escalation
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1055
- - attack.t1562.001
- - attack.defense-evasion
+ - attack.t1685
 - detection.emerging-threats
 logsource:
 category: pipe_created
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml b/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml
index 0ccae7c08..2b52fea5a 100644
--- a/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml
+++ b/rules-emerging-threats/2026/Exploits/RedSun/proc_creation_win_redsun_conhost_via_tiering_engine.yml
@@ -25,8 +25,8 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
 date: 2026-04-17
 tags:
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1134.002
- - attack.defense-evasion
 - attack.t1036.005
 - detection.emerging-threats
 logsource:
diff --git a/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml b/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml
index e0e43bff1..ecc28552d 100644
--- a/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml
+++ b/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml
@@ -22,9 +22,10 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2026-04-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1036.005
- - attack.t1562.001
+ - attack.t1685
 - attack.privilege-escalation
 - attack.t1055
 - detection.emerging-threats
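Review bot: The `pipe_created_win_exploit_redsun_named_pipe.yml` hunk replaces the sub-technique tag `attack.t1562.001` with the parent `attack.t1685`, and the `win_defender_exploit_redsun_tiering_engine_detected_as_eicar.yml` hunk on this same line does the same, while the two Forest-Blizzard hunks map `attack.t1562.002` to the sub-technique `attack.t1685.001`; so the remap keeps sub-technique granularity for one old ID and drops it for the other. If ATT&CK v19 defines a sub-technique under T1685 that corresponds to the old T1562.001, the rule should keep that level of detail, otherwise a short sentence in the PR description noting that T1562.001 has no direct sub-technique successor would make the asymmetry deliberate rather than look like an oversight. I cannot verify the v19 mapping from the diff alone, so treat this as a question rather than a defect.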
diff --git a/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_lnx_axios_npm_compromise_indicators.yml b/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_lnx_axios_npm_compromise_indicators.yml
index 9c641ef54..1edd84641 100644
--- a/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_lnx_axios_npm_compromise_indicators.yml
+++ b/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_lnx_axios_npm_compromise_indicators.yml
@@ -18,7 +18,6 @@ tags:
 - attack.t1195.002
 - attack.execution
 - attack.command-and-control
- - attack.defense-evasion
 - attack.t1059.006
 - attack.t1059.004
 - attack.t1105
diff --git a/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_macos_axios_npm_compromise_indicators.yml b/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_macos_axios_npm_compromise_indicators.yml
index 24a21e19d..f1563f96c 100644
--- a/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_macos_axios_npm_compromise_indicators.yml
+++ b/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_macos_axios_npm_compromise_indicators.yml
@@ -16,7 +16,6 @@ tags:
 - attack.t1195.002
 - attack.execution
 - attack.command-and-control
- - attack.defense-evasion
 - attack.t1059.002
 - attack.t1059.004
 - attack.t1105
diff --git a/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_win_axios_npm_compromise_indicators.yml b/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_win_axios_npm_compromise_indicators.yml
index a3ea3e82a..c497aef53 100644
--- a/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_win_axios_npm_compromise_indicators.yml
+++ b/rules-emerging-threats/2026/Malware/Axios-NPM-Compromise/proc_creation_win_axios_npm_compromise_indicators.yml
@@ -19,7 +19,6 @@ tags:
 - attack.t1195.002
 - attack.execution
 - attack.command-and-control
- - attack.defense-evasion
 - attack.t1059.003
 - attack.t1059.005
 - attack.t1105
diff --git a/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml b/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml
index dc57d4148..848d00cae 100644
--- a/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml
+++ b/rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml
@@ -10,9 +10,9 @@ author: Ivan Saakov
 date: 2025-10-19
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules-placeholder/cloud/azure/audit_logs/azure_ad_account_created_deleted_nonapproved_user.yml b/rules-placeholder/cloud/azure/audit_logs/azure_ad_account_created_deleted_nonapproved_user.yml
index 7d6a24509..4b4947c4b 100644
--- a/rules-placeholder/cloud/azure/audit_logs/azure_ad_account_created_deleted_nonapproved_user.yml
+++ b/rules-placeholder/cloud/azure/audit_logs/azure_ad_account_created_deleted_nonapproved_user.yml
@@ -8,10 +8,10 @@ author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
 date: 2022-08-11
 modified: 2023-12-15
 tags:
- - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/signin_logs/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/signin_logs/azure_ad_account_signin_outside_hours.yml
index ad1ed1388..ffdf6ae5b 100644
--- a/rules-placeholder/cloud/azure/signin_logs/azure_ad_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/signin_logs/azure_ad_account_signin_outside_hours.yml
@@ -9,9 +9,9 @@ date: 2022-08-11
 modified: 2023-12-15
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_no_saw_paw.yml
index 12f7a11a1..062aa1465 100644
--- a/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_no_saw_paw.yml
+++ b/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_no_saw_paw.yml
@@ -8,10 +8,10 @@ author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-11
 modified: 2023-12-15
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
 - attack.persistence
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_sigin_expected_controls.yml
index 2fb3fc614..f2824a11b 100644
--- a/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_sigin_expected_controls.yml
+++ b/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_sigin_expected_controls.yml
@@ -8,10 +8,10 @@ author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-11
 modified: 2023-12-15
 tags:
- - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_signin_outside_hours.yml
index ec70d6ce6..3c99f6026 100644
--- a/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_signin_outside_hours.yml
+++ b/rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_signin_outside_hours.yml
@@ -9,9 +9,9 @@ date: 2022-08-11
 modified: 2023-12-15
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules-placeholder/identity/okta/okta_session_impersonation_granted.yml b/rules-placeholder/identity/okta/okta_session_impersonation_granted.yml
index 90fefb783..7f72350c5 100644
--- a/rules-placeholder/identity/okta/okta_session_impersonation_granted.yml
+++ b/rules-placeholder/identity/okta/okta_session_impersonation_granted.yml
@@ -14,7 +14,7 @@ author: zendannyy
 date: 2026-04-28
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1484.002
 - attack.initial-access
 - attack.t1199
diff --git a/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml b/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
index a2e3a7180..371a6664a 100644
--- a/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_admin_logon.yml
@@ -10,7 +10,6 @@ author: frack113
 date: 2022-10-14
 modified: 2023-12-14
 tags:
- - attack.defense-evasion
 - attack.lateral-movement
 - attack.credential-access
 - attack.t1558
diff --git a/rules-placeholder/windows/builtin/security/win_security_modification_of_msds_dmsa_link_attribute.yml b/rules-placeholder/windows/builtin/security/win_security_modification_of_msds_dmsa_link_attribute.yml
index 4afb6e1bf..58d71aad4 100644
--- a/rules-placeholder/windows/builtin/security/win_security_modification_of_msds_dmsa_link_attribute.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_modification_of_msds_dmsa_link_attribute.yml
@@ -16,8 +16,8 @@ date: 2025-05-24
 tags:
 - attack.privilege-escalation
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.stealth
 - attack.t1078.002
 - attack.t1098
 logsource:
diff --git a/rules-placeholder/windows/builtin/security/win_security_msds_dmsa_object_creation.yml b/rules-placeholder/windows/builtin/security/win_security_msds_dmsa_object_creation.yml
index dd580cb96..2924fab4e 100644
--- a/rules-placeholder/windows/builtin/security/win_security_msds_dmsa_object_creation.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_msds_dmsa_object_creation.yml
@@ -19,8 +19,8 @@ date: 2025-05-24
 tags:
 - attack.privilege-escalation
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.stealth
 - attack.t1078.002
 - attack.t1098
 logsource:
diff --git a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
index f9bd1e2ad..b1bce3bb4 100644
--- a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
@@ -9,7 +9,6 @@ date: 2017-03-08
 modified: 2023-12-15
 tags:
 - attack.lateral-movement
- - attack.defense-evasion
 - attack.t1550.002
 - car.2016-04-004
 logsource:
diff --git a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
index 89bd8872b..9208b7f5d 100644
--- a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
@@ -9,9 +9,9 @@ date: 2019-10-22
 modified: 2023-12-15
 tags:
 - attack.credential-access
- - attack.defense-evasion
 - attack.persistence
 - attack.discovery
+ - attack.defense-impairment
 - attack.s0075
 - attack.t1012
 - attack.t1112
diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
index 6467d75d7..519749e4c 100644
--- a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
@@ -9,10 +9,10 @@ date: 2017-03-17
 modified: 2023-12-15
 tags:
 - attack.lateral-movement
- - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078
 logsource:
 product: windows
diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
index 2eed77647..e8afe22be 100644
--- a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
+++ b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml
@@ -10,8 +10,8 @@ date: 2023-10-11
 modified: 2024-11-17
 tags:
 - attack.collection
+ - attack.stealth
 - attack.t1114.003
- - attack.defense-evasion
 - attack.t1564.008
 - attack.exfiltration
 - attack.t1020
diff --git a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_inbox_rule_creation_or_update_activity.yml b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_inbox_rule_creation_or_update_activity.yml
index 91d165d37..2ee7690b1 100644
--- a/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_inbox_rule_creation_or_update_activity.yml
+++ b/rules-threat-hunting/cloud/m365/audit/microsoft365_susp_inbox_rule_creation_or_update_activity.yml
@@ -12,7 +12,7 @@ references:
 author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
 date: 2026-01-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.008
 - attack.exfiltration
 - attack.collection
diff --git a/rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml b/rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml
index a587c2e4a..50ec424b0 100644
--- a/rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml
+++ b/rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml
@@ -11,8 +11,8 @@ author: '@kostastsale'
 date: 2025-11-22
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.004
- - attack.defense-evasion
 - attack.t1027
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml
index 78192617d..3aa364e23 100644
--- a/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml
+++ b/rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml
@@ -10,8 +10,8 @@ author: Tuan Le (NCSGroup)
 date: 2023-03-16
 modified: 2024-12-12
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 - detection.threat-hunting
 logsource:
 product: linux
diff --git a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
index 29c492e43..fcb94a896 100644
--- a/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
+++ b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-02-19
 modified: 2024-01-22
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 - detection.threat-hunting
 logsource:
 product: windows
diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
index ebae49d4b..0e155cefc 100644
--- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
@@ -8,8 +8,8 @@ author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019-08-11
 modified: 2024-01-22
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055.001
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
index 82033bae0..d2af7204c 100644
--- a/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
@@ -11,8 +11,8 @@ author: Splunk Research Team
 date: 2024-07-29
 modified: 2025-07-04
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
index b9860563c..daaf94b0d 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
@@ -12,8 +12,8 @@ author: frack113
 date: 2024-05-10
 modified: 2024-07-29
 tags:
+ - attack.stealth
 - attack.t1070.008
- - attack.defense-evasion
 - detection.threat-hunting
 logsource:
 category: file_access
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
index c53dd2a43..365111892 100644
--- a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
+++ b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2023-09-15
 modified: 2024-07-29
 tags:
+ - attack.defense-impairment
 - attack.t1112
- - attack.defense-evasion
 - attack.persistence
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/file/file_change/file_change_win_date_changed_to_another_year.yml b/rules-threat-hunting/windows/file/file_change/file_change_win_date_changed_to_another_year.yml
index 4e9efc4c6..b9dbca063 100644
--- a/rules-threat-hunting/windows/file/file_change/file_change_win_date_changed_to_another_year.yml
+++ b/rules-threat-hunting/windows/file/file_change/file_change_win_date_changed_to_another_year.yml
@@ -14,8 +14,8 @@ author: frack113, Florian Roth (Nextron Systems)
 date: 2022-08-12
 modified: 2026-01-20
 tags:
+ - attack.stealth
 - attack.t1070.006
- - attack.defense-evasion
 - detection.threat-hunting
 logsource:
 category: file_change
diff --git a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml
index be652cdc8..46940cfdb 100644
--- a/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml
+++ b/rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml
@@ -10,7 +10,7 @@ references:
 author: frack113
 date: 2023-09-04
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.004
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml
index cb40910c2..506637d8a 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml
@@ -7,8 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-07
 tags:
- - attack.defense-evasion
 - detection.threat-hunting
+ - attack.stealth
 logsource:
 category: file_event
 product: windows
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
index 54ae1b45b..84ad8142d 100644
--- a/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
@@ -9,8 +9,8 @@ references:
 author: Andreas Braathen (mnemonic.io)
 date: 2025-01-30
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 - detection.threat-hunting
 logsource:
 category: file_event
diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml
index 4ef616ca9..1a551c2e4 100644
--- a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml
+++ b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml
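Review bot: In the `file_event_win_dump_file_creation.yml` hunk the new `attack.stealth` tag is appended after `detection.threat-hunting`, whereas every other hunk in this patch that substitutes a tactic keeps the `attack.*` tags ahead of the `detection.*` tag (tactics, then techniques, then `detection.*`). Move the added line up so the list reads `- attack.stealth` followed by `- detection.threat-hunting`; the same append-at-end placement shows up later in the `cmd_set_prompt_abuse`, `dfsvc_child_processes` and `office_svchost_parent` hunks. Cosmetic, but tag order is what maintainers scan when reviewing taxonomy mappings, and a tactic tag hidden behind the `detection.*` marker is easy to miss.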
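Review bot: The WDAC hunk replaces the sub-technique `attack.t1562.001` with the bare technique `attack.t1685`, so the rule loses the "disable or modify tools" precision it previously carried, while the firewall hunks in this same patch preserve sub-technique precision (`t1562.004` → `t1686.003`). If ATT&CK v19 exposes a sub-technique for tool disabling under T1685 it should be used here and in the WerFaultSecure and Bitbucket hunks that receive the same mapping; if v19 genuinely flattens it, a one-line note in the PR description would save the next reviewer the lookup. I cannot verify the v19 mapping from the diff itself, so this is a request to confirm rather than an assertion that the mapping is wrong.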
@@ -10,7 +10,7 @@ author: frack113
 date: 2022-02-19
 modified: 2023-11-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.008
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
index 00a6ddecb..f7683986f 100644
--- a/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml
@@ -10,7 +10,6 @@ author: frack113
 date: 2023-03-12
 modified: 2025-02-24
 tags:
- - attack.defense-evasion
 - attack.impact
 - attack.t1490
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_bitsproxy_load_by_uncommon_process.yml b/rules-threat-hunting/windows/image_load/image_load_dll_bitsproxy_load_by_uncommon_process.yml
index 0b703e898..d5647f474 100644
--- a/rules-threat-hunting/windows/image_load/image_load_dll_bitsproxy_load_by_uncommon_process.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_bitsproxy_load_by_uncommon_process.yml
@@ -9,8 +9,9 @@ references:
 author: UnicornOfHunt
 date: 2025-06-04
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml b/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml
index 38841126f..a08447ae2 100644
--- a/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml
+++ b/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml
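Review bot: In the `image_load_dll_amsi_uncommon_process.yml` hunk `attack.defense-evasion` is removed and nothing replaces it, leaving the rule tagged only `attack.impact` / `attack.t1490` (Inhibit System Recovery), which does not describe an amsi.dll image load. Going by the rule name, amsi.dll being loaded by an uncommon process is an AMSI tampering/bypass signal — the same category this patch maps to `attack.defense-impairment` + `attack.t1685` in the WDAC and WerFaultSecure hunks — so that mapping looks like the consistent choice here rather than dropping the tactic outright. Whether `attack.t1490` was ever the intended technique is worth checking in the same pass; it reads like a pre-existing mistake, but the detection logic is not in this diff, so treat that as a question rather than a finding.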
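Review bot: The bitsproxy hunk adds `attack.execution` in addition to the `attack.stealth` substitution, which is a new tactic mapping rather than the one-for-one tag rename the commit title describes, and nothing else in this patch adds a tactic that was not there before. If v19 now lists T1197 (BITS Jobs) under Execution this is correct and should be called out in the commit message; if it does not, the extra line is scope creep in a chore commit and belongs in its own change where a reviewer can check it against the rule's detection logic, which is outside this hunk.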
@@ -19,8 +19,8 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-11-27
 modified: 2026-01-09
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 - detection.threat-hunting
 logsource:
 category: image_load
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml
index 2c2ddb189..d5c246d4c 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml
@@ -12,7 +12,7 @@ author: bartblaze
 date: 2020-07-13
 modified: 2024-07-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.execution
 - attack.t1559.001
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml
index 5bdef359f..c14b24156 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml
@@ -12,7 +12,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.001
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml
index a3a3c54f7..89e5bbc9e 100644
--- a/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml
+++ b/rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml
@@ -12,7 +12,7 @@ author: frack113
 date: 2022-01-16
 modified: 2024-07-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.007
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_email_forwarding_activity.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_email_forwarding_activity.yml
index 27c9d50e8..e5225b678 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_email_forwarding_activity.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_email_forwarding_activity.yml
@@ -14,8 +14,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Marco Pedrinazzi (@pedrinazzi
 date: 2026-03-01
 tags:
 - attack.collection
+ - attack.stealth
 - attack.t1114.003
- - attack.defense-evasion
 - attack.t1564.008
 - attack.exfiltration
 - attack.t1020
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_inbox_rule_creation_or_update_activity.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_inbox_rule_creation_or_update_activity.yml
index eea44f467..7424b5be6 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_inbox_rule_creation_or_update_activity.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_inbox_rule_creation_or_update_activity.yml
@@ -15,7 +15,7 @@ references:
 author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
 date: 2026-02-10
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.008
 - attack.exfiltration
 - attack.collection
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
index 3246a0de3..9c5a966cb 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml
@@ -7,7 +7,7 @@ references:
 author: frack113
 date: 2023-07-08
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.008
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
index 8b1da733a..0caadb48d 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
@@ -13,8 +13,8 @@ references:
 author: frack113
 date: 2024-05-10
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 - detection.threat-hunting
 logsource:
 product: windows
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
index 19dbde591..a841207ef 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -9,7 +9,7 @@ author: frack113
 date: 2022-01-15
 modified: 2022-03-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.004
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index 0703f49b7..3b4e14130 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -14,7 +14,7 @@ author: frack113
 date: 2022-12-27
 modified: 2025-10-19
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.009
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml b/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
index 9d5f38714..98723782a 100644
--- a/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
@@ -8,8 +8,8 @@ author: Bhabesh Raj
 date: 2022-03-11
 modified: 2024-07-02
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
index 91b43c386..a88e98e4b 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
@@ -13,7 +13,7 @@ author: frack113
 date: 2022-02-04
 modified: 2023-03-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.001
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
index 43802c60a..450a66dcc 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml
@@ -11,7 +11,7 @@ author: Matt Anderson (Huntress)
 date: 2024-07-23
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml
index 469408d61..0eef239bf 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml
@@ -14,8 +14,8 @@ author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikha
 date: 2024-08-22
 tags:
 - attack.execution
- - attack.defense-evasion
 - detection.threat-hunting
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
index d7ed21d40..93db86f4d 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml
@@ -12,7 +12,6 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-23
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.t1059.001
 - attack.t1059.003
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml
index 68dd42702..4e87dbb7b 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml
@@ -13,7 +13,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-02
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.004
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml
index 8b60e8d80..f00af1ba3 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-12
 tags:
 - attack.execution
- - attack.defense-evasion
 - detection.threat-hunting
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml
index 153e3b3c4..e32414bb0 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml
@@ -19,7 +19,7 @@ references:
 author: Harjot Singh @cyb3rjy0t
 date: 2023-09-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.execution
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml
index baf4ce03a..3754a36ca 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml
@@ -21,7 +21,7 @@ author: Ivan Dyachkov, oscd.community
 date: 2020-10-07
 modified: 2024-03-13
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.execution
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml
index 3d52b839a..b05019132 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml
@@ -13,7 +13,7 @@ author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
 date: 2020-10-05
 modified: 2024-06-21
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml
index 836431d29..903d5a102 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml
@@ -16,7 +16,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021-11-26
 modified: 2024-08-26
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
index 867788915..5e1220234 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
@@ -13,7 +13,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024-02-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml
index 2df26f9bb..23344f423 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml
@@ -11,8 +11,8 @@ author: Nik Seetharaman, frack113
 date: 2019-01-16
 modified: 2023-02-03
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1127
 - attack.t1218
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml
index c728e9e55..9cc44b6c6 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml
@@ -15,7 +15,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024-01-19
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml
index 6846eb04b..b706c3fcd 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml
@@ -12,8 +12,8 @@ date: 2022-10-13
 modified: 2023-12-19
 tags:
 - attack.execution
- - attack.defense-evasion
 - detection.threat-hunting
+ - attack.stealth
 logsource:
 product: windows
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
index e3352f88f..0572c2944 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
@@ -12,8 +12,8 @@ references:
 author: Andreas Braathen (mnemonic.io)
 date: 2023-12-01
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
 - attack.t1027.010
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
index 4334b1c04..22bec3347 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
@@ -13,8 +13,8 @@ references:
 author: frack113
 date: 2024-05-03
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 - detection.threat-hunting
 logsource:
 category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
index c8ee47894..14720b30c 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
@@ -15,7 +15,7 @@ references:
 author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
 date: 2023-10-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
index 2ad6fc2d4..8379a7f82 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
@@ -11,7 +11,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-10-22
 modified: 2024-07-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.011
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
index 065909254..4e7ead131 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
@@ -13,7 +13,7 @@ references:
 author: Andreas Braathen (mnemonic.io)
 date: 2023-10-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
index 515e4bd1a..0e61822c7 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
@@ -18,7 +18,7 @@ author: frack113, Florian Roth (Nextron Systems)
 date: 2022-01-15
 modified: 2024-09-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
index fd0367f5a..0f622481a 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
@@ -13,7 +13,6 @@ date: 2023-11-23
 modified: 2025-03-06
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.execution
 - attack.t1059
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
index 0aa298481..2255feea9 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-01
 modified: 2023-03-02
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
index 571c60200..1904196fa 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
@@ -10,7 +10,7 @@ author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron System
 date: 2019-10-23
 modified: 2023-11-21
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1222.001
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
index 8be9ac794..d2e70de04 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
@@ -20,7 +20,7 @@ author: frack113, Nasreddine Bencherchali
 date: 2022-08-07
 modified: 2025-10-22
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.004
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_parent_execute_itself.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_parent_execute_itself.yml
index f261a4abf..a7c851a3a 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_parent_execute_itself.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_parent_execute_itself.yml
@@ -10,8 +10,8 @@ references:
 author: frack113
 date: 2025-10-17
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml
index 279c5e148..62a42453f 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml
@@ -14,7 +14,7 @@ date: 2020-10-05
 modified: 2023-04-12
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.t1202
 - detection.threat-hunting
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
index d22744cc0..f9fe3d32b 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml
@@ -11,8 +11,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-21
 modified: 2023-08-17
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1112
 - detection.threat-hunting
 logsource:
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
index e761849b9..daa8a3db0 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -11,10 +11,10 @@ references:
 author: Andreas Braathen (mnemonic.io)
 date: 2023-12-01
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1059.001
 - attack.t1027.010
 - attack.t1547.001
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
index c49b58e8c..3af828155 100644
--- a/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml
@@ -15,8 +15,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems
 date: 2022-05-02
 modified: 2024-03-25
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1112
 - detection.threat-hunting
 logsource:
diff --git a/rules/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml b/rules/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
index d85ad0009..03e1aafba 100644
--- a/rules/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
+++ b/rules/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml
@@ -8,8 +8,8 @@ references:
 author: Muhammad Faisal (@faisalusuf)
 date: 2024-02-25
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: bitbucket
 service: audit
diff --git a/rules/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
index 88bb6f277..9c319376b 100644
--- a/rules/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
+++ b/rules/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml
@@ -9,8 +9,8 @@ author: Muhammad Faisal (@faisalusuf)
 date: 2024-02-25
 tags:
 - attack.lateral-movement
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 - attack.t1021.004
 logsource:
 product: bitbucket
diff --git a/rules/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
index cb09d1cda..05e7db08d 100644
--- a/rules/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
+++ b/rules/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml
@@ -7,8 +7,8 @@ references:
 author: Muhammad Faisal (@faisalusuf)
 date: 2024-02-25
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: bitbucket
 service: audit
diff --git a/rules/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml b/rules/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
index 1b5a7a1fb..21407cfc2 100644
--- a/rules/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
+++ b/rules/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml
@@ -8,8 +8,8 @@ references:
 author: Muhammad Faisal (@faisalusuf)
 date: 2024-02-25
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: bitbucket
 service: audit
diff --git a/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
index 2b4c012ae..88144a16e 100644
--- a/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
+++ b/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml
@@ -8,8 +8,8 @@ references:
 author: Muhammad Faisal (@faisalusuf)
 date: 2024-02-25
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: bitbucket
 service: audit
diff --git a/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml b/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
index dce9a90f6..1bfa54987 100644
--- a/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
+++ b/rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml
@@ -8,8 +8,8 @@ references:
 author: Muhammad Faisal (@faisalusuf)
 date: 2024-02-25
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: bitbucket
 service: audit
diff --git a/rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml b/rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
index bd758e045..a86c89cd5 100644
--- a/rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
+++ b/rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml
@@ -12,8 +12,8 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
 - attack.credential-access
+ - attack.stealth
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/application/github/audit/github_disable_high_risk_configuration.yml b/rules/application/github/audit/github_disable_high_risk_configuration.yml
index 1e9081c2c..9c47405c1 100644
--- a/rules/application/github/audit/github_disable_high_risk_configuration.yml
+++ b/rules/application/github/audit/github_disable_high_risk_configuration.yml
@@ -12,8 +12,8 @@ date: 2023-01-29
 modified: 2024-07-22
 tags:
 - attack.credential-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1556
 logsource:
 product: github
diff --git a/rules/application/github/audit/github_new_secret_created.yml b/rules/application/github/audit/github_new_secret_created.yml
index 5658c6e95..ce68b826a 100644
--- a/rules/application/github/audit/github_new_secret_created.yml
+++ b/rules/application/github/audit/github_new_secret_created.yml
@@ -7,10 +7,10 @@ date: 2023-01-20
 references:
 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: github
diff --git a/rules/application/github/audit/github_push_protection_bypass_detected.yml b/rules/application/github/audit/github_push_protection_bypass_detected.yml
index a619e57d3..0728bfa40 100644
--- a/rules/application/github/audit/github_push_protection_bypass_detected.yml
+++ b/rules/application/github/audit/github_push_protection_bypass_detected.yml
@@ -8,8 +8,8 @@ references:
 author: Muhammad Faisal (@faisalusuf)
 date: 2024-03-07
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: github
 service: audit
diff --git a/rules/application/github/audit/github_push_protection_disabled.yml b/rules/application/github/audit/github_push_protection_disabled.yml
index 296b8125e..11811fe0a 100644
--- a/rules/application/github/audit/github_push_protection_disabled.yml
+++ b/rules/application/github/audit/github_push_protection_disabled.yml
@@ -8,8 +8,8 @@ references:
 author: Muhammad Faisal (@faisalusuf)
 date: 2024-03-07
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: github
 service: audit
diff --git a/rules/application/github/audit/github_repository_archive_status_changed.yml b/rules/application/github/audit/github_repository_archive_status_changed.yml
index 7a469e5f4..4942722ae 100644
--- a/rules/application/github/audit/github_repository_archive_status_changed.yml
+++ b/rules/application/github/audit/github_repository_archive_status_changed.yml
@@ -11,8 +11,8 @@ author: Ivan Saakov
 date: 2025-10-18
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.impact
+ - attack.defense-impairment
 logsource:
 product: github
 service: audit
diff --git a/rules/application/github/audit/github_secret_scanning_feature_disabled.yml b/rules/application/github/audit/github_secret_scanning_feature_disabled.yml
index 248a304e4..d1a37a09c 100644
--- a/rules/application/github/audit/github_secret_scanning_feature_disabled.yml
+++ b/rules/application/github/audit/github_secret_scanning_feature_disabled.yml
@@ -8,8 +8,8 @@ author: Muhammad Faisal (@faisalusuf)
 date: 2024-03-07
 modified: 2024-07-19
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: github
 service: audit
diff --git a/rules/application/github/audit/github_self_hosted_runner_changes_detected.yml b/rules/application/github/audit/github_self_hosted_runner_changes_detected.yml
index 581325863..80276f204 100644
--- a/rules/application/github/audit/github_self_hosted_runner_changes_detected.yml
+++ b/rules/application/github/audit/github_self_hosted_runner_changes_detected.yml
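Review bot: After the retag, github_repository_archive_status_changed carries three tactic tags (`attack.persistence`, `attack.impact`, `attack.defense-impairment`) but no technique ID, so the tactic alone has to carry the ATT&CK classification. The same tactic-only outcome appears further down in aws_cloudtrail_bucket_deleted, aws_cloudtrail_vpc_flow_logs_deleted, azure_owner_removed_from_application_or_service_principal, azure_service_principal_created and azure_service_principal_removed, each of which ends with a bare `attack.stealth`. The gap predates this commit, but since these tag blocks are being rewritten for v19 anyway it is the natural moment to pair each tactic with the technique the rule is meant to detect, or to record in the rule why none applies. I cannot tell from the diff which v19 technique fits each rule, so this is a question rather than a proposed line.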
@@ -14,10 +14,10 @@ tags:
 - attack.impact
 - attack.discovery
 - attack.collection
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.initial-access
+ - attack.stealth
 - attack.t1526
 - attack.t1213.003
 - attack.t1078.004
diff --git a/rules/application/github/audit/github_ssh_certificate_config_changed.yml b/rules/application/github/audit/github_ssh_certificate_config_changed.yml
index f0ab5a824..574b30883 100644
--- a/rules/application/github/audit/github_ssh_certificate_config_changed.yml
+++ b/rules/application/github/audit/github_ssh_certificate_config_changed.yml
@@ -9,9 +9,9 @@ author: Romain Gaillard (@romain-gaillard)
 date: 2024-07-29
 tags:
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: github
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
index 5c39f9f5e..e8a46fa4a 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml
@@ -14,8 +14,8 @@ date: 2024-07-11
 tags:
 - attack.privilege-escalation
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.stealth
 - attack.t1078
 - attack.credential-access
 - attack.t1552
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
index 969e8b606..d1ae03aa9 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
@@ -12,7 +12,7 @@ references:
 author: Leo Tsaousis (@laripping)
 date: 2024-03-26
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070
 logsource:
 category: application
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
index d4b6ddde2..c226ad5d4 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
@@ -11,7 +11,7 @@ references:
 author: Leo Tsaousis (@laripping)
 date: 2024-03-26
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.005
 logsource:
 category: application
diff --git a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
index 7783bdff5..e69174dca 100644
--- a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
@@ -10,7 +10,6 @@ author: Security Onion Solutions
 date: 2024-03-08
 tags:
 - attack.initial-access
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1090
 logsource:
diff --git a/rules/application/opencanary/opencanary_ssh_login_attempt.yml b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
index 0704ee1ba..b99d27c5d 100644
--- a/rules/application/opencanary/opencanary_ssh_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
@@ -9,10 +9,10 @@ author: Security Onion Solutions
 date: 2024-03-08
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.initial-access
 - attack.lateral-movement
 - attack.persistence
+ - attack.stealth
 - attack.t1133
 - attack.t1021
 - attack.t1078
diff --git a/rules/application/opencanary/opencanary_ssh_new_connection.yml b/rules/application/opencanary/opencanary_ssh_new_connection.yml
index 34f7db373..dee346c71 100644
--- a/rules/application/opencanary/opencanary_ssh_new_connection.yml
+++ b/rules/application/opencanary/opencanary_ssh_new_connection.yml
@@ -9,10 +9,10 @@ author: Security Onion Solutions
 date: 2024-03-08
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.initial-access
 - attack.lateral-movement
 - attack.persistence
+ - attack.stealth
 - attack.t1133
 - attack.t1021
 - attack.t1078
diff --git a/rules/application/opencanary/opencanary_telnet_login_attempt.yml b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
index d9c973047..aeba9224b 100644
--- a/rules/application/opencanary/opencanary_telnet_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
@@ -10,9 +10,9 @@ date: 2024-03-08
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.command-and-control
+ - attack.stealth
 - attack.t1133
 - attack.t1078
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index 801d633ad..dc8441b4a 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -10,8 +10,8 @@ references:
 author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
- - attack.defense-evasion
 - attack.lateral-movement
+ - attack.defense-impairment
 - attack.t1112
 - attack.persistence
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_bucket_deleted.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_bucket_deleted.yml
index 99230d6e8..abe663cca 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_bucket_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_bucket_deleted.yml
@@ -10,7 +10,7 @@ references:
 author: Ivan Saakov, Nasreddine Bencherchali
 date: 2025-10-19
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
index b800b4f84..a891554e7 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml
@@ -12,9 +12,9 @@ date: 2025-10-18
 modified: 2025-10-21
 tags:
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
index 5ec6d2fd3..8c1b7a823 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
@@ -8,8 +8,8 @@ author: vitaliy0x1
 date: 2020-01-21
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
- - attack.t1562.008
+ - attack.defense-impairment
+ - attack.t1685.002
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated.yml
index 2628eac8a..2332d5659 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated.yml
@@ -21,9 +21,9 @@ references:
 author: suktech24
 date: 2025-11-27
 tags:
- - attack.defense-evasion
- - attack.t1562.001
- - attack.t1562.008
+ - attack.defense-impairment
+ - attack.t1685
+ - attack.t1685.002
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
index b08c11de6..651616510 100644
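Review bot: aws_cloudtrail_guardduty_detector_deleted_or_updated ends up tagged with both `attack.t1685` and `attack.t1685.002`, because this diff maps the old `attack.t1562.001` to the parent technique while `attack.t1562.008` gets a sub-technique. A sub-technique tag already implies its parent, so the bare `attack.t1685` adds nothing here unless v19 gives the former T1562.001 a sub-technique of its own, in which case that more specific ID is the one to carry. This is the only rule in the diff where the migration itself produces a parent-plus-sub-technique pair (aws_cloudtrail_imds_malicious_usage has `attack.t1078` next to `attack.t1078.002`, but that is untouched history). If no better sub-technique exists, the tag block reduces to `- attack.defense-impairment` / `- attack.t1685.002`.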
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml
@@ -12,9 +12,9 @@ author: jamesc-grafana
 date: 2024-07-11
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
+ - attack.stealth
 - attack.t1078
 - attack.t1078.002
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
index d917d0ac5..a98c56533 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
@@ -8,8 +8,8 @@ references:
 author: jamesc-grafana
 date: 2024-07-11
 tags:
- - attack.defense-evasion
- - attack.t1562.007
+ - attack.defense-impairment
+ - attack.t1686.001
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml
index 82be8e172..3990d720a 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml
@@ -8,8 +8,8 @@ references:
 author: jamesc-grafana
 date: 2024-07-11
 tags:
- - attack.defense-evasion
- - attack.t1562.007
+ - attack.defense-impairment
+ - attack.t1686.001
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_vpc_flow_logs_deleted.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_vpc_flow_logs_deleted.yml
index 69d813b95..263ef7539 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_vpc_flow_logs_deleted.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_vpc_flow_logs_deleted.yml
@@ -11,7 +11,7 @@ references:
 author: Ivan Saakov
 date: 2025-10-19
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: aws
 service: cloudtrail
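Review bot: aws_cloudtrail_vpc_flow_logs_deleted is retagged `attack.stealth` with no technique, while its closest siblings in this same diff, aws_cloudtrail_disable_logging and aws_config_disable_recording, both about switching off a cloud telemetry source, go to `attack.defense-impairment` plus `attack.t1685.002`. Deleting a flow-log configuration removes a telemetry source rather than hiding an artifact after the fact, so the defense-impairment mapping arguably fits this rule better than stealth: `- attack.defense-impairment` / `- attack.t1685.002`. Unless the stealth choice is deliberate, aligning the three rules keeps the cloud-logging detections under one technique, which matters for anyone pivoting across rules by ATT&CK ID.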
diff --git a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
index 7912181d0..3b9f9bded 100644
--- a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
+++ b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml
@@ -8,8 +8,8 @@ author: vitaliy0x1
 date: 2020-01-21
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
- - attack.t1562.008
+ - attack.defense-impairment
+ - attack.t1685.002
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
index e360d5d52..4c9e9d3de 100644
--- a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
+++ b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
@@ -11,7 +11,6 @@ author: Chester Le Bron (@123Le_Bron)
 date: 2024-02-26
 tags:
 - attack.lateral-movement
- - attack.defense-evasion
 - attack.t1021.007
 - attack.t1550.001
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
index b4109e543..e39265718 100644
--- a/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_delete_identity.yml
@@ -8,7 +8,7 @@ author: Janantha Marasinghe
 date: 2022-12-13
 modified: 2022-12-28
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
index b9f691ce7..67e571f59 100644
--- a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
+++ b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
@@ -9,9 +9,9 @@ references:
 author: Ivan Saakov
 date: 2024-12-19
 tags:
+ - attack.stealth
 - attack.t1078.004
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
 - attack.t1531
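Review bot: In aws_delete_saml_provider the new `attack.stealth` is inserted above `attack.t1078.004`, so the tag list now reads tactic, technique, three tactics, technique. The other hunks in this diff drop the replacement tactic in next to the surviving tactic tags, and aws_iam_s3browser_templated_s3_bucket_policy_creation shows the same interleaving (`attack.stealth` wedged between `attack.execution` and `attack.t1059.009`); it looks like the new tag is placed just before the first technique ID, which only reads cleanly when the list was already grouped. Since these blocks are being rewritten anyway, grouping tactics first and technique IDs after keeps them consistent with the rest of the ruleset; for this rule that means moving `- attack.stealth` below `- attack.persistence` and `- attack.t1078.004` down next to `- attack.t1531`.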
diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
index 18e6d4861..37d6b4f80 100644
--- a/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
@@ -9,7 +9,7 @@ author: Ivan Saakov
 date: 2024-12-19
 tags:
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml b/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml
index cfa960aa0..131a8796a 100644
--- a/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml
@@ -8,8 +8,8 @@ author: faloker
 date: 2020-02-11
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
index 3fb226e36..1adb17778 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
@@ -9,9 +9,9 @@ date: 2023-05-17
 tags:
 - attack.execution
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1059.009
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
index a634c0a3c..7d3e74e60 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
@@ -8,9 +8,9 @@ author: daniel.bohannon@permiso.io (@danielhbohannon)
 date: 2023-05-17
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.009
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
 - attack.t1078.004
diff --git a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
index 6e248f44b..e21c4f8cc 100644
--- a/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
+++ b/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
@@ -10,8 +10,8 @@ tags:
 - attack.privilege-escalation
 - attack.execution
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1059.009
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
index 97d0a15b0..638a4e8a3 100644
--- a/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_root_account_usage.yml
@@ -9,9 +9,9 @@ date: 2020-01-21
 modified: 2022-10-09
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml b/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml
index 105a7ce71..18a4316c2 100644
--- a/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml
+++ b/rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml
@@ -7,8 +7,8 @@ references:
 author: Sittikorn S
 date: 2021-06-28
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
index 36ee10fa3..2aeb19f6f 100644
--- a/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml
@@ -13,7 +13,7 @@ date: 2023-09-27
 tags:
 - attack.persistence
 - attack.credential-access
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1556
 logsource:
 product: aws
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
index cc02fccb1..88ce08bd6 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml
@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
 - attack.lateral-movement
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
index fac3dd9e9..a0dece9ed 100644
--- a/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
+++ b/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml
@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
 - attack.lateral-movement
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.t1548
 - attack.t1550
 - attack.t1550.001
diff --git a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
index 39cca9da1..e63ad3c96 100644
--- a/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
+++ b/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml
@@ -9,11 +9,11 @@ author: Austin Songer
 date: 2021-09-22
 modified: 2022-12-18
 tags:
- - attack.defense-evasion
 - attack.initial-access
 - attack.lateral-movement
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078
 - attack.t1548
 - attack.t1550
diff --git a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
index 6decf5e45..b8e4d1233 100644
--- a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
+++ b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml
@@ -11,7 +11,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 date: 2021-08-26
 modified: 2023-10-11
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1578
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml
index 992e7deff..14b249c93 100644
--- a/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml
@@ -11,7 +11,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 date: 2021-08-26
 modified: 2023-10-11
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1578.003
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
index 1c46196e5..e10007bf7 100644
--- a/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
+++ b/rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml
@@ -9,9 +9,9 @@ date: 2021-10-04
 modified: 2022-10-09
 tags:
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1098.003
 - attack.t1078
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_application_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_deleted.yml
index 40ca452bd..dce059143 100644
--- a/rules/cloud/azure/activity_logs/azure_application_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_application_deleted.yml
@@ -8,7 +8,6 @@ author: Austin Songer @austinsonger
 date: 2021-09-03
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
 - attack.impact
 - attack.t1489
 logsource:
diff --git a/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
index 308a2ddf4..e3c1712df 100644
--- a/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
@@ -9,8 +9,8 @@ date: 2021-08-08
 modified: 2022-08-23
 tags:
 - attack.impact
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.001
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
index aa4959357..c3b623b22 100644
--- a/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
@@ -9,8 +9,8 @@ date: 2021-08-08
 modified: 2022-08-23
 tags:
 - attack.impact
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.001
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
index b9e05943f..7ef1e4750 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
@@ -17,8 +17,8 @@ modified: 2022-12-18
 tags:
 - attack.privilege-escalation
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.stealth
 - attack.t1078
 - attack.credential-access
 - attack.t1552
diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
index d62ee0cd5..d66756d21 100644
--- a/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
@@ -9,9 +9,8 @@ author: Austin Songer @austinsonger
 date: 2021-07-24
 modified: 2022-08-23
 tags:
- - attack.defense-evasion
- - attack.t1562
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
index 2dcffa0b3..cd6874f8a 100644
--- a/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
+++ b/rules/cloud/azure/activity_logs/azure_mfa_disabled.yml
@@ -7,9 +7,9 @@ references:
 author: '@ionsor'
 date: 2022-02-08
 tags:
- - attack.defense-evasion
 - attack.credential-access
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1556
 logsource:
 product: azure
diff --git a/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
index 41b8038b3..1ee74d2cc 100644
--- a/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
+++ b/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
@@ -9,8 +9,8 @@ date: 2021-09-02
 modified: 2022-08-23
 tags:
 - attack.impact
- - attack.defense-evasion
- - attack.t1562.007
+ - attack.defense-impairment
+ - attack.t1686.001
 logsource:
 product: azure
 service: activitylogs
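Review bot: In the azure_kubernetes_events_deleted.yml hunk the old pair `attack.t1562` / `attack.t1562.001` is replaced by the parent-level `attack.t1685` alone, so the rule loses the sub-technique precision it had. Deleting Kubernetes events is a log-clearing action; if v19 defines a sub-technique under T1685 for that case (not verifiable from the diff), the rule should carry that sub-technique tag rather than only the parent. If no such sub-technique exists, the collapse is fine and reads cleaner than the old parent-plus-child pair.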
diff --git a/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml
index 7f2bf081c..998dbcb7c 100644
--- a/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml
+++ b/rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml
@@ -8,7 +8,7 @@ author: Austin Songer @austinsonger
 date: 2021-09-03
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_service_principal_created.yml b/rules/cloud/azure/activity_logs/azure_service_principal_created.yml
index a1827b78b..7ccaa1364 100644
--- a/rules/cloud/azure/activity_logs/azure_service_principal_created.yml
+++ b/rules/cloud/azure/activity_logs/azure_service_principal_created.yml
@@ -8,7 +8,7 @@ author: Austin Songer @austinsonger
 date: 2021-09-02
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml b/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml
index 66b134d7a..b48a8e106 100644
--- a/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/activity_logs/azure_service_principal_removed.yml
@@ -8,7 +8,7 @@ author: Austin Songer @austinsonger
 date: 2021-09-03
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
index 0b7045ff9..46de62d13 100644
--- a/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
+++ b/rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
@@ -13,8 +13,8 @@ modified: 2022-08-23
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
index 39460f6d2..805c52102 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
@@ -9,8 +9,8 @@ date: 2022-07-19
 tags:
 - attack.privilege-escalation
 - attack.credential-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1548
 - attack.t1556
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
index c77434213..e5275e03e 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
@@ -10,8 +10,8 @@ modified: 2024-05-28
 tags:
 - attack.privilege-escalation
 - attack.credential-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1548
 - attack.t1556
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
index 5b317edd4..8fa1a869b 100644
--- a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
+++ b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
@@ -8,7 +8,6 @@ author: Corissa Koopmans, '@corissalea'
 date: 2022-07-18
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.t1548
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
index a35058e30..b62839d2e 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
@@ -11,7 +11,7 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
index 5b6db360b..c4233a39e 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
@@ -10,7 +10,7 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
index e7159d27d..191862c4a 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml
@@ -8,10 +8,10 @@ references:
 author: Harjot Shah Singh, '@cyb3rjy0t'
 date: 2024-03-26
 tags:
- - attack.defense-evasion
 - attack.credential-access
 - attack.persistence
 - attack.privilege-escalation
+ - attack.defense-impairment
 - attack.t1556
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml b/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
index a1b25eac8..5705c382f 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
@@ -7,8 +7,8 @@ references:
 author: Michael Epping, '@mepples21'
 date: 2022-06-28
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.defense-impairment
 - attack.t1484
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
index 9961cff96..db1f40a66 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
@@ -9,8 +9,8 @@ date: 2022-07-28
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
index 9c21a1164..08b6765e0 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml
@@ -8,10 +8,10 @@ references:
 author: Harjot Shah Singh, '@cyb3rjy0t'
 date: 2024-03-26
 tags:
- - attack.defense-evasion
 - attack.credential-access
 - attack.persistence
 - attack.privilege-escalation
+ - attack.defense-impairment
 - attack.t1556
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
index 5923f0a10..c235a20d1 100644
--- a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
+++ b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
@@ -9,8 +9,8 @@ date: 2022-06-28
 tags:
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
index b3cda28b3..7a8353f30 100644
--- a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
@@ -8,10 +8,10 @@ author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022-06-02
 tags:
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
 - attack.credential-access
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1552
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
index ebe85c311..d0d040bab 100644
--- a/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml
@@ -10,7 +10,7 @@ author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022-06-02
 tags:
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1528
 - attack.t1078.004
 - attack.persistence
diff --git a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
index 160f1d519..efef6bbd7 100644
--- a/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
+++ b/rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml
@@ -10,9 +10,9 @@ modified: 2022-12-25
 tags:
 - attack.privilege-escalation
 - attack.credential-access
+ - attack.defense-impairment
 - attack.t1556
 - attack.persistence
- - attack.defense-evasion
 - attack.t1098
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_federation_modified.yml b/rules/cloud/azure/audit_logs/azure_federation_modified.yml
index 56a43c15f..bb5b4b700 100644
--- a/rules/cloud/azure/audit_logs/azure_federation_modified.yml
+++ b/rules/cloud/azure/audit_logs/azure_federation_modified.yml
@@ -10,8 +10,8 @@ modified: 2022-06-08
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
index de4f5edb2..2f2d6e4b1 100644
--- a/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
+++ b/rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml
@@ -9,8 +9,8 @@ date: 2022-08-04
 tags:
 - attack.privilege-escalation
 - attack.credential-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1548
 - attack.t1556
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
index c465c2dbf..00238c372 100644
--- a/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
+++ b/rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml
@@ -9,8 +9,8 @@ date: 2022-08-04
 tags:
 - attack.privilege-escalation
 - attack.credential-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1548
 - attack.t1556
 logsource:
diff --git a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
index 8e4fd8cd8..08b4e62b2 100644
--- a/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
+++ b/rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
@@ -10,7 +10,7 @@ tags:
 - attack.privilege-escalation
 - attack.initial-access
 - attack.persistence
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
index 566a0e046..c2f95b1a0 100644
--- a/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
+++ b/rules/cloud/azure/audit_logs/azure_guest_to_member.yml
@@ -8,9 +8,9 @@ author: MikeDuddington, '@dudders1'
 date: 2022-06-30
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
index 8e28844a8..0019cbfcf 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml
@@ -9,8 +9,8 @@ date: 2022-08-09
 tags:
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
index 07f90274a..f59f332cc 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml
@@ -8,9 +8,9 @@ author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-09
 tags:
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
index 2a9112147..7b3868979 100644
--- a/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
+++ b/rules/cloud/azure/audit_logs/azure_pim_change_settings.yml
@@ -8,9 +8,9 @@ author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 date: 2022-08-09
 tags:
 - attack.initial-access
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.persistence
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
index 81f13baf2..38155d784 100644
--- a/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
+++ b/rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml
@@ -10,7 +10,7 @@ tags:
 - attack.persistence
 - attack.initial-access
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
index 7172839fe..f6ac48a98 100644
--- a/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
+++ b/rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml
@@ -9,9 +9,9 @@ date: 2022-08-11
 modified: 2022-08-16
 tags:
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
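Review bot: azure_pim_alerts_disabled.yml is retagged `attack.stealth` at the start of this line, yet what the rule's name says it detects, switching off PIM alerting, is the impairment of a defensive control rather than evasion, which is exactly the distinction the rest of this series draws (compare `attack.defense-impairment` on the MFA-disabled and conditional-access-policy hunks). The tactic appears to follow the pre-existing `attack.t1078` technique tag, so the mismatch is inherited rather than introduced, but a v19 retagging pass is the natural point to reconsider whether that rule should carry an impair-defenses technique with `attack.defense-impairment` instead. That hunk's file header sits at the end of the previous line.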
diff --git a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
index 601cbd3cb..cc778b1e6 100644
--- a/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
+++ b/rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml
@@ -13,8 +13,8 @@ modified: 2022-12-25
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_tap_added.yml b/rules/cloud/azure/audit_logs/azure_tap_added.yml
index acfb3c073..535815be4 100644
--- a/rules/cloud/azure/audit_logs/azure_tap_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_tap_added.yml
@@ -9,8 +9,8 @@ date: 2022-08-10
 tags:
 - attack.privilege-escalation
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/audit_logs/azure_user_password_change.yml b/rules/cloud/azure/audit_logs/azure_user_password_change.yml
index ce6fb841a..e7b6c9092 100644
--- a/rules/cloud/azure/audit_logs/azure_user_password_change.yml
+++ b/rules/cloud/azure/audit_logs/azure_user_password_change.yml
@@ -9,9 +9,9 @@ date: 2022-08-03
 tags:
 - attack.privilege-escalation
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
 - attack.credential-access
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
index e4e45b83f..9cf0a1768 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
@@ -8,9 +8,9 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-03
 tags:
+ - attack.stealth
 - attack.t1078
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
 logsource:
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
index 43a9039f3..0b5db87d8 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
@@ -8,9 +8,9 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-03
 tags:
+ - attack.stealth
 - attack.t1078
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
 logsource:
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
index 97ca81fa4..8c44a3d48 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
@@ -8,9 +8,9 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-03
 tags:
+ - attack.stealth
 - attack.t1078
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
 logsource:
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
index 9969d55f7..a10cb5110 100644
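Review bot: In the three identity-protection hunks on this line, and again in the hunks on the next two lines and in the device-code and ROPC hunks near the end, `attack.stealth` is inserted at the head of the tag list ahead of `attack.t1078`, while the tactic it replaces sat between `attack.persistence` and `attack.privilege-escalation`; every other hunk in this series substitutes in place. Writing the replacement where `attack.defense-evasion` was keeps the tactic group together and turns a two-line move into a one-line swap, i.e. `- attack.stealth` in the slot the removed line occupied. Purely a consistency point; the resulting tag set is the same either way.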
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
@@ -8,8 +8,8 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-03
 tags:
+ - attack.stealth
 - attack.t1140
- - attack.defense-evasion
 logsource:
 product: azure
 service: riskdetection
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
index 4e6c6bc87..15d871a5f 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
@@ -8,9 +8,9 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-03
 tags:
+ - attack.stealth
 - attack.t1078
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
 logsource:
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
index 7f1ba0cb1..72f454f18 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
@@ -8,9 +8,9 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-03
 tags:
+ - attack.stealth
 - attack.t1078
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
 logsource:
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml
index f8d49a138..1f508729b 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml
@@ -9,9 +9,9 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-07
 tags:
+ - attack.stealth
 - attack.t1078
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
 logsource:
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
index d4f00afca..28f98a193 100644
--- a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
@@ -8,9 +8,9 @@ references:
 author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-03
 tags:
+ - attack.stealth
 - attack.t1078
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
 logsource:
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
index b17c8eb21..138f52656 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
@@ -8,7 +8,7 @@ author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
index c883a0995..0b7ea0576 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml
@@ -8,7 +8,7 @@ author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
index abf5b40ea..13b29cc90 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml
@@ -8,7 +8,7 @@ author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
index 023c7f534..25af1fea3 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml
@@ -8,7 +8,7 @@ author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
index 3832dc4fd..c0a6a61a4 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml
@@ -8,7 +8,7 @@ author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
index 66703cb1d..a13e8f19a 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml
@@ -8,7 +8,7 @@ author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
index e0882458c..2cd9c4df6 100644
--- a/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
+++ b/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml
@@ -8,7 +8,7 @@ author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 date: 2023-09-14
 tags:
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 - attack.persistence
 - attack.privilege-escalation
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
index 2912d87b1..5b439849b 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
@@ -10,7 +10,7 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
index 0d3fcd8da..17b2feb0c 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml
@@ -11,7 +11,7 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
index 08cadadcb..0c01686a6 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
@@ -9,8 +9,8 @@ date: 2022-07-28
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
index bb4e75667..866819206 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
@@ -9,9 +9,9 @@ date: 2022-07-28
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
index f7c248152..f086b8ce2 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml
@@ -10,7 +10,7 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
index 1169640e3..77a349042 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml
@@ -9,9 +9,9 @@ date: 2022-07-28
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
index b3a615aa8..10ea89947 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml
@@ -9,9 +9,10 @@ date: 2022-07-27
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1078.004
 - attack.t1556.006
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
index 00434abe6..19192b800 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
@@ -11,7 +11,7 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
index 526c1345c..74fea0dee 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -10,7 +10,7 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
index 5f02ec3fc..07b780ba9 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml
@@ -11,7 +11,7 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
index 80e68e1a8..f7f6692f0 100644
--- a/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
+++ b/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml
@@ -10,9 +10,9 @@ date: 2023-03-20
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml b/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml
index 7341517eb..a94240699 100644
--- a/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml
+++ b/rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml
@@ -10,8 +10,8 @@ references:
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022-06-01
 tags:
+ - attack.stealth
 - attack.t1078
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.initial-access
diff --git a/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml b/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml
index a7430a81f..ef2a31e58 100644
--- a/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml
+++ b/rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml
@@ -9,8 +9,8 @@ references:
 author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 date: 2022-06-01
 tags:
+ - attack.stealth
 - attack.t1078
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.initial-access
diff --git a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
index c2efa92c3..a2a9babc3 100644
--- a/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
+++ b/rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml
@@ -9,8 +9,8 @@ date: 2022-06-17
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
index 8321c18b9..fe62a2999 100644
--- a/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
+++ b/rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml
@@ -9,9 +9,9 @@ date: 2022-06-01
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
 - attack.t1110
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
index 8219a0e4a..25bbda769 100644
--- a/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
+++ b/rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml
@@ -9,9 +9,9 @@ date: 2022-06-17
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
 - attack.t1078.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
index ad08b7a46..4cf73efe3 100644
--- a/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
+++ b/rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml
@@ -10,8 +10,8 @@ modified: 2022-12-25
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
index 347691299..d01a9e163 100644
--- a/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
+++ b/rules/cloud/azure/signin_logs/azure_mfa_denies.yml
@@ -9,9 +9,9 @@ date: 2022-03-24
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
 - attack.t1078.004
 - attack.t1110
 - attack.t1621
diff --git a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
index 673f50032..058551f36 100644
--- a/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
+++ b/rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml
@@ -10,9 +10,9 @@ modified: 2022-12-18
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
 - attack.t1078.004
 - attack.t1110
 - attack.t1621
diff --git a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
index 3833ad043..df9206504 100644
--- a/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
+++ b/rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml
@@ -10,8 +10,8 @@ modified: 2022-12-18
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078
 logsource:
 product: azure
diff --git a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
index 56441bfe2..ac331aeac 100644
--- a/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
+++ b/rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml
@@ -12,9 +12,9 @@ modified: 2022-12-25
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.credential-access
 - attack.initial-access
+ - attack.stealth
 - attack.t1110
 - attack.t1078.004
 logsource:
diff --git a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
index 4afdee73f..9227b0961 100644
--- a/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
+++ b/rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml
@@ -9,8 +9,8 @@ date: 2022-06-30
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: azure
diff --git a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
index 97322b641..57fc8020c 100644
--- a/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
+++ b/rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml
@@ -9,7 +9,6 @@ author: Bryan Lim
 date: 2024-01-12
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.t1548
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml b/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml
index 67178b20f..77c16b1cd 100644
--- a/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml
@@ -9,8 +9,8 @@ author: Austin Songer @austinsonger
 date: 2021-08-13
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: gcp
 service: gcp.audit
diff --git a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
index 4b952588a..d39b9e0e3 100644
--- a/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
+++ b/rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml
@@ -16,8 +16,8 @@ modified: 2022-12-18
 tags:
 - attack.privilege-escalation
 - attack.initial-access
- - attack.defense-evasion
 - attack.persistence
+ - attack.stealth
 - attack.t1078
 - attack.credential-access
 - attack.t1552
diff --git a/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_govattack.yml b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_govattack.yml
index 814eb03db..b4dcedd10 100644
--- a/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_govattack.yml
+++ b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_govattack.yml
@@ -10,10 +10,10 @@ author: Tom Kluter
 date: 2026-04-28
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.persistence
 - attack.initial-access
 - attack.impact
+ - attack.stealth
 - attack.t1078
 logsource:
 product: gcp
diff --git a/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml
index 9aeec57ea..8b8685a82 100644
--- a/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml
+++ b/rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml
@@ -13,8 +13,8 @@ date: 2026-04-28
 tags:
 - attack.initial-access
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.persistence
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: gcp
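Review bot: The GCP firewall rule carries the old parent `attack.t1562` over to `attack.t1685`, while every system-firewall rule touched by this commit (`lnx_auditd_bpfdoor_port_redirect`, `lnx_auditd_modify_system_firewall`, `lnx_auditd_disable_system_firewall`, `lnx_syslog_security_tools_disabling_syslog`) maps `t1562.004` to `attack.t1686`, so firewall tampering now lands under two different v19 techniques depending on whether it is cloud or host. Worth confirming which v19 technique a cloud-firewall modification belongs under rather than inheriting the parent's mapping, as the split makes ATT&CK coverage reports inconsistent for the same behaviour. None of the hunks that change a technique ID bump the rule's `modified` date; if the project treats a technique re-mapping as a rule change, each of these rules should also get `modified: <commit date>`.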
diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
index 1c79ddd38..60e8886fa 100644
--- a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
+++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
@@ -12,7 +12,7 @@ tags:
 - attack.privilege-escalation
 - attack.persistence
 - attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 logsource:
 service: audit
diff --git a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
index 6e4babb4b..d67f1e4e4 100644
--- a/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
+++ b/rules/cloud/m365/audit/microsoft365_disabling_mfa.yml
@@ -8,8 +8,8 @@ author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (si
 date: 2023-09-18
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.credential-access
+ - attack.defense-impairment
 - attack.t1556.006
 logsource:
 service: audit
diff --git a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
index 0ce479769..9f5821c02 100644
--- a/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
+++ b/rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml
@@ -11,8 +11,8 @@ references:
 author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
 date: 2023-09-18
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.defense-impairment
 - attack.t1484.002
 logsource:
 service: audit
diff --git a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
index 4a67a1230..d71bd6c16 100644
--- a/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml
@@ -11,8 +11,8 @@ modified: 2021-11-27
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078
 logsource:
 service: threat_management
diff --git a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
index d58a715ac..c6901f2da 100644
--- a/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
+++ b/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
@@ -11,8 +11,8 @@ modified: 2022-10-09
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078
 logsource:
 service: threat_management
diff --git a/rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml b/rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml
index 7a8d9aac7..9d870bd5b 100644
--- a/rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml
+++ b/rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml
@@ -11,8 +11,8 @@ author: Nikita Khalimonenkov
 date: 2024-04-17
 tags:
 - attack.credential-access
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 logsource:
 product: cisco
 service: duo
diff --git a/rules/identity/okta/okta_mfa_reset_or_deactivated.yml b/rules/identity/okta/okta_mfa_reset_or_deactivated.yml
index ac9417ac8..dfc41b94b 100644
--- a/rules/identity/okta/okta_mfa_reset_or_deactivated.yml
+++ b/rules/identity/okta/okta_mfa_reset_or_deactivated.yml
@@ -11,7 +11,7 @@ modified: 2026-04-27
 tags:
 - attack.persistence
 - attack.credential-access
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1556.006
 logsource:
 product: okta
diff --git a/rules/identity/okta/okta_new_behaviours_admin_console.yml b/rules/identity/okta/okta_new_behaviours_admin_console.yml
index f9e35c486..445e70b41 100644
--- a/rules/identity/okta/okta_new_behaviours_admin_console.yml
+++ b/rules/identity/okta/okta_new_behaviours_admin_console.yml
@@ -11,8 +11,8 @@ modified: 2026-04-27
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.004
 logsource:
 product: okta
diff --git a/rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml b/rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml
index bdc2b7a4b..f21a1569b 100644
--- a/rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml
+++ b/rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml
@@ -9,8 +9,8 @@ author: kelnage
 date: 2023-09-07
 modified: 2026-04-27
 tags:
- - attack.defense-evasion
- - attack.t1562.006
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: okta
 service: okta
diff --git a/rules/linux/auditd/execve/lnx_auditd_binary_padding.yml b/rules/linux/auditd/execve/lnx_auditd_binary_padding.yml
index b8309f04f..cb4aa4e6e 100644
--- a/rules/linux/auditd/execve/lnx_auditd_binary_padding.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_binary_padding.yml
@@ -10,7 +10,7 @@ author: Igor Fits, oscd.community
 date: 2020-10-13
 modified: 2023-05-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml b/rules/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml
index 20d3adf0b..82558bd41 100644
--- a/rules/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml
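Review bot: In the `okta_user_session_start_via_anonymised_proxy` hunk the sub-technique `attack.t1562.006` is collapsed to the parent `attack.t1685`, and the same happens in `lnx_auditd_auditing_config_change` and `lnx_auditd_logging_config_change`, whereas `lnx_auditd_clean_disable_dmesg_logs_via_syslog` keeps sub-technique precision with `attack.t1685.006`. The old tag distinguished indicator blocking from the broader "impair defenses" family, and that distinction is what downstream ATT&CK navigator and coverage tooling keys on. If v19 defines a sub-technique under T1685 that covers indicator blocking or log-source tampering, the three rules should cite it instead of the parent; if it does not, a short note in the PR description saying the sub-technique was retired would save the next reviewer the same question.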
@@ -10,8 +10,8 @@ references:
 author: Rafal Piasecki
 date: 2022-08-10
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/execve/lnx_auditd_capabilities_discovery.yml b/rules/linux/auditd/execve/lnx_auditd_capabilities_discovery.yml
index caa106743..f6b76ba1d 100644
--- a/rules/linux/auditd/execve/lnx_auditd_capabilities_discovery.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_capabilities_discovery.yml
@@ -12,7 +12,6 @@ date: 2021-11-28
 modified: 2022-12-25
 tags:
 - attack.discovery
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1083
 - attack.t1548
diff --git a/rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml b/rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml
index 6cfcea06b..673dc3ff7 100644
--- a/rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml
@@ -8,7 +8,7 @@ author: 'Igor Fits, oscd.community'
 date: 2020-10-15
 modified: 2022-11-28
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/execve/lnx_auditd_chattr_immutable_removal.yml b/rules/linux/auditd/execve/lnx_auditd_chattr_immutable_removal.yml
index 4ca7d8d20..ed1957f11 100644
--- a/rules/linux/auditd/execve/lnx_auditd_chattr_immutable_removal.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_chattr_immutable_removal.yml
@@ -8,7 +8,7 @@ author: Jakob Weinzettl, oscd.community
 date: 2019-09-23
 modified: 2022-11-26
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml b/rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml
index b6a6f107c..596d0e03d 100644
--- a/rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml
@@ -8,7 +8,7 @@ author: Jakob Weinzettl, oscd.community
 date: 2019-09-23
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml b/rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml
index e5d821465..c68eb4dfc 100644
--- a/rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml
@@ -8,7 +8,7 @@ author: 'Pawel Mazur'
 date: 2021-09-06
 modified: 2025-06-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/execve/lnx_auditd_hidden_zip_files_steganography.yml b/rules/linux/auditd/execve/lnx_auditd_hidden_zip_files_steganography.yml
index 54699ee35..ea6f7bb12 100644
--- a/rules/linux/auditd/execve/lnx_auditd_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_hidden_zip_files_steganography.yml
@@ -8,7 +8,7 @@ author: 'Pawel Mazur'
 date: 2021-09-09
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml
index 2f3378f77..2d3257448 100644
--- a/rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml
@@ -10,7 +10,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2019-10-21
 modified: 2023-08-22
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml b/rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml
index fc41df784..1fe878bb5 100644
--- a/rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml
@@ -15,8 +15,8 @@ author: IAI
 date: 2023-03-06
 modified: 2025-10-12
 tags:
- - attack.t1562.004
- - attack.defense-evasion
+ - attack.defense-impairment
+ - attack.t1686
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml b/rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml
index ff5ed5d24..1eeeca3d2 100644
--- a/rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml
@@ -8,7 +8,7 @@ author: 'Pawel Mazur'
 date: 2021-09-11
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/execve/lnx_auditd_steghide_extract_steganography.yml b/rules/linux/auditd/execve/lnx_auditd_steghide_extract_steganography.yml
index e9d6cf6d2..539d51f58 100644
--- a/rules/linux/auditd/execve/lnx_auditd_steghide_extract_steganography.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_steghide_extract_steganography.yml
@@ -8,7 +8,7 @@ author: 'Pawel Mazur'
 date: 2021-09-11
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/execve/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/execve/lnx_auditd_unzip_hidden_zip_files_steganography.yml
index 2f053b55a..76fb2cfda 100644
--- a/rules/linux/auditd/execve/lnx_auditd_unzip_hidden_zip_files_steganography.yml
+++ b/rules/linux/auditd/execve/lnx_auditd_unzip_hidden_zip_files_steganography.yml
@@ -8,7 +8,7 @@ author: 'Pawel Mazur'
 date: 2021-09-09
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.003
 logsource:
 product: linux
diff --git a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
index 2f63aa8a1..225013495 100644
--- a/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
+++ b/rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
@@ -18,8 +18,9 @@ date: 2025-05-26
 modified: 2025-12-05
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.stealth
+ - attack.defense-impairment
+ - attack.t1685
 - attack.t1055.009
 logsource:
 product: linux
diff --git a/rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml
index f49e1071c..74a26bac2 100644
--- a/rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml
+++ b/rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml
@@ -9,8 +9,8 @@ author: Mikhail Larin, oscd.community
 date: 2019-10-25
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
- - attack.t1562.006
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml b/rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml
index 8e3c766e0..1d39161cc 100644
--- a/rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml
+++ b/rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml
@@ -12,7 +12,8 @@ date: 2022-12-30
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1574.001
 logsource:
 product: linux
diff --git a/rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml
index fc2ae8ece..56e0648f1 100644
--- a/rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml
+++ b/rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml
@@ -11,7 +11,8 @@ modified: 2021-11-27
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1574.006
 logsource:
 product: linux
diff --git a/rules/linux/auditd/path/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/path/lnx_auditd_logging_config_change.yml
index b7fb71d2a..7bd67fa7f 100644
--- a/rules/linux/auditd/path/lnx_auditd_logging_config_change.yml
+++ b/rules/linux/auditd/path/lnx_auditd_logging_config_change.yml
@@ -8,8 +8,8 @@ author: Mikhail Larin, oscd.community
 date: 2019-10-25
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
- - attack.t1562.006
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml b/rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml
index 85f985e30..a1663dad2 100644
--- a/rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml
+++ b/rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml
@@ -8,8 +8,8 @@ references:
 author: 'Pawel Mazur'
 date: 2022-01-22
 tags:
- - attack.t1562.004
- - attack.defense-evasion
+ - attack.defense-impairment
+ - attack.t1686
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml b/rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
index 2af4b1f67..9bc29ae98 100644
--- a/rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
+++ b/rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml
@@ -13,8 +13,8 @@ author: Milad Cheraghi
 date: 2025-05-27
 modified: 2025-12-05
 tags:
- - attack.defense-evasion
- - attack.t1070.002
+ - attack.defense-impairment
+ - attack.t1685.006
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/builtin/lnx_ldso_preload_injection.yml b/rules/linux/builtin/lnx_ldso_preload_injection.yml
index f40de8728..6f0f2177a 100644
--- a/rules/linux/builtin/lnx_ldso_preload_injection.yml
+++ b/rules/linux/builtin/lnx_ldso_preload_injection.yml
@@ -8,9 +8,10 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-05-05
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
 - attack.t1574.006
 logsource:
 product: linux
diff --git a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
index 00fa9e19a..adaad0bcc 100644
--- a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
+++ b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
@@ -9,7 +9,7 @@ author: Red Canary (idea), Nasreddine Bencherchali
 date: 2023-01-25
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: linux
 detection:
diff --git a/rules/linux/builtin/lnx_shell_clear_cmd_history.yml b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
index 72009ad14..c473aee0e 100644
--- a/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
+++ b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
@@ -12,15 +12,8 @@ author: Patrick Bareiss
 date: 2019-03-24
 modified: 2024-04-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.003
-# Example config for this one (place it in .bash_profile):
-# (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) &
-# It monitors the size of .bash_history and log the words "empty_bash_history" whenever a previously not empty bash_history becomes empty
-# We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example)
-# It has two advantages over the version suggested by Patrick Bareiss :
-# - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities !
-# - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected
 logsource:
 product: linux
 detection:
diff --git a/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml b/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
index 76ec9b5b5..38fb7badc 100644
--- a/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
+++ b/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml
@@ -11,8 +11,8 @@ author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020-06-17
 modified: 2022-11-26
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686
 logsource:
 product: linux
 service: syslog
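Review bot: The seven comment lines removed after `- attack.t1070.003` in `lnx_shell_clear_cmd_history.yml` hold a defensive recommendation (an inotifywait-based watch that logs whenever `.bash_history` becomes empty, and why that is more robust than matching specific clearing commands) that has nothing to do with the ATT&CK v19 tag update; every other hunk in this diff touches only `tags`, so this deletion is out of scope and silently drops guidance a detection engineer may be relying on. If the goal is to keep rule files free of prose, move that note into the rule's `description` or `references` (or the repository documentation) rather than discarding it, or split the cleanup into its own commit so it can be judged on its own merits. At minimum the PR description should mention the removal so it is not mistaken for part of the mechanical re-tagging.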
diff --git a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
index a4f7365e4..f92735f30 100644
--- a/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
+++ b/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml
@@ -9,7 +9,6 @@ author: Sittikorn S, Teoderick Contreras
 date: 2022-01-20
 modified: 2022-12-31
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
index cd8cba5aa..661be8fd4 100644
--- a/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
+++ b/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml
@@ -13,7 +13,6 @@ modified: 2026-03-18
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.t1548.003
 logsource:
 product: linux
diff --git a/rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml b/rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml
index 679b14980..89805db3c 100644
--- a/rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml
+++ b/rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml
@@ -10,8 +10,8 @@ author: '@kostastsale'
 date: 2025-11-22
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.004
- - attack.defense-evasion
 - attack.t1027
 logsource:
 product: linux
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
index 426c2a1f0..e8924016f 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-05
 modified: 2022-12-31
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: linux
 category: file_event
diff --git a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
index 456375856..dbe96d6b2 100644
--- a/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
+++ b/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml
@@ -11,9 +11,7 @@ tags:
 - attack.privilege-escalation
 - attack.execution
 - attack.persistence
- - attack.defense-evasion
 - attack.t1053.003
-
 logsource:
 product: linux
 category: file_event
diff --git a/rules/linux/process_creation/proc_creation_lnx_auditctl_clear_rules.yml b/rules/linux/process_creation/proc_creation_lnx_auditctl_clear_rules.yml
index d54c30732..dbe01c1fe 100644
--- a/rules/linux/process_creation/proc_creation_lnx_auditctl_clear_rules.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_auditctl_clear_rules.yml
@@ -11,8 +11,8 @@ references:
 author: Mohamed LAKRI
 date: 2025-10-17
 tags:
- - attack.defense-evasion
- - attack.t1562.012
+ - attack.defense-impairment
+ - attack.t1685.004
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml b/rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml
index 1d026e9a2..067a63a2e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml
@@ -10,8 +10,8 @@ author: Milad Cheraghi
 date: 2025-10-18
 tags:
 - attack.execution
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
index 11b1943f6..1b3d69065 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml
@@ -8,7 +8,7 @@ author: Daniil Yugoslavskiy, oscd.community
 date: 2020-10-19
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
index 71af7da3b..c72c39174 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
@@ -9,7 +9,7 @@ author: pH-T (Nextron Systems)
 date: 2022-07-26
 modified: 2023-06-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
index 35be59a78..4c4ce411d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml
@@ -8,7 +8,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
index 8c1535caf..712e18c83 100644
--- a/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-25
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml b/rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml
index 028af5e7a..fb9473131 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml
@@ -13,7 +13,6 @@ author: Luc Génaux
 date: 2026-01-24
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1554
diff --git a/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml b/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml
index 753668d95..535fa6ebe 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml
@@ -13,7 +13,6 @@ author: Luc Génaux
 date: 2026-01-24
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.persistence
 - attack.t1548
 - attack.t1554
diff --git a/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
index 41186cae0..dfda868de 100644
--- a/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml
@@ -10,7 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-15
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml b/rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml
index e546b8b02..d8cf7d478 100644
--- a/rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml
@@ -11,7 +11,7 @@ author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2022-06-03
 modified: 2026-03-18
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1222.002
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
index 6eb667775..f27d1e1bf 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml
@@ -10,8 +10,8 @@ author: Ömer Günal, oscd.community
 date: 2020-10-07
 modified: 2026-03-18
 tags:
- - attack.defense-evasion
- - attack.t1070.002
+ - attack.defense-impairment
+ - attack.t1685.006
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
index e058aaead..420a5a713 100644
--- a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml
@@ -10,8 +10,8 @@ author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Ope
 date: 2021-10-15
 modified: 2025-10-15
 tags:
- - attack.defense-evasion
- - attack.t1070.002
+ - attack.defense-impairment
+ - attack.t1685.006
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
index 1b9559e50..07c844e3e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml
@@ -9,7 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
index 2dab16776..178abf47c 100644
--- a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
@@ -9,7 +9,7 @@ author: Joseph Kamau
 date: 2023-12-01
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1055.009
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
index 8cf9eb0f2..1e66fcc7e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
@@ -8,8 +8,8 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-01-18
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
index 9b786a75a..900d56296 100644
--- a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml
@@ -8,7 +8,6 @@ references:
 author: Sittikorn S, Teoderick Contreras
 date: 2022-01-20
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
index d17a3a715..05f5ba836 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
@@ -8,10 +8,10 @@ references:
 author: Cedric Maurugeon
 date: 2023-09-04
 tags:
- - attack.defense-evasion
 - attack.execution
- - attack.t1562.001
- - attack.t1562.003
+ - attack.defense-impairment
+ - attack.t1685
+ - attack.t1690
 - attack.t1059.012
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
index 6f3a01262..4f80c1d9f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml
@@ -8,7 +8,7 @@ author: Ömer Günal, oscd.community
 date: 2020-10-07
 modified: 2022-09-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.004
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml b/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
index 8e7bdba0b..14412b982 100644
--- a/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml
@@ -8,7 +8,7 @@ author: Ömer Günal, oscd.community
 date: 2020-10-05
 modified: 2022-07-07
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.004
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml
index dd622af8e..6b10b089f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-03
 modified: 2026-01-01
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.004
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
index d4524534f..1692d1d4b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml
@@ -9,8 +9,8 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-01-18
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686
 logsource:
 product: linux
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
index dde662dd8..1c54fd72a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml
@@ -10,7 +10,7 @@ author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-01-12
 tags:
 - attack.credential-access
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml b/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
index 4fc105c4b..03cc352a7 100644
--- a/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml
@@ -6,7 +6,6 @@ author: Ömer Günal
 date: 2020-06-17
 modified: 2022-10-05
 tags:
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1090
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml b/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml
index 3b8ab758b..9ab1fdc3f 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml
@@ -15,8 +15,8 @@ author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2026-03-09
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.006
- - attack.defense-evasion
 - attack.t1027.010
 logsource:
 category: process_creation
diff --git a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
index 5dd05a157..623972981 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remove_package.yml
@@ -10,7 +10,7 @@ references:
 author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
index 8e5539100..ebd91a4fc 100644
--- a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
@@ -8,8 +8,8 @@ author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020-06-17
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
index 27f84ad35..5c948996b 100644
--- a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
@@ -10,8 +10,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-15
 modified: 2025-03-18
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 - attack.impact
 - attack.t1489
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
index d9e77b3db..723a15990 100644
--- a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
@@ -8,7 +8,6 @@ author: Ömer Günal
 date: 2020-06-16
 modified: 2022-10-05
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
 - attack.t1548.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
index deef30016..dd6c422ea 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
@@ -11,7 +11,7 @@ author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-06-02
 modified: 2025-08-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
index f7314d15c..720b66fae 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-03-14
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1059.004
 - attack.t1036
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
index 558728a33..a687fadbf 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-03-14
 modified: 2022-07-26
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
index b3ed4dc1b..c8e330d9a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml
@@ -8,7 +8,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-01-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.006
 logsource:
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
index cbf357168..52a0a98de 100644
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
@@ -7,8 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-05
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
index 40b2fc6dc..b5aacae54 100644
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1014
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
index 7c0cd7b35..0f911b3c2 100644
--- a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
+++ b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
@@ -8,7 +8,7 @@ author: Daniil Yugoslavskiy, oscd.community
 date: 2020-10-19
 modified: 2022-11-26
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
index 6e3aa15f9..f132e6f79 100644
--- a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
+++ b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
@@ -10,7 +10,7 @@ author: 'Igor Fits, Mikhail Larin, oscd.community'
 date: 2020-10-19
 modified: 2023-02-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.001
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
index ceb3df825..feda553ed 100644
--- a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
+++ b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
@@ -8,7 +8,7 @@ author: Igor Fits, Mikhail Larin, oscd.community
 date: 2020-10-19
 modified: 2022-01-12
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.006
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml b/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml
index aab62144f..075fad3c9 100644
--- a/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml
+++ b/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml
@@ -12,9 +12,9 @@ references:
 author: Omar Khaled (@beacon_exe)
 date: 2024-08-21
 tags:
- - attack.defense-evasion
 - attack.credential-access
 - attack.command-and-control
+ - attack.stealth
 - attack.t1218
 - attack.t1564.004
 - attack.t1552.001
diff --git a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml
index 121e3a8f9..fd149d79d 100644
--- a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml
+++ b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml
@@ -8,8 +8,8 @@ author: remotephone, oscd.community
 date: 2020-10-11
 modified: 2022-09-16
 tags:
- - attack.defense-evasion
- - attack.t1070.002
+ - attack.defense-impairment
+ - attack.t1685.006
 logsource:
 product: macos
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml b/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml
index 1b87357e6..31f1e0c90 100644
--- a/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml
@@ -8,7 +8,7 @@ author: Daniil Yugoslavskiy, oscd.community
 date: 2020-10-10
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.002
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml b/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml
index 651aaac82..79ea9a318 100644
--- a/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml
+++ b/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml
@@ -8,8 +8,8 @@ author: Daniil Yugoslavskiy, oscd.community
 date: 2020-10-19
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
index d97f66fa3..147f95b56 100644
--- a/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml
@@ -12,9 +12,9 @@ author: Sohan G (D4rkCiph3r)
 date: 2023-03-19
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
index 0ef190f50..ddf2d3d4c 100644
--- a/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml
@@ -9,9 +9,9 @@ author: Sohan G (D4rkCiph3r)
 date: 2023-08-22
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
index cea9afe80..53c8445bd 100644
--- a/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml
@@ -10,7 +10,7 @@ author: Sohan G (D4rkCiph3r)
 date: 2023-08-22
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1078
 - attack.t1078.001
 - attack.t1078.003
diff --git a/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml b/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
index 59b841f62..4e4393be0 100644
--- a/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
+++ b/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
@@ -9,7 +9,6 @@ references:
 author: Daniel Cortez
 date: 2024-06-04
 tags:
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1105
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml b/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml
index 87eda5e0b..d0abf2394 100644
--- a/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml
+++ b/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml
@@ -7,11 +7,11 @@ references:
 author: Tim Rauch (rule), Elastic (idea)
 date: 2022-10-17
 tags:
+ - attack.stealth
 - attack.t1059
 - attack.t1204
 - attack.execution
 - attack.t1140
- - attack.defense-evasion
 - attack.s0482
 - attack.s0402
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml
index e39657517..54fcdb4c5 100644
--- a/rules/macos/process_creation/proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml
@@ -19,7 +19,7 @@ author: Norbert Jaśniewicz (AlphaSOC)
 date: 2025-05-19
 tags:
 - attack.command-and-control
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1219.002
 - attack.t1036.003
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
index 781e0f0ac..e105779b0 100644
--- a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
+++ b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml
@@ -8,7 +8,7 @@ author: remotephone
 date: 2021-11-20
 modified: 2023-01-04
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.006
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
index 5f031bcb9..546e48554 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
@@ -12,6 +12,7 @@ logsource:
 category: process_creation
 product: macos
 tags:
+ - attack.defense-impairment
 - attack.t1566
 - attack.t1566.002
 - attack.initial-access
@@ -22,7 +23,6 @@ tags:
 - attack.execution
 - attack.persistence
 - attack.t1553
- - attack.defense-evasion
 detection:
 selection_parent:
 ParentImage|endswith: '/Script Editor'
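Review bot: In proc_creation_macos_susp_execution_macos_script_editor.yml the replacement tag `attack.defense-impairment` is inserted at the head of `tags:` directly above `attack.t1566`, so the new tactic sits among technique IDs, whereas the other hunks in this diff (execve_hijack, dscl/dseditgroup/sysadminctl add-to-admin-group) place the replacement next to the existing tactic tags. Putting it beside `attack.initial-access`, or regrouping the list as tactics first then techniques, would keep the `tags:` layout consistent with the rest of the rule set. This file is also the only one in the diff whose `tags:` block follows `logsource:`; a small follow-up to normalise the field order would make future bulk tag migrations easier to review. The `tags:` list spans the two hunks, so part of it is outside the visible context.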
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
index f78c22dc8..14859deca 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml
@@ -12,9 +12,9 @@ author: Sohan G (D4rkCiph3r)
 date: 2023-03-19
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078.003
 logsource:
 category: process_creation
diff --git a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
index 1545bd73a..011c853a4 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml
@@ -9,8 +9,8 @@ date: 2023-02-18
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
+ - attack.stealth
 - attack.t1078
 - attack.t1078.001
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml b/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
index ed710943f..0b936cb72 100644
--- a/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
@@ -15,7 +15,7 @@ references:
 author: Pratinav Chandra
 date: 2024-05-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1497.001
 - attack.discovery
 - attack.t1082
diff --git a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml
index 96407361e..303c4d12b 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml
@@ -15,7 +15,7 @@ author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
 date: 2024-01-02
 tags:
 - attack.discovery
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1082
 - attack.t1497.001
 logsource:
diff --git a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
index 2723b5f94..1407d3c25 100644
--- a/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
+++ b/rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml
@@ -9,7 +9,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-12-20
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 logsource:
 product: macos
diff --git a/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml b/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml
index 1525ff58c..14ed4ac49 100644
--- a/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml
+++ b/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml
@@ -9,7 +9,7 @@ author: Daniil Yugoslavskiy, oscd.community
 date: 2020-10-19
 modified: 2024-04-18
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.001
 logsource:
 category: process_creation
diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
index 543be076f..017aa7a87 100644
--- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
+++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml
@@ -9,7 +9,7 @@ author: Austin Clark
 date: 2019-08-12
 modified: 2023-05-26
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.003
 logsource:
 product: cisco
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
index 6656c54df..829b8a804 100644
--- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
+++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
@@ -9,7 +9,7 @@ date: 2019-08-12
 modified: 2023-01-04
 tags:
 - attack.credential-access
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.004
 - attack.t1552.004
 logsource:
diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
index accdf0680..1758fd623 100644
--- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
+++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml
@@ -8,8 +8,8 @@ author: Austin Clark
 date: 2019-08-11
 modified: 2023-01-04
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: cisco
 service: aaa
diff --git a/rules/network/cisco/aaa/cisco_cli_dot1x_disabled.yml b/rules/network/cisco/aaa/cisco_cli_dot1x_disabled.yml
index 9665a11da..64c1168bd 100644
--- a/rules/network/cisco/aaa/cisco_cli_dot1x_disabled.yml
+++ b/rules/network/cisco/aaa/cisco_cli_dot1x_disabled.yml
@@ -12,10 +12,10 @@ references:
 author: Luc Génaux
 date: 2026-04-28
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.credential-access
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 - attack.t1556.004
 logsource:
 product: cisco
diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
index 6d49de90a..c3ae918c8 100644
--- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
+++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml
@@ -6,8 +6,8 @@ author: Austin Clark
 date: 2019-08-12
 modified: 2023-01-04
 tags:
- - attack.defense-evasion
 - attack.impact
+ - attack.stealth
 - attack.t1070.004
 - attack.t1561.001
 - attack.t1561.002
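Review bot: The `cisco_cli_disable_logging.yml` hunk maps the old `attack.t1562.001` to the parent `attack.t1685`, while the three IIS rules later in this patch map their "logging disabled" behaviour to the sub-technique `attack.t1685.001`; a rule whose whole purpose is disabling logging on the device looks like the same case. If `t1685.001` is the logging-impairment sub-technique in v19, this rule should probably carry it as well, e.g. `- attack.t1685.001` in place of `- attack.t1685`. The parent-only tag is not wrong per se, but the Sigma tag tests and any downstream ATT&CK-coverage tooling will treat the two rule sets as covering different things, so the choice should be deliberate rather than a side effect of the old `t1562.001` → `t1685` mapping. The same question applies to `cisco_cli_dot1x_disabled.yml` in this line, where disabling 802.1X is arguably not a logging change and the parent tag may be the right one. Please confirm against the v19 technique list rather than taking this note as authoritative on the new IDs.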
diff --git a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
index 230743e50..9a850f086 100644
--- a/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
+++ b/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
@@ -11,9 +11,9 @@ tags:
 - attack.initial-access
 - attack.persistence
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.credential-access
 - attack.collection
+ - attack.stealth
 - attack.t1078
 - attack.t1110
 - attack.t1557
diff --git a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
index 680d00905..ff11dcfcc 100644
--- a/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
+++ b/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
@@ -10,9 +10,9 @@ tags:
 - attack.initial-access
 - attack.persistence
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.credential-access
 - attack.collection
+ - attack.stealth
 - attack.t1078
 - attack.t1110
 - attack.t1557
diff --git a/rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml b/rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml
index 9c293cfd2..524d89e83 100644
--- a/rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml
+++ b/rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml
@@ -10,8 +10,8 @@ references:
 author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
 date: 2025-11-01
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: fortigate
 service: event
diff --git a/rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added.yml b/rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added.yml
index 822152936..6e55c5e40 100644
--- a/rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added.yml
+++ b/rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added.yml
@@ -10,8 +10,8 @@ references:
 author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
 date: 2025-11-01
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: fortigate
 service: event
diff --git a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
index a882f2ff8..f1db4f22b 100644
--- a/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
+++ b/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
@@ -11,9 +11,9 @@ tags:
 - attack.initial-access
 - attack.persistence
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.credential-access
 - attack.collection
+ - attack.stealth
 - attack.t1078
 - attack.t1110
 - attack.t1557
diff --git a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
index a912c70b2..55c8e7451 100644
--- a/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
+++ b/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
@@ -11,9 +11,9 @@ tags:
 - attack.initial-access
 - attack.persistence
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.credential-access
 - attack.collection
+ - attack.stealth
 - attack.t1078
 - attack.t1110
 - attack.t1557
diff --git a/rules/web/proxy_generic/proxy_download_susp_dyndns.yml b/rules/web/proxy_generic/proxy_download_susp_dyndns.yml
index 802b70f9c..27d0620fa 100644
--- a/rules/web/proxy_generic/proxy_download_susp_dyndns.yml
+++ b/rules/web/proxy_generic/proxy_download_susp_dyndns.yml
@@ -8,7 +8,6 @@ author: Florian Roth (Nextron Systems)
 date: 2017-11-08
 modified: 2023-05-18
 tags:
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1105
 - attack.t1568
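Review bot: The two FortiGate rules (`fortinet_fortigate_new_firewall_policy_added.yml` here and `fortinet_fortigate_new_firewall_address_object.yml` in the previous line) are retagged from the generic `attack.t1562` to the generic `attack.t1685`, whereas every Windows firewall rule later in this patch goes from `t1562.004` to `t1686.003`. Adding a firewall policy or address object on a perimeter device is the same "modify the firewall" behaviour those Windows rules describe, so the two groups now fall under different v19 parents for what appears to be the same technique. If `t1686.003` is the firewall-modification sub-technique in v19, these two rules should likely use `- attack.t1686.003` (and whichever tactic tag the Windows rules carry) instead of `- attack.t1685`. The old rules used the parent `t1562` rather than `t1562.004`, which is probably why the mechanical mapping landed on `t1685`; I am inferring the v19 hierarchy from the other hunks and cannot confirm the exact IDs from this diff alone.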
diff --git a/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml b/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml
index e758a8281..f033ecd5b 100644
--- a/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml
+++ b/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml
@@ -20,7 +20,6 @@ references:
 author: Markus Neis, Florian Roth (Nextron Systems)
 date: 2024-02-15
 tags:
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1071.001
 logsource:
diff --git a/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml b/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml
index 8e91d7e61..74216dc88 100644
--- a/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml
+++ b/rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml
@@ -8,7 +8,6 @@ author: Florian Roth (Nextron Systems)
 date: 2020-07-13
 modified: 2024-02-26
 tags:
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1071.001
 logsource:
diff --git a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
index c0443c5ff..f39471d70 100644
--- a/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
+++ b/rules/web/proxy_generic/proxy_raw_paste_service_access.yml
@@ -12,7 +12,6 @@ tags:
 - attack.t1071.001
 - attack.t1102.001
 - attack.t1102.003
- - attack.defense-evasion
 logsource:
 category: proxy
 detection:
diff --git a/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml b/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml
index 5a49114b9..9277977ac 100644
--- a/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml
+++ b/rules/web/proxy_generic/proxy_susp_flash_download_loc.yml
@@ -9,10 +9,10 @@ date: 2017-10-25
 modified: 2022-08-08
 tags:
 - attack.initial-access
+ - attack.stealth
 - attack.t1189
 - attack.execution
 - attack.t1204.002
- - attack.defense-evasion
 - attack.t1036.005
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_telegram_api.yml b/rules/web/proxy_generic/proxy_telegram_api.yml
index 14bfb9b4f..c769a8c9f 100644
--- a/rules/web/proxy_generic/proxy_telegram_api.yml
+++ b/rules/web/proxy_generic/proxy_telegram_api.yml
@@ -10,7 +10,6 @@ author: Florian Roth (Nextron Systems)
 date: 2018-06-05
 modified: 2023-05-18
 tags:
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1071.001
 - attack.t1102.002
diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
index e7d0cb2f8..018e8256e 100644
--- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
+++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml
@@ -9,8 +9,9 @@ date: 2022-06-10
 modified: 2022-08-24
 tags:
 - attack.command-and-control
+ - attack.execution
+ - attack.stealth
 - attack.t1071.001
- - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
index 59f98a317..fc7f688a9 100644
--- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml
@@ -10,8 +10,9 @@ date: 2019-03-07
 modified: 2023-05-17
 tags:
 - attack.command-and-control
+ - attack.execution
+ - attack.stealth
 - attack.t1071.001
- - attack.defense-evasion
 - attack.persistence
 - attack.t1197
 - attack.s0190
diff --git a/rules/web/proxy_generic/proxy_ua_empty.yml b/rules/web/proxy_generic/proxy_ua_empty.yml
index 70b50e0d7..f28d3d9f7 100644
--- a/rules/web/proxy_generic/proxy_ua_empty.yml
+++ b/rules/web/proxy_generic/proxy_ua_empty.yml
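Review bot: In the `proxy_susp_flash_download_loc.yml` hunk the new `- attack.stealth` tactic is inserted right after `attack.initial-access`, while the technique it replaces the tactic for, `attack.t1036.005`, stays at the bottom of the list next to where `attack.defense-evasion` used to be. The rest of the patch keeps the replacement tactic adjacent to its technique (for example `attack.stealth` directly above `attack.t1070.003` in `cisco_cli_clear_logs.yml`), and Sigma's tags convention groups a tactic with the technique tags it covers, so this one reads as if `stealth` belonged to `t1189`. Moving the line to sit directly above `- attack.t1036.005` would keep the pairing obvious to the next reader and to any tooling that relies on order; the rule's tags list continues past the hunk only as far as `logsource:`, which is visible, so this is the whole list.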
@@ -10,7 +10,6 @@ author: Florian Roth (Nextron Systems)
 date: 2017-07-08
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1071.001
 logsource:
diff --git a/rules/web/proxy_generic/proxy_ua_powershell.yml b/rules/web/proxy_generic/proxy_ua_powershell.yml
index 59e9ab91c..1932ad561 100644
--- a/rules/web/proxy_generic/proxy_ua_powershell.yml
+++ b/rules/web/proxy_generic/proxy_ua_powershell.yml
@@ -8,7 +8,6 @@ author: Florian Roth (Nextron Systems)
 date: 2017-03-13
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1071.001
 logsource:
diff --git a/rules/web/webserver_generic/web_ssti_in_access_logs.yml b/rules/web/webserver_generic/web_ssti_in_access_logs.yml
index ae334e32e..c41947b71 100644
--- a/rules/web/webserver_generic/web_ssti_in_access_logs.yml
+++ b/rules/web/webserver_generic/web_ssti_in_access_logs.yml
@@ -8,7 +8,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1221
 logsource:
 category: webserver
diff --git a/rules/windows/builtin/application/application_error/win_application_error_msmpeng_crash.yml b/rules/windows/builtin/application/application_error/win_application_error_msmpeng_crash.yml
index fd5c9af50..ffc057463 100644
--- a/rules/windows/builtin/application/application_error/win_application_error_msmpeng_crash.yml
+++ b/rules/windows/builtin/application/application_error/win_application_error_msmpeng_crash.yml
@@ -12,9 +12,10 @@ author: Florian Roth (Nextron Systems)
 date: 2017-05-09
 modified: 2023-04-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1211
- - attack.t1562.001
+ - attack.t1685
 logsource:
 product: windows
 service: application
diff --git a/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml b/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
index 590805da3..5610cd33c 100644
--- a/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
+++ b/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
@@ -16,10 +16,10 @@ date: 2020-01-15
 modified: 2022-10-22
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1203
 - attack.privilege-escalation
 - attack.t1068
- - attack.defense-evasion
 - attack.t1211
 - attack.credential-access
 - attack.t1212
diff --git a/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml b/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
index 72dad5d0f..8166127df 100644
--- a/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
+++ b/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)
 date: 2017-05-12
 modified: 2022-12-25
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
index 7c9da1ca0..930473d88 100644
--- a/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
+++ b/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
@@ -10,7 +10,6 @@ date: 2023-01-12
 tags:
 - attack.lateral-movement
 - attack.execution
- - attack.defense-evasion
 - attack.t1072
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
index 36cc5b87e..308a54366 100644
--- a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
@@ -7,7 +7,7 @@ references:
 author: Stamatis Chatzimangou
 date: 2022-10-23
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.t1218.007
 logsource:
diff --git a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
index ded6786fd..a3b767f7b 100644
--- a/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
+++ b/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-13
 modified: 2024-06-26
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 logsource:
 product: windows
 service: application
diff --git a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
index 5e5ca6ee1..45f4d4485 100644
--- a/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
+++ b/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml
@@ -9,9 +9,10 @@ author: Florian Roth (Nextron Systems)
 date: 2017-05-09
 modified: 2023-04-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1211
- - attack.t1562.001
+ - attack.t1685
 logsource:
 product: windows
 service: application
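Review bot: `win_mssql_disable_audit_settings.yml` ends up with a tactic tag only (`attack.defense-impairment`) and no technique, as it did before the change; since this patch is already touching the tags list and introduces `attack.t1685.001` for the IIS "logging disabled" rules, disabling SQL Server audit settings looks like the same logging-impairment behaviour and would benefit from a technique tag, e.g. adding `- attack.t1685.001` under the tactic. Leaving a tactic without a technique is legal for Sigma but makes the rule invisible to technique-level ATT&CK coverage views. Whether `t1685.001` is the right sub-technique is inferred from the IIS hunks in this same patch and should be checked against the v19 list.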
diff --git a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
index 39c9bfefa..083cb52db 100644
--- a/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
+++ b/rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
@@ -10,8 +10,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-16
 modified: 2023-09-12
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 logsource:
 product: windows
 service: appmodel-runtime
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
index 820110e73..dc592a67f 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
@@ -8,7 +8,7 @@ references:
 author: frack113
 date: 2023-01-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml
index 349445edf..81d264491 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
 modified: 2025-12-10
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml
index 3c152456b..6daaef412 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
 modified: 2025-12-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_in_staging_directory.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_in_staging_directory.yml
index 3e3733743..c5f94098d 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_in_staging_directory.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_in_staging_directory.yml
@@ -10,7 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
index 2f3f0f749..bae66ccc0 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
 modified: 2023-01-12
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
index a52ae4a1a..fdbc423fc 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
@@ -14,7 +14,7 @@ references:
 author: frack113
 date: 2023-01-11
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
index 4cfab5ba2..7c6d5a785 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -12,7 +12,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
 modified: 2025-12-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: windows
 service: appxdeployment-server
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml
index 3ff183ec0..67f8829f1 100644
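Review bot: `win_appxdeployment_server_policy_block.yml` is retagged to `attack.defense-impairment`, while its sibling `win_appxdeployment_server_applocker_block.yml` two lines earlier in this patch is retagged to `attack.stealth`; both rules fire on a deployment being blocked by policy, so one of the two mappings is probably wrong. A block event records a control that worked rather than one that was impaired or evaded, and neither rule carries a technique tag that would justify the split, so I would expect the same tactic on both — most likely `- attack.stealth` here, matching the AppLocker rule, unless the policy-block rule is meant to cover an attempt to disable the policy. This is a consistency question on the new tags, not a claim about which v19 tactic is canonical for these events; the tags list in both rules is fully visible and contains only the one line.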
--- a/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml
@@ -7,8 +7,8 @@ references:
 author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-11-03
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.defense-impairment
 - attack.t1204.002
 - attack.t1553.005
 logsource:
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml
index 3d4a600c2..eaba5bbcd 100644
--- a/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml
@@ -13,8 +13,8 @@ references:
 author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-11-03
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.defense-impairment
 - attack.t1204.002
 - attack.t1553.005
 logsource:
diff --git a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
index c5bf6d39f..c3bae0d03 100644
--- a/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
+++ b/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
@@ -8,8 +8,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-16
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 logsource:
 product: windows
 service: appxpackaging-om
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
index 7ab2c3529..540c47b28 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
@@ -8,8 +8,9 @@ author: frack113
 date: 2022-03-01
 modified: 2023-03-27
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
index b5becafe0..c532c8af3 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
@@ -8,8 +8,9 @@ author: frack113
 date: 2022-03-01
 modified: 2023-03-27
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
index 493d667ab..380b99342 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
@@ -8,8 +8,9 @@ author: frack113
 date: 2022-03-01
 modified: 2023-03-27
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
index 1c7fff77b..c9958f3ea 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
@@ -11,8 +11,9 @@ author: Florian Roth (Nextron Systems)
 date: 2022-06-28
 modified: 2025-12-10
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
index 9bcdf087d..efebe1526 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
@@ -14,8 +14,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
 modified: 2023-03-27
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
index 6cd590f0d..328291637 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
@@ -9,8 +9,9 @@ author: Florian Roth (Nextron Systems)
 date: 2022-06-10
 modified: 2025-02-28
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
index 1aedba92c..cc921220f 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
@@ -8,8 +8,9 @@ author: Florian Roth (Nextron Systems)
 date: 2022-06-28
 modified: 2023-03-27
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
index cb15f1d81..12446feec 100644
--- a/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
+++ b/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
@@ -17,7 +17,8 @@ modified: 2023-02-05
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1574.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
index dd4fcd41c..c1787b1c5 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-02-19
 modified: 2025-10-08
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
index 4b4aa715b..996420d47 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
@@ -12,8 +12,8 @@ author: frack113
 date: 2023-02-26
 modified: 2024-05-10
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
index a4a78df57..d5eae54a9 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
@@ -11,8 +11,8 @@ references:
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2024-05-10
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
index c5e1d274f..d69ce5fa3 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
@@ -8,8 +8,8 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-17
 modified: 2024-01-22
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
index f7992f8f1..2048be378 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-02-19
 modified: 2024-08-29
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
index 208954b53..be5bf9858 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-02-19
 modified: 2023-01-17
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
index 7ee0b2918..169a24342 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-02-19
 modified: 2023-04-21
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
index fd8ed1f8b..6ffcb2756 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
@@ -8,8 +8,8 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022-02-19
 modified: 2023-04-21
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 product: windows
 service: firewall-as
diff --git a/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml b/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml
index f80d82d27..626dcbaa5 100644
--- a/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml
+++ b/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml
@@ -9,9 +9,9 @@ references:
 author: frack113, Nasreddine Bencherchali
 date: 2024-10-06
 tags:
- - attack.defense-evasion
 - attack.persistence
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 - attack.t1505.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml b/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml
index 694943b02..4cc22286b 100644
--- a/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml
+++ b/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml
@@ -9,9 +9,9 @@ references:
 author: frack113
 date: 2024-10-06
 tags:
- - attack.defense-evasion
 - attack.persistence
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 - attack.t1505.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/iis-configuration/win_iis_module_added.yml b/rules/windows/builtin/iis-configuration/win_iis_module_added.yml
index 727421ac6..d59669b78 100644
--- a/rules/windows/builtin/iis-configuration/win_iis_module_added.yml
+++ b/rules/windows/builtin/iis-configuration/win_iis_module_added.yml
@@ -10,9 +10,9 @@ references:
 author: frack113
 date: 2024-10-06
 tags:
- - attack.defense-evasion
 - attack.persistence
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 - attack.t1505.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml b/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml
index 9db167c47..b3e99a287 100644
--- a/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml
+++ b/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml
@@ -10,9 +10,9 @@ references:
 author: Nasreddine Bencherchali
 date: 2024-10-06
 tags:
- - attack.defense-evasion
 - attack.persistence
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 - attack.t1505.004
 logsource:
 product: windows
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
index a7ad1d022..ef0c7b01a 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml
@@ -8,7 +8,7 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-27
 modified: 2023-01-23
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070
 logsource:
 service: msexchange-management
diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
index 1dd486c61..856952d4e 100644
--- a/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml
@@ -8,7 +8,6 @@ author: Florian Roth (Nextron Systems)
 date: 2018-06-08
 modified: 2024-07-22
 tags:
- - attack.defense-evasion
 - attack.lateral-movement
 - attack.t1550.002
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
index 9d9da74b0..054e95a6f 100644
--- a/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
+++ b/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
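Review bot: In the win_exchange_proxyshell_remove_mailbox_export hunk `attack.t1070` is kept as is while `attack.defense-evasion` becomes `attack.stealth`, yet the win_security_audit_log_cleared hunk further down replaces `attack.t1070.001` with `attack.t1685.005` under `attack.defense-impairment`, and the win_security_sdelete_potential_secure_deletion hunk keeps `attack.t1070.004` under both new tactics. If v19 moved the Indicator Removal sub-techniques into the T1685 family as the audit-log remap suggests, the parent ID kept here and `t1070.004` in the sdelete rule should be checked against the same crosswalk so the three rules agree; if T1070 itself survived in v19 under Stealth, this is fine as written.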
@@ -9,8 +9,8 @@ author: Michaela Adams, Zach Mathis
 date: 2022-11-06
 modified: 2023-04-26
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1134.001
 - stp.4u
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
index 9fd93bb13..e3cc51ab9 100644
--- a/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml
@@ -10,9 +10,9 @@ modified: 2022-10-09
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.lateral-movement
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.001
 - attack.t1078.002
 - attack.t1078.003
diff --git a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
index c0aad5df7..1983e0316 100644
--- a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
+++ b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
@@ -8,7 +8,6 @@ author: Roberto Rodriguez (source), Dominik Schaudel (rule)
 date: 2018-02-12
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
 - attack.lateral-movement
 - attack.s0002
 - attack.t1550.002
diff --git a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
index 1ce63f070..9a011cfe1 100644
--- a/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
+++ b/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml
@@ -10,7 +10,6 @@ author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
 date: 2019-06-14
 modified: 2022-10-05
 tags:
- - attack.defense-evasion
 - attack.lateral-movement
 - attack.t1550.002
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
index ac86bbbe6..5464a15c3 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
@@ -14,9 +14,9 @@ modified: 2024-03-11
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
 - attack.t1133
 - attack.t1078
 - attack.t1110
diff --git a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
index dafa835a0..6257c27a9 100644
--- a/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
+++ b/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
@@ -14,9 +14,9 @@ modified: 2024-03-11
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
 - attack.initial-access
 - attack.credential-access
+ - attack.stealth
 - attack.t1133
 - attack.t1078
 - attack.t1110
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
index 57dddbe73..61ec61b4d 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
@@ -9,9 +9,9 @@ date: 2020-05-06
 modified: 2024-03-11
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
+ - attack.stealth
 - attack.t1078
 - attack.t1190
 - attack.t1133
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml b/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
index 4a95af66d..c142da2bd 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml
@@ -7,7 +7,6 @@ references:
 author: Max Altgelt (Nextron Systems)
 date: 2022-04-06
 tags:
- - attack.defense-evasion
 - attack.lateral-movement
 - attack.t1550
 logsource:
diff --git a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
index 992e0f464..b1694d3d2 100644
--- a/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
+++ b/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
@@ -11,7 +11,6 @@ author: Elastic, @SBousseaden
 date: 2022-04-27
 modified: 2024-08-13
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.credential-access
 - attack.t1548
diff --git a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
index 3e181b0c0..d053e0559 100644
--- a/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
+++ b/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml
@@ -11,8 +11,8 @@ references:
 author: '@gott_cyber'
 date: 2024-01-08
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml b/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml
index ed8afb063..63e126911 100644
--- a/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml
+++ b/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml
@@ -10,7 +10,7 @@ author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019-09-12
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1222.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_add_remove_computer.yml b/rules/windows/builtin/security/win_security_add_remove_computer.yml
index 41dce43e6..42048ac8e 100644
--- a/rules/windows/builtin/security/win_security_add_remove_computer.yml
+++ b/rules/windows/builtin/security/win_security_add_remove_computer.yml
@@ -9,7 +9,7 @@ references:
 author: frack113
 date: 2022-10-14
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1207
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
index 1716d8ae9..d07bf314e 100644
--- a/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
@@ -9,8 +9,8 @@ author: '@neu5ron'
 date: 2017-07-30
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 service: security
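Review bot: In the win_security_alert_enable_weak_encryption hunk `attack.t1562.001` is mapped to the parent `attack.t1685`, dropping the sub-technique granularity that the sibling mappings keep (`t1562.002` becomes `t1685.001` in the iis-configuration and disable_event_auditing hunks, `t1562.004` becomes `t1686.003` in the firewall_as hunks); the same parent-only mapping appears in the win_security_net_ntlm_downgrade hunk further down. If v19 has a sub-technique that corresponds to the old Disable or Modify Tools entry, both rules should carry it; if the parent is deliberate because no equivalent exists, a short note in the PR description would save the next retagging pass from re-asking.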
diff --git a/rules/windows/builtin/security/win_security_alert_ruler.yml b/rules/windows/builtin/security/win_security_alert_ruler.yml
index 4bc220a0f..8db4d5e5e 100644
--- a/rules/windows/builtin/security/win_security_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_security_alert_ruler.yml
@@ -12,7 +12,6 @@ author: Florian Roth (Nextron Systems)
 date: 2017-05-31
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
 - attack.discovery
 - attack.execution
 - attack.collection
diff --git a/rules/windows/builtin/security/win_security_audit_log_cleared.yml b/rules/windows/builtin/security/win_security_audit_log_cleared.yml
index 4847955f7..0cb260c4b 100644
--- a/rules/windows/builtin/security/win_security_audit_log_cleared.yml
+++ b/rules/windows/builtin/security/win_security_audit_log_cleared.yml
@@ -15,8 +15,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-01-10
 modified: 2022-02-24
 tags:
- - attack.defense-evasion
- - attack.t1070.001
+ - attack.defense-impairment
+ - attack.t1685.005
 - car.2016-04-002
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
index 791d5605c..b98014ad8 100644
--- a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
@@ -10,7 +10,7 @@ author: Thomas Patzke
 date: 2019-12-03
 modified: 2025-01-19
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_default_domain_gpo_modification.yml b/rules/windows/builtin/security/win_security_default_domain_gpo_modification.yml
index f28088834..03e1b1654 100644
--- a/rules/windows/builtin/security/win_security_default_domain_gpo_modification.yml
+++ b/rules/windows/builtin/security/win_security_default_domain_gpo_modification.yml
@@ -15,8 +15,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-11-22
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.defense-impairment
 - attack.t1484.001
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_disable_event_auditing.yml b/rules/windows/builtin/security/win_security_disable_event_auditing.yml
index 037f2e5f4..8455fa9d3 100644
--- a/rules/windows/builtin/security/win_security_disable_event_auditing.yml
+++ b/rules/windows/builtin/security/win_security_disable_event_auditing.yml
@@ -15,8 +15,8 @@ author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
 date: 2017-11-19
 modified: 2023-11-15
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml b/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
index c10e645cf..ff524931b 100644
--- a/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
+++ b/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml
@@ -12,8 +12,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-20
 modified: 2023-11-17
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
index 06b0cbd73..8c6233aaa 100644
--- a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
+++ b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
@@ -21,9 +21,9 @@ date: 2020-06-05
 modified: 2022-12-20
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
- - attack.t1562
+ - attack.t1685
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
index 4a3cc876c..7bdbe6022 100644
--- a/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
+++ b/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml
@@ -9,8 +9,8 @@ author: Thodoris Polyzos (@SmoothDeploy)
 date: 2024-01-29
 modified: 2024-01-30
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_hktl_nofilter.yml b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
index 12d1d0a00..4763e971f 100644
--- a/rules/windows/builtin/security/win_security_hktl_nofilter.yml
+++ b/rules/windows/builtin/security/win_security_hktl_nofilter.yml
@@ -11,8 +11,8 @@ references:
 author: Stamatis Chatzimangou (st0pp3r)
 date: 2024-01-05
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1134
 - attack.t1134.001
 logsource:
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
index 46458e5de..c9f1b7102 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml
@@ -11,11 +11,10 @@ author: Jonathan Cheong, oscd.community
 date: 2020-10-13
 modified: 2022-11-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
index 9b525d715..52749c2c1 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml
@@ -11,7 +11,7 @@ author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019-11-08
 modified: 2022-11-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
index 4af12b8ef..5e8b9c4a2 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml
@@ -11,7 +11,7 @@ author: Jonathan Cheong, oscd.community
 date: 2020-10-15
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
index 60440bf5f..c4587aa20 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
@@ -11,7 +11,7 @@ author: Jonathan Cheong, oscd.community
 date: 2020-10-15
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
index ec98587c5..d31e72115 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml
@@ -11,7 +11,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2020-10-18
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
index c06c13a9a..e8e4ee19f 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml
@@ -11,7 +11,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2020-10-18
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
index 9be906856..eebc9d6ad 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml
@@ -11,7 +11,7 @@ author: Nikita Nazarov, oscd.community
 date: 2020-10-12
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
index 2458ab037..7a358096d 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml
@@ -11,7 +11,7 @@ author: Nikita Nazarov, oscd.community
 date: 2020-10-09
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
index e9422f5bd..4740621f8 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml
@@ -11,7 +11,7 @@ author: Nikita Nazarov, oscd.community
 date: 2020-10-09
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
index fcbdcf833..12092441b 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml
@@ -11,7 +11,7 @@ author: Nikita Nazarov, oscd.community
 date: 2020-10-09
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
index f1b060d27..ab7cabbdb 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
@@ -11,7 +11,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2020-10-13
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
index 489e46825..34c0d1c36 100644
--- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
+++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml
@@ -12,8 +12,8 @@ author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
 date: 2019-10-26
 modified: 2023-11-15
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1134.001
 - attack.t1134.002
 logsource:
diff --git a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
index 21ef19f0e..06dae365d 100644
--- a/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml
@@ -12,10 +12,9 @@ date: 2018-03-20
 modified: 2022-10-09
 tags:
 - attack.persistence
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 - attack.t1112
-# Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
 product: windows
 service: security
diff --git a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
index 1b985f452..6de93b98c 100644
--- a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
+++ b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
@@ -9,7 +9,7 @@ author: Ilyas Ochkov, oscd.community
 date: 2019-10-25
 modified: 2024-01-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_possible_dc_shadow.yml b/rules/windows/builtin/security/win_security_possible_dc_shadow.yml
index 3d8efe493..9ab3089b6 100644
--- a/rules/windows/builtin/security/win_security_possible_dc_shadow.yml
+++ b/rules/windows/builtin/security/win_security_possible_dc_shadow.yml
@@ -14,7 +14,7 @@ date: 2019-10-25
 modified: 2022-10-17
 tags:
 - attack.credential-access
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1207
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
index 9e00ce5c9..308bbba3c 100644
--- a/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
@@ -9,7 +9,6 @@ author: Samir Bousseaden
 date: 2019-02-16
 modified: 2022-09-02
 tags:
- - attack.defense-evasion
 - attack.command-and-control
 - attack.lateral-movement
 - attack.t1090.001
diff --git a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
index 5c0f306c9..27536529b 100644
--- a/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
+++ b/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
@@ -11,9 +11,10 @@ references:
 author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
 date: 2023-09-28
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
 - attack.t1574.011
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
index def8aac3b..4fe9c2da3 100644
--- a/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
+++ b/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
@@ -8,7 +8,6 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 date: 2019-08-15
 modified: 2022-09-18
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml b/rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml
index 23923fcb3..75ad648b9 100644
--- a/rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml
+++ b/rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml
@@ -11,7 +11,8 @@ date: 2017-06-14
 modified: 2024-12-13
 tags:
 - attack.impact
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1070.004
 - attack.t1027.005
 - attack.t1485
diff --git a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
index 0420eb090..ca6363f62 100644
--- a/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
+++ b/rules/windows/builtin/security/win_security_susp_add_sid_history.yml
@@ -7,9 +7,9 @@ references:
 author: Thomas Patzke, @atc_project (improvements)
 date: 2017-02-19
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1134.005
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml
index be666e886..874859c4b 100644
--- a/rules/windows/builtin/security/win_security_susp_computer_name.yml
+++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml
@@ -10,11 +10,11 @@ date: 2022-09-09
 modified: 2023-01-04
 tags:
 - attack.initial-access
- - attack.defense-evasion
 - cve.2021-42278
 - cve.2021-42287
 - attack.persistence
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1078
 logsource:
 service: security
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
index 18a808de4..f9f0a753d 100644
--- a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
@@ -10,9 +10,9 @@ date: 2017-02-19
 modified: 2025-10-17
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.initial-access
+ - attack.stealth
 - attack.t1078
 logsource:
 product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml b/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml
index 13b375918..2292997d5 100644
--- a/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml
+++ b/rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml
@@ -8,8 +8,8 @@ references:
- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
date: 2024-09-04
tags:
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.defense-impairment
- attack.t1484.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
index 3578a7fb2..739de841a 100644
--- a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
+++ b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
@@ -9,8 +9,8 @@ author: Elastic, Josh Nickels, Marius Rothenbücher
date: 2024-09-06
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.defense-impairment
- attack.t1484.001
- attack.t1547
logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
index 06138f399..1f29710aa 100644
--- a/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
+++ b/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml
@@ -11,7 +11,7 @@ tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- - attack.defense-evasion
+ - attack.stealth
- attack.t1078
- attack.lateral-movement
logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
index 721a83638..bdcb3c83a 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml
@@ -7,7 +7,7 @@ references:
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
index 03c9c7ef6..55e97b0dd 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
- attack.command-and-control
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.t1105
- attack.t1036
diff --git a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
index e6b90b3f5..fb2aa3809 100644
--- a/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
+++ b/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
@@ -7,8 +7,8 @@ references:
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
- - attack.defense-evasion
- attack.initial-access
+ - attack.stealth
- attack.t1027
- attack.t1566.001
logsource:
diff --git a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
index b3dabac22..32ebbd254 100644
--- a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
+++ b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
@@ -10,8 +10,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022-10-17
tags:
- attack.persistence
- - attack.defense-evasion
- attack.credential-access
+ - attack.defense-impairment
- attack.t1556
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_susp_time_modification.yml b/rules/windows/builtin/security/win_security_susp_time_modification.yml
index 0793fcd2f..4211052d9 100644
--- a/rules/windows/builtin/security/win_security_susp_time_modification.yml
+++ b/rules/windows/builtin/security/win_security_susp_time_modification.yml
@@ -10,7 +10,7 @@ author: '@neu5ron'
date: 2019-02-05
modified: 2025-12-03
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070.006
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
index a6e0ac7fa..a7b84ddd6 100644
--- a/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
+++ b/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml
@@ -12,7 +12,7 @@ date: 2020-07-14
modified: 2025-10-22
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
index 017d69c16..f223fa7ff 100644
--- a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
+++ b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
@@ -10,8 +10,8 @@ date: 2017-03-14
modified: 2021-01-17
tags:
- attack.initial-access
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.stealth
- attack.t1078
- attack.persistence
- attack.t1098
diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
index d951be519..a84fe9b8c 100644
--- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
@@ -14,8 +14,8 @@ author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2026-03-29
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
index 0ab0d4de0..8e06f9c8e 100644
--- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
+++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
@@ -14,8 +14,8 @@ author: '@BarryShooshooga'
date: 2019-10-26
modified: 2023-11-11
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: security
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
index 3c2c53716..969f26503 100644
--- a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
+++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml
@@ -14,8 +14,8 @@ author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)'
date: 2019-10-26
modified: 2023-11-11
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: security
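Review bot: The sub-technique tag `attack.t1562.001` is replaced with the parent-level `attack.t1685` in win_security_user_driver_loaded.yml and in both Defender-exclusion rules on this line, which drops the precision the old tag carried, while the event-log rules elsewhere in this PR are mapped to a sub-technique (`attack.t1685.005`). If v19 defines a sub-technique under T1685 for disabling or modifying security tools, these three rules should point at it; if it deliberately does not, a short note in the PR description saying so would spare the next reviewer the same lookup. The same parent-level mapping is repeated for every former `t1562.001` rule in the windefend and service_control_manager hunks below, so whichever answer is right should be applied uniformly rather than file by file.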
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
index 8bb7aa63f..7e853acd0 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
@@ -10,7 +10,8 @@ modified: 2022-09-28
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
index 66857f237..6e45a0669 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
@@ -10,7 +10,8 @@ modified: 2022-09-28
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
index b3e83bfc5..d8f9f9d92 100644
--- a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
+++ b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
@@ -8,8 +8,8 @@ author: Tim Shelton
date: 2022-04-26
modified: 2024-01-17
tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
index d5e0fa909..5f28e128d 100644
--- a/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
+++ b/rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml
@@ -8,7 +8,6 @@ author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-04-26
modified: 2023-06-06
tags:
- - attack.defense-evasion
- attack.lateral-movement
- attack.t1550.002
logsource:
diff --git a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
index 28bab5325..98ba29b6c 100644
--- a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
+++ b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml
@@ -11,7 +11,7 @@ author: '@SerkinValery'
date: 2024-03-07
tags:
- attack.credential-access
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
index b19d4ac95..c26df6d6e 100644
--- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
+++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml
@@ -12,7 +12,8 @@ modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
index f158ddb98..650c57d2e 100644
--- a/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
+++ b/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml
@@ -12,7 +12,8 @@ modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
index 853e5c76a..037d2c065 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
@@ -16,8 +16,8 @@ author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2023-11-15
tags:
- - attack.defense-evasion
- - attack.t1070.001
+ - attack.defense-impairment
+ - attack.t1685.005
- car.2016-04-002
logsource:
product: windows
diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
index 4899504cd..462e00a2f 100644
--- a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
@@ -12,8 +12,8 @@ author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Ne
date: 2022-05-17
modified: 2023-11-15
tags:
- - attack.defense-evasion
- - attack.t1070.001
+ - attack.defense-impairment
+ - attack.t1685.005
- car.2016-04-002
logsource:
product: windows
diff --git a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
index 1120f3892..2e54c155a 100644
--- a/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
+++ b/rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
@@ -8,7 +8,6 @@ author: NVISO
date: 2020-09-15
modified: 2022-12-25
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.t1548
logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
index 411f95eab..7fd58691b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
@@ -12,8 +12,8 @@ author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2024-07-02
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
index 39b32fed4..b34ca9f21 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
@@ -8,7 +8,7 @@ author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2023-02-20
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
index e8027d7cc..74b03b3c6 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
@@ -8,7 +8,7 @@ author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
logsource:
product: windows
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
index 54dcd16fe..6e05e441b 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
@@ -8,7 +8,7 @@ author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
index e93da25ac..21faa7ca6 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
@@ -8,7 +8,7 @@ author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml
index 62c23a05d..dccafdaef 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml
@@ -8,7 +8,7 @@ author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
index 840afa85b..110e5ba41 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
@@ -8,7 +8,7 @@ author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
index 2c8f22e30..fc623e429 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
@@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
index d765a34e3..dbaf52f7c 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
@@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
index 3c651c983..c04787a12 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
@@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
index 0cc6d9f90..50c027d09 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
@@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
index 36f4c36ec..25f730026 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
@@ -8,7 +8,7 @@ author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index c47ac6f59..99012723c 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -9,8 +9,8 @@ author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.stealth
- attack.t1134.001
- attack.t1134.002
logsource:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
index 6115cacc4..0dc2b87a1 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml
@@ -10,7 +10,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
- - attack.defense-evasion
+ - attack.stealth
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
index 3eb452ea3..97d098859 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml
@@ -10,7 +10,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
- - attack.defense-evasion
+ - attack.stealth
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
index e44829b32..636ec0726 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
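Review bot: win_system_service_terminated_error_generic.yml and win_system_service_terminated_error_important.yml are given `attack.stealth` as their sole tag, whereas win_system_application_sysmon_crash.yml in this same PR, which covers the closely related case of a monitoring component dying, is mapped to `attack.defense-impairment` plus `attack.t1685`. A terminated security service is an impaired defense rather than a concealed artifact, so `attack.defense-impairment` looks like the consistent choice for these two rules (and for win_system_service_terminated_unexpectedly.yml, whose hunk continues on the next line), assuming they target security-relevant services as the `_important` name suggests; the detection bodies are not visible in these hunks. Whichever tactic is chosen, all three rules are left with a tactic tag and no technique ID, which is worth adding while they are being edited so the v19 mapping is complete rather than tactic-only.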
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml
@@ -7,7 +7,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
- - attack.defense-evasion
+ - attack.stealth
logsource:
product: windows
service: system
diff --git a/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml b/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml
index beba99457..11ff7220d 100644
--- a/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml
+++ b/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml
@@ -14,8 +14,8 @@ author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml b/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
index 9c8054db6..d35226323 100644
--- a/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
+++ b/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
@@ -8,8 +8,8 @@ author: Christian Burkard (Nextron Systems)
date: 2021-07-06
modified: 2022-12-06
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
index 64df6be55..09ecb316d 100644
--- a/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
+++ b/rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
@@ -9,8 +9,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2022-12-06
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml b/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml
index 06b772675..7a1e5eeec 100644
--- a/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml
+++ b/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml
@@ -15,8 +15,8 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml
index e035f90d5..d973f1ab9 100644
--- a/rules/windows/builtin/windefend/win_defender_history_delete.yml
+++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml
@@ -9,7 +9,7 @@ author: Cian Heasley
date: 2020-08-13
modified: 2023-11-24
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml b/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml
index 9250b54ae..2917b14ce 100644
--- a/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml
@@ -13,8 +13,8 @@ author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
index 811ead3fd..b7ac96459 100644
--- a/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml
@@ -14,8 +14,8 @@ author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
index cf7a8b231..5eb4b97ec 100644
--- a/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
+++ b/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml
@@ -10,8 +10,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securep
date: 2023-03-28
modified: 2023-05-05
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
index 71b80b1c4..154e252d6 100644
--- a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
+++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
@@ -7,8 +7,8 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
index 0f0674191..349673106 100644
--- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
@@ -16,8 +16,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
modified: 2023-11-24
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index eff4df194..e3e9503ad 100644
--- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
@@ -9,8 +9,8 @@ author: Bhabesh Raj, Nasreddine Bencherchali
date: 2021-07-05
modified: 2022-12-06
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
service: windefend
diff --git a/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml b/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml
index e21d92c09..0baa81a26 100644
--- a/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml
@@ -13,8 +13,8 @@ author: Ján Trenčanský, frack113
 date: 2020-07-28
 modified: 2023-11-22
 tags:
-    - attack.defense-evasion
-    - attack.t1562.001
+    - attack.defense-impairment
+    - attack.t1685
 logsource:
     product: windows
     service: windefend
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
index 6b4f84977..7461ea4e4 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml
@@ -10,8 +10,8 @@ date: 2019-02-01
 modified: 2023-05-05
 tags:
     - attack.privilege-escalation
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.t1055.012
     - attack.t1059.005
     - attack.t1059.007
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
index d3810300a..5eaa9fd8c 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml
@@ -10,7 +10,7 @@ date: 2018-11-30
 modified: 2023-05-05
 tags:
     - attack.privilege-escalation
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1055.001
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
index cdb746f70..723f2cb38 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
@@ -11,8 +11,8 @@ author: Florian Roth (Nextron Systems)
 date: 2018-06-25
 modified: 2023-11-10
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.t1218.011
     - attack.t1059.001
 logsource:
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
index 4036b5fdb..05c8c6da3 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
@@ -13,7 +13,7 @@ date: 2019-10-27
 modified: 2025-12-08
 tags:
     - attack.privilege-escalation
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
index 373383eb3..9f92d9227 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
@@ -13,7 +13,7 @@ date: 2019-10-27
 modified: 2025-07-08
 tags:
     - attack.privilege-escalation
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1055
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
index 9cd44278c..48c30fd43 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
@@ -11,8 +11,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-03-16
 modified: 2025-07-04
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1055.003
 logsource:
     product: windows
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
index 461eb0ae4..08f269323 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml
@@ -8,7 +8,8 @@ author: frack113
 date: 2022-05-16
 modified: 2022-06-02
 tags:
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1127
 logsource:
     product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
index 0b6669d97..10e420850 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems), @0xrawsec
 date: 2018-06-03
 modified: 2023-02-10
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.s0139
     - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
index a23a650d3..c75d5ba81 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2022-10-22
 modified: 2023-06-12
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     product: windows
     category: create_stream_hash
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
index d26b658bd..c0d9cda76 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -14,7 +14,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-08-24
 modified: 2025-12-10
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.s0139
     - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
index c0d6b0107..b6ee91a54 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -13,7 +13,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-08-24
 modified: 2025-12-10
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.s0139
     - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
index eb61e2c69..0c7c89770 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
@@ -18,7 +18,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-08-24
 modified: 2024-11-23
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.s0139
     - attack.t1564.004
 logsource:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
index 58aea4a08..db86d8dd3 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
@@ -9,7 +9,7 @@ author: Oddvar Moe, Sander Wiebing, oscd.community
 date: 2020-10-07
 modified: 2021-11-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1564.004
 logsource:
     product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
index 608e8a121..f81dfc656 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems
 date: 2022-09-07
 modified: 2023-02-10
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1564.004
 logsource:
     product: windows
diff --git a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
index 2451eccd3..a03939a52 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
@@ -7,8 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-04-18
 tags:
-    - attack.defense-evasion
     - attack.persistence
+    - attack.stealth
 logsource:
     product: windows
     category: create_stream_hash
diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
index b8187973a..8069106a1 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
@@ -8,7 +8,7 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2023-05-18
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     product: windows
     category: create_stream_hash
diff --git a/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml b/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml
index 0cfff5a53..2a7db60cf 100644
--- a/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml
+++ b/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml
@@ -13,8 +13,8 @@ date: 2019-10-25
 modified: 2023-09-18
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1559.001
-    - attack.defense-evasion
     - attack.t1218.010
 logsource:
     category: dns_query
diff --git a/rules/windows/driver_load/driver_load_win_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml
index 68e1757c3..62c56fac4 100644
--- a/rules/windows/driver_load/driver_load_win_windivert.yml
+++ b/rules/windows/driver_load/driver_load_win_windivert.yml
@@ -11,7 +11,7 @@ modified: 2024-11-23
 tags:
     - attack.credential-access
     - attack.collection
-    - attack.defense-evasion
+    - attack.defense-impairment
     - attack.t1599.001
     - attack.t1557.001
 logsource:
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
index 403a5e460..505c2bf33 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-15
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070
 logsource:
     category: file_delete
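Review bot: The driver_load_win_windivert hunk is the only place in this chunk where `attack.defense-evasion` becomes `attack.defense-impairment` without the technique id changing; everywhere else that tactic appears it accompanies the t1562.00x to t1685 renumbering, and techniques that keep their id move to `attack.stealth` instead. The rule keeps `    - attack.t1599.001` and `    - attack.t1557.001`, so verify that the v19 data actually lists one of those under the new tactic; if it does not, the change consistent with the rest of this commit is `    - attack.stealth`, and if neither technique sits in a defense-oriented tactic at all the tag should be dropped rather than guessed. The rule's remaining tags sit outside the hunk.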
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
index bb89e948a..bb540e0e1 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-26
 modified: 2022-12-30
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070
 logsource:
     category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
index f2b9490ce..90dbc0fc0 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
@@ -11,7 +11,7 @@ author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-16
 modified: 2023-02-15
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070
 logsource:
     category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml b/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml
index ce78f28fd..f829be542 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml
@@ -8,7 +8,7 @@ references:
 author: Max Altgelt (Nextron Systems)
 date: 2024-09-03
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     product: windows
     category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
index 0308f4c6a..c4735713d 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-15
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070
 logsource:
     category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
index 04fb469d1..c1755bc1b 100755
--- a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
@@ -9,7 +9,7 @@ author: Cedric MAURUGEON
 date: 2021-09-29
 modified: 2024-01-25
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070.004
 logsource:
     product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml
index 85992dd16..5067aa890 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2022-01-16
 modified: 2023-02-15
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070.004
 logsource:
     product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
index fe35182c2..5ddff0043 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml
@@ -8,7 +8,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-16
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070
 logsource:
     category: file_delete
diff --git a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
index f96df7ebf..ecd9572eb 100644
--- a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
+++ b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
@@ -9,7 +9,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
 modified: 2023-02-15
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070.004
 logsource:
     product: windows
diff --git a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
index 5cdc23c28..7156df5df 100644
--- a/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
+++ b/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml
@@ -12,7 +12,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-04
 modified: 2025-07-04
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070.004
 logsource:
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_arcsoc_susp_file_created.yml b/rules/windows/file/file_event/file_event_win_arcsoc_susp_file_created.yml
index 8ba24abe5..7a8658208 100644
--- a/rules/windows/file/file_event/file_event_win_arcsoc_susp_file_created.yml
+++ b/rules/windows/file/file_event/file_event_win_arcsoc_susp_file_created.yml
@@ -11,10 +11,11 @@ references:
 author: Micah Babinski
 date: 2025-11-25
 tags:
-    - attack.defense-evasion
     - attack.command-and-control
     - attack.persistence
     - attack.initial-access
+    - attack.execution
+    - attack.stealth
     - attack.t1127
     - attack.t1105
     - attack.t1133
diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
index ce3e36af5..38e0be2d7 100644
--- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
@@ -11,8 +11,8 @@ author: D3F7A5105
 date: 2023-01-02
 modified: 2024-03-26
 tags:
-    - attack.defense-evasion
-    - attack.t1562.002
+    - attack.defense-impairment
+    - attack.t1685.001
 logsource:
     category: file_event
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 068a3d1cb..9e5c76a12 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -26,9 +26,10 @@ author: Nasreddine Bencherchali (Nextron Systems), fornotes
 date: 2022-12-01
 modified: 2026-01-24
 tags:
-    - attack.defense-evasion
     - attack.persistence
     - attack.privilege-escalation
+    - attack.execution
+    - attack.stealth
     - attack.t1574.001
 logsource:
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml b/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml
index d2e120115..764126cad 100644
--- a/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml
@@ -9,7 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-06-24
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.005
 logsource:
     category: file_event
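Review bot: In the file_event_win_create_evtx_non_common_locations hunk `attack.t1562.002` is mapped to the sub-technique `    - attack.t1685.001`, whereas every `attack.t1562.001` occurrence in the windefend hunks of this chunk is mapped to the bare parent `    - attack.t1685` rather than to a sub-technique. That asymmetry is plausible if the new release folded the former sub-technique into its parent, but it should be confirmed against the published version crosswalk rather than inferred, because a rule pinned to a parent id loses the sub-technique granularity that downstream mappings such as Navigator layers and coverage reports rely on. Stating the crosswalk entry used for t1562.001 in the PR description would make the mapping reviewable without re-deriving it.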
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index 0f3b78e78..d3fd91329 100644
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -10,7 +10,7 @@ author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020-05-26
 modified: 2026-02-04
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.005
 logsource:
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
index 210294d66..f5b8ef7d6 100644
--- a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
@@ -11,7 +11,7 @@ author: frack113
 date: 2022-01-09
 modified: 2023-02-17
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1027.004
 logsource:
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
index 21f9070b0..e5ec8c628 100644
--- a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
+++ b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
@@ -12,7 +12,8 @@ date: 2022-07-30
 tags:
     - attack.persistence
     - attack.privilege-escalation
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1574.001
 logsource:
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
index bf61bd36a..830a7c61a 100644
--- a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml
@@ -10,7 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-07
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: file_event
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml b/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
index 805602972..59cd52efc 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml
@@ -13,7 +13,8 @@ modified: 2024-06-27
 tags:
     - attack.persistence
     - attack.privilege-escalation
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1574.001
 logsource:
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
index 5b73a99e4..ede1e9fba 100644
--- a/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
@@ -10,12 +10,13 @@ date: 2022-10-21
 tags:
     - attack.privilege-escalation
     - attack.persistence
+    - attack.execution
+    - attack.stealth
     - attack.t1566
     - attack.t1566.001
     - attack.initial-access
     - attack.t1574
     - attack.t1574.001
-    - attack.defense-evasion
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
index 1660e6bb0..7e8423cde 100644
--- a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
+++ b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
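Review bot: In the file_event_win_initial_access_dll_search_order_hijacking hunk the added `    - attack.execution` and `    - attack.stealth` are inserted with the other tactic tags at the head of the list, but `    - attack.initial-access` is left sitting between `attack.t1566.001` and `attack.t1574`. Since this commit already rewrites the tactic block of that rule, moving `attack.initial-access` up beside the other tactics would leave the list in the tactics-then-techniques order every other retagged rule in this chunk follows, and avoids a second touch of the same lines later.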
@@ -11,7 +11,8 @@ date: 2022-08-12
 tags:
     - attack.persistence
     - attack.privilege-escalation
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1574.001
 logsource:
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
index 2c7c07fc1..621b80ed1 100644
--- a/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
@@ -10,7 +10,7 @@ references:
 author: Joseph Kamau
 date: 2024-05-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
index 812acbba7..9917e9e07 100644
--- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
@@ -16,7 +16,7 @@ author: frack113, omkar72, oscd.community, Wojciech Lesicki
 date: 2022-11-18
 modified: 2023-02-23
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
index 98b0334b4..469fd036b 100644
--- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-05
 modified: 2023-02-23
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_new_scr_file.yml b/rules/windows/file/file_event/file_event_win_new_scr_file.yml
index 1a1077332..5b6a9dd57 100644
--- a/rules/windows/file/file_event/file_event_win_new_scr_file.yml
+++ b/rules/windows/file/file_event/file_event_win_new_scr_file.yml
@@ -8,7 +8,7 @@ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 date: 2022-04-27
 modified: 2023-08-23
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml
index 993e86e2e..961d710a3 100644
--- a/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-22
 modified: 2023-09-19
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: file_event
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
index 5d5c4dea3..95c48c808 100644
--- a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-09
 modified: 2023-02-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: file_event
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
index 726a3c376..0971e6d0d 100644
--- a/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-08
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: file_event
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
index ca184a5ee..6714f5d50 100644
--- a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
+++ b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-01
 modified: 2025-10-07
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
index 760c848d7..004ca9903 100644
--- a/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-04-18
 modified: 2024-11-01
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
index afa4893ec..88d7b98d9 100644
--- a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
+++ b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
@@ -8,7 +8,7 @@ author: Alexander Rausch
 date: 2020-06-24
 modified: 2023-01-05
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1027
 logsource:
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
index d2f962112..5611d09ea 100644
--- a/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
+++ b/rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml
@@ -9,7 +9,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-08
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: file_event
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
index bff66ec2a..c27db633f 100644
--- a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
@@ -15,7 +15,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024-02-05
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index 3942ab79b..611066fc8 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-12
 modified: 2025-10-07
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036
 logsource:
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
index e1c77f717..16334baf1 100644
--- a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2022-01-21
 modified: 2023-01-05
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1564
 logsource:
     product: windows
diff --git a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
index 24fe4d9a7..b5778c5d9 100644
--- a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
@@ -9,10 +9,10 @@ date: 2022-04-28
 modified: 2022-06-02
 tags:
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1055
     - attack.t1218
     - attack.execution
-    - attack.defense-evasion
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
index b2f55b1e9..b501056df 100644
--- a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
@@ -7,8 +7,8 @@ references:
 author: elhoim
 date: 2022-04-28
 tags:
+    - attack.stealth
     - attack.t1036.005
-    - attack.defense-evasion
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index 53b01bef9..9a47d2365 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -19,7 +19,7 @@ author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2022-06-19 modified: 2026-03-31 tags: - - attack.defense-evasion + - attack.stealth - attack.t1036.007 logsource: category: file_event diff --git a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml index 319abdc11..4640104d8 100644 --- a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml +++ b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml @@ -11,7 +11,7 @@ author: frack113 date: 2022-09-05 modified: 2023-12-11 tags: - - attack.defense-evasion + - attack.stealth - attack.t1564 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml index b59d21bfa..2456abc61 100644 --- a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml +++ b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml @@ -13,8 +13,8 @@ date: 2022-04-23 tags: - attack.privilege-escalation - attack.persistence + - attack.stealth - attack.t1546 - - attack.defense-evasion - attack.t1027 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml index a6d21c786..a377f3d60 100644 --- a/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml +++ b/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml @@ -15,7 +15,7 @@ references: author: Scoubi (@ScoubiMtl) date: 2023-10-09 tags: - - attack.defense-evasion + - attack.stealth - attack.t1564.004 logsource: product: windows 
diff --git a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml index 8eadfa49d..8006c564e 100644 --- a/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml +++ b/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml @@ -11,10 +11,9 @@ references: author: Micah Babinski, @micahbabinski date: 2023-05-08 tags: - - attack.defense-evasion + - attack.stealth - attack.t1036 - attack.t1036.003 - # - attack.t1036.008 logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml index 284457d6e..20eda7979 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml @@ -7,7 +7,7 @@ references: author: frack113, Florian Roth date: 2022-08-21 tags: - - attack.defense-evasion + - attack.stealth - attack.t1218 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml index 75ee62d27..794f1e689 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml @@ -8,7 +8,7 @@ author: frack113, Florian Roth (Nextron Systems) date: 2022-08-21 modified: 2023-06-22 tags: - - attack.defense-evasion + - attack.stealth - attack.t1218 logsource: product: windows 
diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml index 995a0cb9d..e9d1d995c 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml @@ -12,7 +12,7 @@ references: author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-12-10 tags: - - attack.defense-evasion + - attack.stealth - attack.t1218 - attack.command-and-control - attack.t1105 diff --git a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml index 2dcdbb8a8..d5f0d6ed5 100644 --- a/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml +++ b/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml @@ -8,7 +8,7 @@ author: frack113, Florian Roth (Nextron Systems) date: 2022-08-21 modified: 2023-06-22 tags: - - attack.defense-evasion + - attack.stealth - attack.t1218 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml index c5ff31979..44afa5801 100644 --- a/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml +++ b/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml @@ -16,7 +16,7 @@ author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2022-11-07 modified: 2023-10-18 tags: - - attack.defense-evasion + - attack.stealth - attack.t1036.007 logsource: category: file_event 
diff --git a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml index c2d2d3e83..a77f3d774 100755 --- a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml +++ b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml @@ -10,8 +10,8 @@ author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019-04-08 modified: 2022-11-22 tags: - - attack.t1562.001 - - attack.defense-evasion + - attack.defense-impairment + - attack.t1685 logsource: product: windows category: file_event diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml index b4f86e9b4..11171c671 100644 --- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml +++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml @@ -13,7 +13,7 @@ date: 2023-07-12 modified: 2023-12-11 tags: - attack.persistence - - attack.defense-evasion + - attack.stealth logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml index 586b22f0a..c3f2790ab 100644 --- a/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml +++ b/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml @@ -16,7 +16,7 @@ date: 2024-11-17 modified: 2026-03-20 tags: - attack.execution - - attack.defense-evasion + - attack.stealth - attack.t1036.002 logsource: category: file_event 
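Review bot: In the `file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml` hunk the sub-technique `attack.t1562.001` is replaced by the parent-level `attack.t1685`, whereas the `image_load_hktl_sharpevtmute.yml` hunk later in this commit maps the former `attack.t1562.002` to a sub-technique (`attack.t1685.001`), so this rule loses a level of granularity that the other migration keeps. If ATT&CK v19 defines a sub-technique under T1685 corresponding to the former "Disable or Modify Tools" (T1562.001), the tag here should be that sub-technique rather than `- attack.t1685`; the same applies to the two `image_load_dll_rstrtmgr_*` hunks that make the identical parent-level substitution. I cannot confirm the v19 structure from the diff alone, so please check the mapping table the migration was generated from.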
diff --git a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml index 2c7fb6569..8cf1119a0 100644 --- a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml +++ b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml @@ -7,7 +7,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-28 tags: - - attack.defense-evasion + - attack.stealth logsource: product: windows category: file_event diff --git a/rules/windows/file/file_event/file_event_win_susp_wdac_policy_creation.yml b/rules/windows/file/file_event/file_event_win_susp_wdac_policy_creation.yml index 8b6177171..d8fdec999 100644 --- a/rules/windows/file/file_event/file_event_win_susp_wdac_policy_creation.yml +++ b/rules/windows/file/file_event/file_event_win_susp_wdac_policy_creation.yml @@ -14,7 +14,7 @@ author: X__Junior date: 2025-02-07 modified: 2025-12-03 tags: - - attack.defense-evasion + - attack.defense-impairment logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml index 353b2c540..9e4cb3459 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml @@ -7,8 +7,8 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-05-16 tags: - - attack.defense-evasion - attack.privilege-escalation + - attack.stealth logsource: product: windows category: file_event diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml index 01ffd9778..d9d21e54c 100644 
--- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml @@ -7,8 +7,8 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-05-16 tags: - - attack.defense-evasion - attack.privilege-escalation + - attack.stealth logsource: product: windows category: file_event diff --git a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml index e37be4917..cb6fd6c3a 100644 --- a/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml @@ -10,8 +10,8 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-05-16 tags: - - attack.defense-evasion - attack.privilege-escalation + - attack.stealth logsource: product: windows category: file_event diff --git a/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml index 1516644dd..4385cb457 100644 --- a/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml +++ b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml @@ -9,9 +9,9 @@ author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash) date: 2022-12-16 modified: 2022-12-19 tags: - - attack.defense-evasion - attack.persistence - attack.privilege-escalation + - attack.stealth logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml index 0e8445a12..7505f4a8a 100644 
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml @@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems) date: 2021-08-23 modified: 2022-10-09 tags: - - attack.defense-evasion - attack.privilege-escalation - attack.t1548.002 logsource: diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml index fe49cca4c..37fa80f06 100644 --- a/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml @@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems) date: 2021-08-30 modified: 2022-10-09 tags: - - attack.defense-evasion - attack.privilege-escalation - attack.t1548.002 logsource: diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml index 06269ac80..27c1b7caa 100644 --- a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml @@ -10,8 +10,8 @@ author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems) date: 2022-04-27 modified: 2022-11-22 tags: - - attack.defense-evasion - attack.privilege-escalation + - attack.stealth logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml index 71c0c8144..e56ff4c7c 100644 --- a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml 
@@ -8,7 +8,6 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-03 tags: - attack.execution - - attack.defense-evasion - attack.privilege-escalation - attack.t1548.002 logsource: diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml index b78dbe3a4..a6b347ee8 100644 --- a/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml @@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems) date: 2021-08-30 modified: 2022-10-09 tags: - - attack.defense-evasion - attack.privilege-escalation - attack.t1548.002 logsource: diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml index f6377bb28..fd0f8b5e4 100644 --- a/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml @@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems) date: 2021-08-30 modified: 2022-10-09 tags: - - attack.defense-evasion - attack.privilege-escalation - attack.t1548.002 logsource: diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml index 79aef3db6..1ac3e02ee 100644 --- a/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml @@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems) date: 2021-08-30 modified: 2022-10-09 tags: - - attack.defense-evasion - attack.privilege-escalation - attack.t1548.002 logsource: 
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml index dbed70ecd..3d693c0bd 100644 --- a/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml @@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems) date: 2021-08-30 modified: 2022-10-09 tags: - - attack.defense-evasion - attack.privilege-escalation - attack.t1548.002 logsource: diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml index 17f08dd10..5f47eeffb 100644 --- a/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml @@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems) date: 2021-08-23 modified: 2022-10-09 tags: - - attack.defense-evasion - attack.privilege-escalation - attack.t1548.002 logsource: diff --git a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml index c065adac4..75b131816 100644 --- a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml +++ b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml @@ -10,7 +10,8 @@ modified: 2025-12-03 tags: - attack.privilege-escalation - attack.persistence - - attack.defense-evasion + - attack.execution + - attack.stealth - attack.t1574.001 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml index 92562c9c0..b89956c9d 100644 --- a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml +++ b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml 
@@ -11,7 +11,7 @@ author: Julia Fomina, oscd.community date: 2020-10-06 modified: 2022-11-28 tags: - - attack.defense-evasion + - attack.stealth - attack.t1216 logsource: product: windows diff --git a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml index 4386c5a9f..960228bca 100644 --- a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml @@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-18 tags: - attack.persistence - - attack.defense-evasion + - attack.stealth - attack.t1542.001 logsource: product: windows diff --git a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml index f693d5eb2..a24ff3e71 100644 --- a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml +++ b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml @@ -16,7 +16,7 @@ references: author: Joseliyo Sanchez, @Joseliyo_Jstnk date: 2024-02-05 tags: - - attack.defense-evasion + - attack.stealth - attack.t1218 logsource: product: windows diff --git a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml index 4e29957bd..209f520f9 100644 --- a/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml +++ b/rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml @@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-30 modified: 2023-02-17 tags: - - attack.defense-evasion + - attack.stealth - attack.t1218.003 logsource: category: image_load 
diff --git a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml index c411030ce..478e360a0 100644 --- a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml +++ b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml @@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-06-01 modified: 2025-10-07 tags: - - attack.defense-evasion + - attack.defense-impairment logsource: category: image_load product: windows diff --git a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml index 02b023a57..74ae5259f 100644 --- a/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml +++ b/rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml @@ -11,8 +11,9 @@ date: 2020-07-15 modified: 2023-04-18 tags: - attack.persistence - - attack.defense-evasion - attack.privilege-escalation + - attack.execution + - attack.stealth - attack.t1574.001 logsource: category: image_load diff --git a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml index 7dc49b707..abcba931b 100644 --- a/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml +++ b/rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml @@ -9,7 +9,6 @@ date: 2022-08-14 modified: 2023-02-17 tags: - attack.credential-access - - attack.defense-evasion - attack.t1003.001 logsource: product: windows diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml index 1c8700fe7..11874aa16 100644 
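Review bot: The `image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml` hunk removes `attack.defense-evasion` without adding a replacement tactic, unlike almost every other hunk in this commit which swaps it for `attack.stealth` or `attack.defense-impairment`, leaving the rule tagged only with `attack.credential-access` / `attack.t1003.001`. The rule name indicates it keys on a renamed copy of comsvcs.dll, which is a masquerading signal, so if that is part of the detection intent the tactic should be carried over rather than dropped: `- attack.stealth` and `- attack.t1036.003` (the latter is still used on the new side of the `file_event_win_susp_homoglyph_filename.yml` hunk in this commit, so it exists in v19). If the drop is deliberate because the renamed-binary aspect is considered incidental, a short note in the PR description would make that clear.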
--- a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml +++ b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml @@ -17,9 +17,9 @@ author: Luc Génaux date: 2023-11-28 tags: - attack.impact - - attack.defense-evasion + - attack.defense-impairment - attack.t1486 - - attack.t1562.001 + - attack.t1685 logsource: category: image_load product: windows diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml index e665d2464..54424752e 100644 --- a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml +++ b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml @@ -18,9 +18,9 @@ date: 2023-11-28 modified: 2025-12-08 tags: - attack.impact - - attack.defense-evasion + - attack.defense-impairment - attack.t1486 - - attack.t1562.001 + - attack.t1685 logsource: category: image_load product: windows diff --git a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml index 6b550b274..8c38be485 100644 --- a/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml +++ b/rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml @@ -8,7 +8,7 @@ author: Greg (rule) date: 2022-06-17 modified: 2023-02-17 tags: - - attack.defense-evasion + - attack.stealth - attack.t1202 - cve.2022-30190 logsource: diff --git a/rules/windows/image_load/image_load_dll_tttracer_module_load.yml b/rules/windows/image_load/image_load_dll_tttracer_module_load.yml index b915e2ee9..e32810c82 100644 --- a/rules/windows/image_load/image_load_dll_tttracer_module_load.yml +++ b/rules/windows/image_load/image_load_dll_tttracer_module_load.yml @@ -10,8 +10,8 @@ author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' date: 2020-10-06 modified: 2022-12-02 tags: - - attack.defense-evasion - attack.credential-access + - attack.stealth - attack.t1218 - attack.t1003.001 logsource: 
diff --git a/rules/windows/image_load/image_load_dll_unsigned_node_load.yml b/rules/windows/image_load/image_load_dll_unsigned_node_load.yml index 3e95599eb..cf21d7001 100644 --- a/rules/windows/image_load/image_load_dll_unsigned_node_load.yml +++ b/rules/windows/image_load/image_load_dll_unsigned_node_load.yml @@ -16,7 +16,7 @@ tags: - attack.execution - attack.privilege-escalation - attack.persistence - - attack.defense-evasion + - attack.stealth - attack.t1129 - attack.t1574.001 - attack.t1036.005 diff --git a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml index 6ed043e0d..5bfd764bb 100644 --- a/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml @@ -17,7 +17,6 @@ author: Markus Neis, @markus_neis date: 2021-07-07 modified: 2025-07-11 tags: - - attack.defense-evasion - attack.impact - attack.t1490 logsource: diff --git a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml index d286fad96..8b7223d28 100644 --- a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml @@ -13,7 +13,6 @@ author: frack113 date: 2022-10-31 modified: 2025-10-17 tags: - - attack.defense-evasion - attack.impact - attack.t1490 logsource: diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml index 0af8d7918..562f5a957 100644 --- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml @@ -13,7 +13,6 @@ author: frack113 date: 2023-02-17 modified: 2025-12-03 tags: - - attack.defense-evasion - attack.impact - attack.t1490 logsource: 
diff --git a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml index c6f4f0f3b..ea2042aa5 100644 --- a/rules/windows/image_load/image_load_hktl_sharpevtmute.yml +++ b/rules/windows/image_load/image_load_hktl_sharpevtmute.yml @@ -11,8 +11,8 @@ author: Florian Roth (Nextron Systems) date: 2022-09-07 modified: 2024-11-23 tags: - - attack.defense-evasion - - attack.t1562.002 + - attack.defense-impairment + - attack.t1685.001 logsource: category: image_load product: windows diff --git a/rules/windows/image_load/image_load_office_powershell_dll_load.yml b/rules/windows/image_load/image_load_office_powershell_dll_load.yml index dc079ebdf..87df77582 100644 --- a/rules/windows/image_load/image_load_office_powershell_dll_load.yml +++ b/rules/windows/image_load/image_load_office_powershell_dll_load.yml @@ -7,7 +7,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-06-01 tags: - - attack.defense-evasion + - attack.stealth logsource: category: image_load product: windows diff --git a/rules/windows/image_load/image_load_side_load_7za.yml b/rules/windows/image_load/image_load_side_load_7za.yml index c25fde357..7ec3a71f7 100644 --- a/rules/windows/image_load/image_load_side_load_7za.yml +++ b/rules/windows/image_load/image_load_side_load_7za.yml @@ -7,9 +7,10 @@ references: author: X__Junior date: 2023-06-09 tags: - - attack.defense-evasion - attack.persistence - attack.privilege-escalation + - attack.execution + - attack.stealth - attack.t1574.001 logsource: category: image_load diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml index debca85c1..5dcc4b8f4 100644 --- a/rules/windows/image_load/image_load_side_load_antivirus.yml +++ b/rules/windows/image_load/image_load_side_load_antivirus.yml 
@@ -8,9 +8,10 @@ author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and r date: 2022-08-17 modified: 2025-10-07 tags: - - attack.defense-evasion - attack.persistence - attack.privilege-escalation + - attack.execution + - attack.stealth - attack.t1574.001 logsource: category: image_load diff --git a/rules/windows/image_load/image_load_side_load_appverifui.yml b/rules/windows/image_load/image_load_side_load_appverifui.yml index 6044538f1..a6e90fc8b 100644 --- a/rules/windows/image_load/image_load_side_load_appverifui.yml +++ b/rules/windows/image_load/image_load_side_load_appverifui.yml @@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems) date: 2023-06-20 tags: - attack.persistence - - attack.defense-evasion - attack.privilege-escalation + - attack.execution + - attack.stealth - attack.t1574.001 logsource: category: image_load diff --git a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml index 56fe989b8..2f3b8b9f0 100644 --- a/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml +++ b/rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml @@ -8,9 +8,10 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-22 modified: 2023-03-15 tags: - - attack.defense-evasion - attack.privilege-escalation - attack.persistence + - attack.execution + - attack.stealth - attack.t1574.001 logsource: category: image_load diff --git a/rules/windows/image_load/image_load_side_load_avkkid.yml b/rules/windows/image_load/image_load_side_load_avkkid.yml index f4052a4a0..e49aa82ce 100644 --- a/rules/windows/image_load/image_load_side_load_avkkid.yml +++ b/rules/windows/image_load/image_load_side_load_avkkid.yml 
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems) date: 2023-08-03 tags: - attack.persistence - - attack.defense-evasion - attack.privilege-escalation + - attack.execution + - attack.stealth - attack.t1574.001 logsource: category: image_load diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml index 54d61784f..8bea5b619 100644 --- a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml +++ b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml @@ -7,9 +7,10 @@ references: author: X__Junior (Nextron Systems) date: 2023-07-13 tags: - - attack.defense-evasion - attack.persistence - attack.privilege-escalation + - attack.execution + - attack.stealth - attack.t1574.001 logsource: category: image_load diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml index 24d13c972..121c991eb 100644 --- a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml +++ b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml @@ -7,9 +7,10 @@ references: author: X__Junior date: 2023-07-13 tags: - - attack.defense-evasion - attack.persistence - attack.privilege-escalation + - attack.execution + - attack.stealth - attack.t1574.001 logsource: category: image_load diff --git a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml index ae7c1211b..9819bd5df 100644 --- a/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml +++ b/rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml 
@@ -8,9 +8,10 @@ author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and r
date: 2022-08-17
modified: 2023-05-15
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
index 0dc646875..a0d5dd7cc 100644
--- a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
+++ b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
@@ -8,9 +8,10 @@ references:
author: frack113
date: 2022-12-13
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_comctl32.yml b/rules/windows/image_load/image_load_side_load_comctl32.yml
index 192c481c1..74b1f942f 100644
--- a/rules/windows/image_load/image_load_side_load_comctl32.yml
+++ b/rules/windows/image_load/image_load_side_load_comctl32.yml
@@ -9,9 +9,10 @@ author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_coregen.yml b/rules/windows/image_load/image_load_side_load_coregen.yml
index 64dc35a5a..d799259e4 100644
--- a/rules/windows/image_load/image_load_side_load_coregen.yml
+++ b/rules/windows/image_load/image_load_side_load_coregen.yml
@@ -8,7 +8,7 @@ author: frack113
date: 2022-12-31
tags:
- attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
- attack.t1055
logsource:
diff --git a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
index 02880444d..9b7bbc58a 100644
--- a/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml
@@ -12,9 +12,10 @@ author: Anish Bogati
date: 2024-01-09
modified: 2026-02-17
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/image_load/image_load_side_load_dbgcore.yml b/rules/windows/image_load/image_load_side_load_dbgcore.yml
index d601be7de..f8d2a7e2d 100644
--- a/rules/windows/image_load/image_load_side_load_dbgcore.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgcore.yml
@@ -8,9 +8,10 @@ author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and r
date: 2022-10-25
modified: 2025-10-06
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_dbghelp.yml b/rules/windows/image_load/image_load_side_load_dbghelp.yml
index b7d87720a..5a755a318 100644
--- a/rules/windows/image_load/image_load_side_load_dbghelp.yml
+++ b/rules/windows/image_load/image_load_side_load_dbghelp.yml
@@ -8,9 +8,10 @@ author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and r
date: 2022-10-25
modified: 2025-10-07
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_dbgmodel.yml b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
index 2a076e9f4..4829de648 100644
--- a/rules/windows/image_load/image_load_side_load_dbgmodel.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgmodel.yml
@@ -10,7 +10,8 @@ modified: 2024-07-22
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/image_load/image_load_side_load_eacore.yml b/rules/windows/image_load/image_load_side_load_eacore.yml
index e4fb13c02..6bbffc85a 100644
--- a/rules/windows/image_load/image_load_side_load_eacore.yml
+++ b/rules/windows/image_load/image_load_side_load_eacore.yml
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_edputil.yml b/rules/windows/image_load/image_load_side_load_edputil.yml
index 0be84bd96..5b2a8e39a 100644
--- a/rules/windows/image_load/image_load_side_load_edputil.yml
+++ b/rules/windows/image_load/image_load_side_load_edputil.yml
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 0308429fe..723e55656 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -12,9 +12,10 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2025-12-03
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_goopdate.yml b/rules/windows/image_load/image_load_side_load_goopdate.yml
index a92834ba1..cf73c66f8 100644
--- a/rules/windows/image_load/image_load_side_load_goopdate.yml
+++ b/rules/windows/image_load/image_load_side_load_goopdate.yml
@@ -9,8 +9,9 @@ date: 2023-05-15
modified: 2025-10-07
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
index b9f744a92..6ebc24ce0 100644
--- a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
+++ b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
@@ -7,9 +7,10 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_iviewers.yml b/rules/windows/image_load/image_load_side_load_iviewers.yml
index c22f86e34..0792d6d8a 100644
--- a/rules/windows/image_load/image_load_side_load_iviewers.yml
+++ b/rules/windows/image_load/image_load_side_load_iviewers.yml
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-03-21
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_jli.yml b/rules/windows/image_load/image_load_side_load_jli.yml
index 021b3cfdb..196c12677 100644
--- a/rules/windows/image_load/image_load_side_load_jli.yml
+++ b/rules/windows/image_load/image_load_side_load_jli.yml
@@ -14,9 +14,10 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-25
modified: 2025-10-06
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_jsschhlp.yml b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
index 3a44b1022..7f35c09a4 100644
--- a/rules/windows/image_load/image_load_side_load_jsschhlp.yml
+++ b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
@@ -8,9 +8,10 @@ references:
author: frack113
date: 2022-12-14
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_keyscrambler.yml b/rules/windows/image_load/image_load_side_load_keyscrambler.yml
index 6b3bca73a..cccb4d73c 100644
--- a/rules/windows/image_load/image_load_side_load_keyscrambler.yml
+++ b/rules/windows/image_load/image_load_side_load_keyscrambler.yml
@@ -17,8 +17,9 @@ author: Swachchhanda Shrawan Poudel
date: 2024-04-15
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_libvlc.yml b/rules/windows/image_load/image_load_side_load_libvlc.yml
index d29d5313e..42f052d39 100644
--- a/rules/windows/image_load/image_load_side_load_libvlc.yml
+++ b/rules/windows/image_load/image_load_side_load_libvlc.yml
@@ -8,9 +8,10 @@ references:
author: X__Junior
date: 2023-04-17
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_mfdetours.yml b/rules/windows/image_load/image_load_side_load_mfdetours.yml
index eef04981a..a25c7c7d3 100644
--- a/rules/windows/image_load/image_load_side_load_mfdetours.yml
+++ b/rules/windows/image_load/image_load_side_load_mfdetours.yml
@@ -8,8 +8,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
index fce67c510..5aeaf7e17 100644
--- a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
+++ b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
@@ -11,8 +11,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-11
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_mpsvc.yml b/rules/windows/image_load/image_load_side_load_mpsvc.yml
index 058fa4308..bdc1a3572 100644
--- a/rules/windows/image_load/image_load_side_load_mpsvc.yml
+++ b/rules/windows/image_load/image_load_side_load_mpsvc.yml
@@ -9,7 +9,8 @@ date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/image_load/image_load_side_load_mscorsvc.yml b/rules/windows/image_load/image_load_side_load_mscorsvc.yml
index 15de52ddb..6e78f060d 100644
--- a/rules/windows/image_load/image_load_side_load_mscorsvc.yml
+++ b/rules/windows/image_load/image_load_side_load_mscorsvc.yml
@@ -10,7 +10,8 @@ modified: 2025-02-26
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
index 67a279e64..bd577ef9a 100644
--- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
@@ -26,9 +26,10 @@ author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
date: 2022-12-09
modified: 2026-01-24
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_office_dlls.yml b/rules/windows/image_load/image_load_side_load_office_dlls.yml
index 023f4d668..39ca71f01 100644
--- a/rules/windows/image_load/image_load_side_load_office_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_office_dlls.yml
@@ -8,9 +8,10 @@ author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and r
date: 2022-08-17
modified: 2023-03-15
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_python.yml b/rules/windows/image_load/image_load_side_load_python.yml
index 920437331..72893d971 100644
--- a/rules/windows/image_load/image_load_side_load_python.yml
+++ b/rules/windows/image_load/image_load_side_load_python.yml
@@ -12,7 +12,8 @@ modified: 2025-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_rcdll.yml b/rules/windows/image_load/image_load_side_load_rcdll.yml
index 610e53d92..ac27377f5 100644
--- a/rules/windows/image_load/image_load_side_load_rcdll.yml
+++ b/rules/windows/image_load/image_load_side_load_rcdll.yml
@@ -9,8 +9,9 @@ date: 2023-03-13
modified: 2023-03-15
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
index 9628b7c7b..d72046ad8 100644
--- a/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
+++ b/rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
index ac675c66b..e2fb8b141 100644
--- a/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
+++ b/rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_robform.yml b/rules/windows/image_load/image_load_side_load_robform.yml
index e1973606c..e64c3b0f1 100644
--- a/rules/windows/image_load/image_load_side_load_robform.yml
+++ b/rules/windows/image_load/image_load_side_load_robform.yml
@@ -10,8 +10,9 @@ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-14
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml b/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml
index 6893ba0b2..57c398d6d 100644
--- a/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml
+++ b/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml
@@ -13,9 +13,10 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_shelldispatch.yml b/rules/windows/image_load/image_load_side_load_shelldispatch.yml
index 23a5373e6..bb497c35d 100644
--- a/rules/windows/image_load/image_load_side_load_shelldispatch.yml
+++ b/rules/windows/image_load/image_load_side_load_shelldispatch.yml
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_smadhook.yml b/rules/windows/image_load/image_load_side_load_smadhook.yml
index f60ff84a4..83174a6c1 100644
--- a/rules/windows/image_load/image_load_side_load_smadhook.yml
+++ b/rules/windows/image_load/image_load_side_load_smadhook.yml
@@ -9,8 +9,9 @@ author: X__Junior (Nextron Systems)
date: 2023-06-01
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
index 975b72807..ee981f508 100644
--- a/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
+++ b/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-05-07
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_third_party.yml b/rules/windows/image_load/image_load_side_load_third_party.yml
index 62dd9ba4b..1fc81b404 100644
--- a/rules/windows/image_load/image_load_side_load_third_party.yml
+++ b/rules/windows/image_load/image_load_side_load_third_party.yml
@@ -7,9 +7,10 @@ references:
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_ualapi.yml b/rules/windows/image_load/image_load_side_load_ualapi.yml
index c1f454cf6..f75014c7d 100644
--- a/rules/windows/image_load/image_load_side_load_ualapi.yml
+++ b/rules/windows/image_load/image_load_side_load_ualapi.yml
@@ -10,7 +10,8 @@ modified: 2022-06-02
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_vcruntime140.yml b/rules/windows/image_load/image_load_side_load_vcruntime140.yml
index 54cdb6ab2..0cad24954 100644
--- a/rules/windows/image_load/image_load_side_load_vcruntime140.yml
+++ b/rules/windows/image_load/image_load_side_load_vcruntime140.yml
@@ -12,9 +12,10 @@ references:
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
index 0ceb195e7..525197d5b 100644
--- a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
+++ b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
index f5320dadc..c76da4f53 100644
--- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml
+++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
@@ -7,9 +7,10 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml
index 5ca877662..11466c9c6 100644
--- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml
+++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml
@@ -10,9 +10,10 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml
index 936139e5c..48dff189e 100644
--- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml
+++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml
@@ -11,9 +11,10 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
modified: 2023-09-05
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
index ade77083e..e4cde0c60 100644
--- a/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
+++ b/rules/windows/image_load/image_load_side_load_vmware_xfer.yml
@@ -10,7 +10,8 @@ modified: 2023-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/image_load/image_load_side_load_waveedit.yml b/rules/windows/image_load/image_load_side_load_waveedit.yml
index 3984fab9a..b1452cb41 100644
--- a/rules/windows/image_load/image_load_side_load_waveedit.yml
+++ b/rules/windows/image_load/image_load_side_load_waveedit.yml
@@ -8,8 +8,9 @@ author: X__Junior (Nextron Systems)
date: 2023-06-14
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_wazuh.yml b/rules/windows/image_load/image_load_side_load_wazuh.yml
index 5bfe4a601..d576016fc 100644
--- a/rules/windows/image_load/image_load_side_load_wazuh.yml
+++ b/rules/windows/image_load/image_load_side_load_wazuh.yml
@@ -8,9 +8,10 @@ author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-05-12
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_side_load_windows_defender.yml b/rules/windows/image_load/image_load_side_load_windows_defender.yml
index 08c37f904..4422765e5 100644
--- a/rules/windows/image_load/image_load_side_load_windows_defender.yml
+++ b/rules/windows/image_load/image_load_side_load_windows_defender.yml
@@ -13,7 +13,8 @@ modified: 2023-08-04
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/image_load/image_load_side_load_wwlib.yml b/rules/windows/image_load/image_load_side_load_wwlib.yml
index 95f22de97..191483cd5 100644
--- a/rules/windows/image_load/image_load_side_load_wwlib.yml
+++ b/rules/windows/image_load/image_load_side_load_wwlib.yml
@@ -10,8 +10,9 @@ author: X__Junior (Nextron Systems)
date: 2023-05-18
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_susp_baaupdate_dll_load.yml b/rules/windows/image_load/image_load_susp_baaupdate_dll_load.yml
index 31e99ed58..11be87a52 100644
--- a/rules/windows/image_load/image_load_susp_baaupdate_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_baaupdate_dll_load.yml
@@ -13,7 +13,7 @@ references:
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1021.003
diff --git a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
index d6f8dd14e..ad36e995d 100644
--- a/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
+++ b/rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml
@@ -8,8 +8,9 @@ author: '@SerkinValery'
date: 2023-06-08
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.persistence
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index 0c7e23829..7702537d3 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2023-09-18
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070
logsource:
product: windows
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index fc408cdc5..47d121b76 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -12,7 +12,7 @@ author: Patrick St. John, OTR (Open Threat Research)
date: 2020-05-03
modified: 2025-08-18
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027.002
logsource:
product: windows
diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
index ff993e82c..24120c6e9 100644
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
@@ -11,9 +11,9 @@ author: omkar72, oscd.community
date: 2020-10-14
modified: 2023-02-23
tags:
- - attack.defense-evasion
- attack.execution
- attack.privilege-escalation
+ - attack.stealth
- attack.t1055
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_susp_unsigned_dll.yml b/rules/windows/image_load/image_load_susp_unsigned_dll.yml
index 5987d09c4..000b2bfbe 100644
--- a/rules/windows/image_load/image_load_susp_unsigned_dll.yml
+++ b/rules/windows/image_load/image_load_susp_unsigned_dll.yml
@@ -12,9 +12,9 @@ author: Swachchhanda Shrawan Poudel
date: 2024-02-28
modified: 2025-10-07
tags:
+ - attack.stealth
- attack.t1218.011
- attack.t1218.010
- - attack.defense-evasion
logsource:
product: windows
category: image_load
diff --git a/rules/windows/image_load/image_load_thor_unsigned_execution.yml b/rules/windows/image_load/image_load_thor_unsigned_execution.yml
index 49d671b22..2b0095373 100644
--- a/rules/windows/image_load/image_load_thor_unsigned_execution.yml
+++ b/rules/windows/image_load/image_load_thor_unsigned_execution.yml
@@ -9,7 +9,8 @@ date: 2023-10-29
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: image_load
diff --git a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
index e2537d28b..fbffe928e 100644
--- a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
@@ -9,7 +9,6 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2022-07-25
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.002
logsource:
diff --git a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
index 05925f10f..21149eed3 100644
--- a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
@@ -9,8 +9,9 @@ date: 2020-10-06
modified: 2022-12-25
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1548.002
- attack.t1574.001
logsource:
diff --git a/rules/windows/image_load/image_load_win_mmc_loads_script_engine_dll.yml b/rules/windows/image_load/image_load_win_mmc_loads_script_engine_dll.yml
index a75549c00..7e4996426 100644
--- a/rules/windows/image_load/image_load_win_mmc_loads_script_engine_dll.yml
+++ b/rules/windows/image_load/image_load_win_mmc_loads_script_engine_dll.yml
@@ -11,7 +11,7 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
- attack.t1059.005
- attack.t1218.014
logsource:
diff --git a/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml b/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml
index 57685d400..fcd43b49e 100644
--- a/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml
+++ b/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml
@@ -16,9 +16,9 @@ date: 2025-11-27 modified: 2026-01-09 tags: - attack.credential-access
+ - attack.defense-impairment - attack.t1003
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.t1685 logsource: category: image_load product: windows
diff --git a/rules/windows/image_load/image_load_win_trusted_path_bypass.yml b/rules/windows/image_load/image_load_win_trusted_path_bypass.yml
index 2b8d5828a..277aa13bb 100644
--- a/rules/windows/image_load/image_load_win_trusted_path_bypass.yml
+++ b/rules/windows/image_load/image_load_win_trusted_path_bypass.yml
@@ -13,8 +13,9 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-06-17 tags: - attack.persistence
- - attack.defense-evasion - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth - attack.t1574.007 - attack.t1548.002 logsource:
diff --git a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
index ab56a10d0..9796a3975 100644
--- a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
+++ b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
@@ -17,7 +17,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-10-17 modified: 2022-10-13 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1220 logsource: category: image_load
diff --git a/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml b/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
index 9b50abcc3..db81155dc 100644
--- a/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
+++ b/rules/windows/network_connection/net_connection_win_addinutil_initiated.yml
@@ -10,7 +10,7 @@ author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) date: 2023-09-18 modified: 2024-07-16 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1218 logsource: category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml
index a0dbaff15..18a1ab78f 100644
--- a/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-30 modified: 2024-05-31 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1218.003 logsource: category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_notepad.yml b/rules/windows/network_connection/net_connection_win_notepad.yml
index 2f999dcba..9a0f2eae9 100644
--- a/rules/windows/network_connection/net_connection_win_notepad.yml
+++ b/rules/windows/network_connection/net_connection_win_notepad.yml
@@ -15,7 +15,7 @@ tags: - attack.privilege-escalation - attack.command-and-control - attack.execution
- - attack.defense-evasion
+ - attack.stealth - attack.t1055 logsource: category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
index e8b4edfba..00a0180d9 100644
--- a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml
@@ -8,8 +8,8 @@ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2023-07-12 modified: 2025-10-17 tags:
- - attack.defense-evasion - attack.command-and-control
+ - attack.stealth logsource: category: network_connection product: windows
diff --git a/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml b/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml
index a83a6e0c4..6c062ded6 100644
--- a/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml
@@ -9,7 +9,7 @@ references: author: frack113 date: 2024-04-25 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1218.009 logsource: category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
index 5dbeb0252..16d1d8685 100644
--- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
@@ -10,8 +10,8 @@ date: 2019-10-25 modified: 2023-09-18 tags: - attack.execution
+ - attack.stealth - attack.t1559.001
- - attack.defense-evasion - attack.t1218.010 logsource: category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
index d00b4686a..d92f2dcb0 100755
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems) date: 2017-11-04 modified: 2024-03-13 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1218.011 - attack.execution logsource:
diff --git a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
index 62de6a988..96f5e7e42 100644
--- a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
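Review bot: In `net_connection_win_rundll32_net_connections.yml` the rewritten list now reads `attack.stealth`, `attack.t1218.011`, `attack.execution`, leaving a tactic tag after a technique tag even though the commit is already editing that list; as far as I recall the Sigma rule conventions list tactic tags before technique tags, so moving `- attack.execution` up next to `- attack.stealth` would bring the file in line at no extra cost. The same interleaving survives the retag in `net_connection_win_susp_outbound_mobsync_connection.yml` (execution after t1055/t1218), `posh_ps_amsi_bypass_pattern_nov22.yml` (execution after t1685) and every `posh_pm_invoke_obfuscation_*` / `posh_ps_invoke_obfuscation_*` rule (stealth, t1027, execution, t1059.001); since all of them are touched here, normalising the order in this PR avoids a second pass over the same files.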
@@ -9,7 +9,7 @@ date: 2020-10-11 modified: 2022-10-05 tags: - attack.execution
- - attack.defense-evasion
+ - attack.stealth - attack.t1127.001 logsource: category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
index e262eb9d2..fb1587943 100644
--- a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
@@ -7,7 +7,7 @@ references: author: Florian Roth (Nextron Systems) date: 2022-07-03 tags:
- - attack.defense-evasion
+ - attack.stealth logsource: category: network_connection product: windows
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
index 972faa404..46380d22f 100755
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
@@ -12,7 +12,6 @@ author: Ilyas Ochkov, oscd.community date: 2019-10-24 modified: 2024-03-15 tags:
- - attack.defense-evasion - attack.credential-access - attack.t1558 - attack.lateral-movement
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
index 5bc9e0718..9901a4cd1 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
@@ -9,10 +9,10 @@ date: 2022-04-28 modified: 2024-03-12 tags: - attack.privilege-escalation
+ - attack.stealth - attack.t1055 - attack.t1218 - attack.execution
- - attack.defense-evasion logsource: product: windows category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
index 01839c496..b531f2aef 100644
--- a/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml
@@ -8,9 +8,9 @@ author: Christopher Peacock @securepeacock, SCYTHE @scythe_io date: 2023-04-28 modified: 2024-03-12 tags:
- - attack.defense-evasion - attack.execution - attack.command-and-control
+ - attack.stealth - attack.t1218.011 logsource: category: network_connection
diff --git a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
index dcf35177a..18468209c 100644
--- a/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
@@ -10,8 +10,8 @@ author: X__Junior (Nextron Systems) date: 2023-07-12 modified: 2023-12-15 tags:
- - attack.defense-evasion - attack.command-and-control
+ - attack.stealth logsource: category: network_connection product: windows
diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
index 523e8bff0..4aa5f26d6 100644
--- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
@@ -10,7 +10,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-10-12 modified: 2024-03-12 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1218 logsource: category: network_connection
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
index 4c9fb5a0a..6caa534d5 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
@@ -17,8 +17,8 @@ author: Florian Roth (Nextron Systems), Wojciech Lesicki date: 2021-05-25 modified: 2022-10-31 tags:
- - attack.defense-evasion - attack.privilege-escalation
+ - attack.stealth - attack.t1055 logsource: product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml
index 696f89a81..f5b4a5b8a 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml
@@ -14,8 +14,8 @@ author: Florian Roth (Nextron Systems) date: 2021-07-30 modified: 2022-12-31 tags:
- - attack.defense-evasion - attack.privilege-escalation
+ - attack.stealth - attack.t1055 logsource: product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
index 25fa2b5eb..4b0d34a26 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
@@ -14,8 +14,8 @@ author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2021-07-30 modified: 2024-01-26 tags:
- - attack.defense-evasion - attack.privilege-escalation
+ - attack.stealth - attack.t1055 - stp.1k logsource:
diff --git a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
index 986444a2c..53aa928e6 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml
@@ -8,8 +8,8 @@ references: author: Florian Roth (Nextron Systems) date: 2023-10-11 tags:
- - attack.defense-evasion - attack.privilege-escalation
+ - attack.stealth - attack.t1055 logsource: product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
index f652759ce..fe697b688 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml
@@ -9,8 +9,8 @@ author: Florian Roth (Nextron Systems) date: 2021-08-23 modified: 2023-12-21 tags:
- - attack.defense-evasion - attack.privilege-escalation
+ - attack.stealth - attack.t1055 logsource: product: windows
diff --git a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
index da13d9652..01f7e418c 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml
@@ -8,9 +8,9 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-08 modified: 2023-08-07 tags:
- - attack.defense-evasion - attack.privilege-escalation - attack.credential-access
+ - attack.stealth - attack.t1528 - attack.t1134.001 logsource:
diff --git a/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml b/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml
index 5b59086a0..b2d1f34de 100644
--- a/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml
+++ b/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml
@@ -19,8 +19,8 @@ author: Florian Roth (Nextron Systems), blueteam0ps, elhoim date: 2017-11-06 modified: 2023-08-07 tags:
- - attack.defense-evasion - attack.privilege-escalation
+ - attack.stealth - attack.t1055 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index 5cdf48d1f..4011cadf1 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -8,7 +8,6 @@ author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improve date: 2017-03-22 modified: 2023-10-27 tags:
- - attack.defense-evasion - attack.execution - attack.t1059.001 logsource:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index ff8dcf7b8..fae464fb3 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -8,7 +8,6 @@ author: Sean Metcalf (source), Florian Roth (Nextron Systems) date: 2017-03-05 modified: 2023-10-27 tags:
- - attack.defense-evasion - attack.execution - attack.t1059.001 logsource:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml
index 3194b0bf0..548ffc0fd 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml
@@ -16,7 +16,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2021-07-13 modified: 2023-05-09 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1218 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index ad7fc9eeb..7459c3149 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -10,7 +10,7 @@ date: 2020-06-29 modified: 2025-01-20 tags: - attack.execution
- - attack.defense-evasion
+ - attack.stealth - attack.t1059.001 - attack.t1036.003 logsource:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
index a00c14eb8..7c3474f7c 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
@@ -11,8 +11,8 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2021-06-07 modified: 2024-01-02 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685 logsource: product: windows category: ps_classic_provider_start
diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index 9c3786d0f..d6ff85457 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -11,7 +11,7 @@ author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community date: 2019-10-25 modified: 2022-12-02 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1070.003 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
index d32d2da43..169c0642d 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
@@ -12,7 +12,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-05-02 modified: 2022-12-25 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1140 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index e98b23275..3d32bd1cf 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -11,7 +11,7 @@ author: Jonathan Cheong, oscd.community date: 2020-10-13 modified: 2024-04-05 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index c5e142a20..3c25a47a3 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -11,7 +11,7 @@ author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019-11-08 modified: 2022-12-31 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index e3e44252f..870a44f28 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -11,7 +11,7 @@ author: Jonathan Cheong, oscd.community date: 2020-10-15 modified: 2024-04-05 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index b6a26623b..20a07b320 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -11,7 +11,7 @@ author: Jonathan Cheong, oscd.community date: 2020-10-15 modified: 2024-04-05 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
index 9aee02152..aea7add1a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
@@ -11,7 +11,7 @@ author: Timur Zinniatullin, oscd.community date: 2020-10-18 modified: 2022-11-29 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
index bd9360ea6..76a635054 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
@@ -11,7 +11,7 @@ author: Timur Zinniatullin, oscd.community date: 2020-10-18 modified: 2022-11-29 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
index c5347f19d..efaa290f8 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
@@ -11,7 +11,7 @@ author: Nikita Nazarov, oscd.community date: 2020-10-12 modified: 2024-04-05 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
index 79bc122e4..2cc2f7796 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
@@ -11,7 +11,7 @@ author: Nikita Nazarov, oscd.community date: 2020-10-09 modified: 2024-04-05 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
index 940888d10..40ae20b2e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
@@ -11,7 +11,7 @@ author: Nikita Nazarov, oscd.community date: 2020-10-08 modified: 2023-01-04 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
index 158e22d32..8e2531340 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
@@ -11,7 +11,7 @@ author: Nikita Nazarov, oscd.community date: 2019-10-08 modified: 2022-11-29 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
index e6d4d3f88..ae1c2d85c 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
@@ -11,7 +11,7 @@ author: Timur Zinniatullin, oscd.community date: 2020-10-13 modified: 2024-04-05 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
index 636653cc3..3a2da47aa 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
@@ -16,7 +16,7 @@ author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2021-07-13 modified: 2023-05-09 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1218 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
index 5e379cee3..4ec873c1b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
@@ -12,8 +12,8 @@ date: 2022-02-21 tags: - attack.privilege-escalation - attack.persistence
- - attack.defense-evasion - attack.initial-access
+ - attack.stealth - attack.t1078 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
index 055c015eb..f9ff77a38 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
@@ -13,7 +13,7 @@ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' date: 2020-10-05 modified: 2022-12-02 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1218 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
index c9f3c473a..c49daf52a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml
@@ -8,8 +8,8 @@ references: author: Florian Roth (Nextron Systems) date: 2022-11-09 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685 - attack.execution logsource: product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
index cd0093f33..ad4d8ae76 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml
@@ -11,8 +11,8 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-04 modified: 2023-05-09 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685 logsource: product: windows category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
index 508ec7b6d..6cb8708f7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -11,7 +11,7 @@ author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community date: 2022-01-25 modified: 2022-12-02 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1070.003 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
index ca0993df1..244321d7c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
@@ -10,7 +10,7 @@ author: Austin Songer @austinsonger date: 2021-11-25 modified: 2022-12-25 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1070 - attack.t1070.003 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
index 1ddfaa7ad..a37e30ff4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
@@ -9,8 +9,8 @@ date: 2021-12-27 modified: 2024-01-22 tags: - attack.persistence
- - attack.defense-evasion - attack.credential-access
+ - attack.defense-impairment - attack.t1556.002 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
index e1593fb84..ddafdb6c3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
@@ -13,8 +13,9 @@ author: frack113 date: 2021-12-30 tags: - attack.privilege-escalation
- - attack.defense-evasion - attack.persistence
+ - attack.execution
+ - attack.stealth - attack.t1574.012 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml b/rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml
index d8f4d1654..beb4bd3ca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml
@@ -19,8 +19,8 @@ date: 2025-05-24 tags: - attack.privilege-escalation - attack.initial-access
- - attack.defense-evasion - attack.persistence
+ - attack.stealth - attack.t1078.002 - attack.t1098 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
index 20798897b..63b428545 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
@@ -12,7 +12,7 @@ date: 2021-08-03 modified: 2022-03-03 tags: - attack.discovery
- - attack.defense-evasion
+ - attack.stealth - attack.t1497.001 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
index 16ef6d8a0..c3751268d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
@@ -7,7 +7,7 @@ references: author: Ali Alwashali date: 2022-08-21 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1070.003 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
index 549bdc963..20d7b907e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
@@ -10,8 +10,8 @@ references: author: frack113 date: 2022-09-10 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685 logsource: product: windows category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
index 42ff73e01..fa6f001cf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
@@ -7,7 +7,7 @@ references: author: frack113 date: 2022-12-25 tags:
- - attack.defense-evasion
+ - attack.stealth - attack.t1620 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml
index f0d5f0203..540e99e2c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml
@@ -15,7 +15,7 @@ author: frack113 date: 2022-09-10 modified: 2022-12-29 tags:
- - attack.defense-evasion
+ - attack.stealth logsource: product: windows category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
index 73a9f778e..71db32b9d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
@@ -11,9 +11,10 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-06-28 modified: 2022-11-25 tags:
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment - attack.t1070
- - attack.t1562.006
+ - attack.t1685 - car.2016-04-002 logsource: product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
index 10c2b77b8..90276e39a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
@@ -12,8 +12,9 @@ author: frack113
 date: 2021-12-30
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1574.011
 - stp.2a
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
index e89106894..1c525bf0d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
@@ -12,7 +12,6 @@ references:
 author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2023-04-27
 tags:
- - attack.defense-evasion
 - attack.credential-access
 - attack.t1003
 - attack.t1558.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
index c03ea5301..f33de1705 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
@@ -16,7 +16,6 @@ references:
 - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
 tags:
 - attack.credential-access
- - attack.defense-evasion
 - attack.discovery
 - attack.execution
 - attack.privilege-escalation
diff --git a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
index 2cdcd8875..6ce8ad6f9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
@@ -14,7 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-31
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: windows
 category: ps_script
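Review bot: The get_acl_service hunk adds `attack.execution` as a new tactic, which goes beyond replacing `attack.defense-evasion` with `attack.stealth`; the rule's technique tag `attack.t1574.011` is unchanged, so the added tactic should be checked against T1574.011's v19 tactic list rather than carried over from the rename. The same addition appears in the susp_service_dacl_modification_set_service and using_set_service_to_hide_services hunks further down this chunk. If the mapping is correct it is worth a sentence in the commit description, since a newly added execution tactic changes how downstream tooling buckets these three rules.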
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index 426ffdf1d..f7c6c1be4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -8,7 +8,7 @@ author: Jonathan Cheong, oscd.community
 date: 2020-10-13
 modified: 2024-04-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index f0ab351d1..6316f2eab 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
@@ -8,7 +8,7 @@ author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
 date: 2019-11-08
 modified: 2022-12-31
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 30647587e..2dc5c5b77 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -8,7 +8,7 @@ author: Jonathan Cheong, oscd.community
 date: 2020-10-15
 modified: 2024-04-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index 89f261986..a579a6716 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -8,7 +8,7 @@ author: Jonathan Cheong, oscd.community
 date: 2020-10-15
 modified: 2024-04-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index 77c4fabb6..241eaa06a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -8,7 +8,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2020-10-18
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
index afb1a74a4..e866b86a4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
@@ -8,7 +8,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2020-10-18
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index d2054c497..ced6bf98d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community
 date: 2020-10-12
 modified: 2024-04-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index 30be1457e..74b44d781 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community
 date: 2020-10-09
 modified: 2024-04-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index d067fb3d3..7bf6c9906 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
@@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community
 date: 2020-10-08
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
index eb45ff619..f3432db5a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
@@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community
 date: 2019-10-08
 modified: 2022-11-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index ce008e13f..57ae13307 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -8,7 +8,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2020-10-13
 modified: 2024-04-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml b/rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml
index 9834ca5ca..bdfba2754 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml
@@ -13,9 +13,9 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-05-24
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.persistence
 - attack.initial-access
+ - attack.stealth
 - attack.t1078.002
 - attack.t1098
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
index a9ec8b80f..f8a740e12 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
@@ -10,8 +10,8 @@ references:
 author: frack113
 date: 2022-08-19
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.defense-impairment
 - attack.t1484.001
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index a711e434d..08f0a0293 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -9,7 +9,7 @@ author: Sami Ruohonen
 date: 2018-07-24
 modified: 2022-12-25
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.004
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
index 4eaa754bd..23e15fdd5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml
@@ -15,7 +15,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
index 931335596..b16bac9e0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
@@ -8,7 +8,7 @@ author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
 date: 2020-10-10
 modified: 2022-12-02
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.004
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
index be52955d5..b8c04c83d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
@@ -8,7 +8,7 @@ references:
 author: frack113
 date: 2022-02-01
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
index f84e60065..aee40e9b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml
@@ -14,7 +14,7 @@ references:
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-18
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1222
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
index 0634508bf..c56563832 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml
@@ -15,7 +15,7 @@ references:
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-18
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1222
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index 3e8d10bb1..66d2c686c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -8,8 +8,8 @@ author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
 date: 2018-11-17
 modified: 2024-01-25
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
index 27e19fa41..c6d2f0fe0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2021-09-02
 modified: 2022-12-25
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
index d9dd0139a..ab2729fd9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-05
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.defense-impairment
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
index 6e07be999..2198be465 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
@@ -10,8 +10,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-09
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1027
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
index dffcf679a..62e07b2d2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
@@ -16,8 +16,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (
 date: 2022-09-12
 modified: 2025-10-06
 tags:
- - attack.defense-evasion
- - attack.t1070.001
+ - attack.defense-impairment
+ - attack.t1685.005
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
index 332bb627c..545246855 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
@@ -8,7 +8,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-21
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
index 887132e8d..170901ff3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
@@ -8,7 +8,7 @@ references:
 author: frack113
 date: 2022-04-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
index d7bf33fc4..15a002542 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2022-01-09
 modified: 2022-03-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
index 0e583178a..933be2a84 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
@@ -8,7 +8,7 @@ references:
 author: frack113
 date: 2022-02-01
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
index 8abed2e27..b8373ee1b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
@@ -8,7 +8,7 @@ author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
 date: 2020-10-08
 modified: 2025-10-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
index b1fc54d37..7861dfd03 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
@@ -12,8 +12,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-24
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
 - attack.t1574.011
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
index eb9262fb7..beb74da56 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
@@ -11,8 +11,8 @@ author: frack113
 date: 2023-01-08
 modified: 2025-10-22
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1027
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
index 8d786a3fe..f7528c4cf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
@@ -8,7 +8,7 @@ references:
 author: frack113
 date: 2022-01-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
index ecb923780..bc018508a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
@@ -8,7 +8,7 @@ references:
 author: frack113
 date: 2022-02-01
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.005
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
index c92d3e3d9..a97451c80 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
@@ -10,7 +10,7 @@ author: frack113, Tim Shelton (fp AWS)
 date: 2021-10-20
 modified: 2023-01-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
index 0fcb4965a..4227b6282 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-16
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
index 0f9c662e6..90bff7e75 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
@@ -13,7 +13,7 @@ author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
 date: 2020-10-05
 modified: 2022-12-25
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml
index 8b52a2f8f..26dd86379 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml
@@ -10,8 +10,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-05
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
index ceb86c199..60775596d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
@@ -13,8 +13,8 @@ author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan
 date: 2022-01-16
 modified: 2024-01-02
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
index 9ee1b1603..61a008ecd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
@@ -11,7 +11,7 @@ author: frack113
 date: 2021-08-03
 modified: 2022-12-25
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.006
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
index 4d359a9ff..4c7ef0204 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
@@ -12,8 +12,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-17
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
 - attack.t1574.011
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_vbscript_registry_modification.yml b/rules/windows/powershell/powershell_script/posh_ps_vbscript_registry_modification.yml
index 7c4cfe1e1..048f1e399 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_vbscript_registry_modification.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_vbscript_registry_modification.yml
@@ -17,9 +17,9 @@ references:
 date: 2025-08-13
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.execution
+ - attack.defense-impairment
 - attack.t1112
 - attack.t1059.005
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
index e04378b01..5ee963cbe 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-13
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 logsource:
 category: ps_script
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
index 19f6887f7..3d7aabed1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
@@ -7,7 +7,7 @@ references:
 author: frack113
 date: 2022-04-24
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.007
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
index 79fa2ee1d..6f426d7ac 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
@@ -11,8 +11,8 @@ author: Tim Rauch, Elastic (idea)
 date: 2022-09-16
 modified: 2022-11-26
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
index beb48f129..3da8e7947 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
@@ -15,8 +15,8 @@ author: Austin Songer @austinsonger
 date: 2021-10-12
 modified: 2022-12-30
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
index 80bcb9136..4c3b2ff5c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
@@ -12,7 +12,7 @@ references:
 author: frack113
 date: 2022-12-23
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.004
 logsource:
 product: windows
diff --git a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
index 7dc77b126..64f931bb7 100755
--- a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
+++ b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
@@ -8,7 +8,7 @@ author: Nik Seetharaman
 date: 2018-07-16
 modified: 2021-06-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.003
 - attack.execution
 - attack.t1559.001
diff --git a/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
index c200b011f..d008638b7 100644
--- a/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
@@ -10,9 +10,9 @@ date: 2021-08-04
 modified: 2023-11-28
 tags:
 - attack.execution
+ - attack.defense-impairment
 - attack.t1106
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.t1685
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
index 6b899fc26..ae7c6a4a2 100644
--- a/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
@@ -10,7 +10,6 @@ modified: 2023-11-28
 tags:
 - attack.execution
 - attack.t1106
- - attack.defense-evasion
 - attack.t1003.001
 - attack.credential-access
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
index 5b68dfe5f..a5ae7f65b 100644
--- a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
@@ -8,9 +8,9 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-09
 modified: 2023-11-28
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1204.002
 - attack.t1055.003
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml b/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
index f8a12a2da..716aa13d2 100644
--- a/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
@@ -10,8 +10,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-09-07
 modified: 2023-11-28
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml b/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
index c0a79444d..58a1e7c04 100644
--- a/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
+++ b/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
@@ -8,8 +8,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2024-05-27
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055.011
 logsource:
 category: process_access
diff --git a/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml b/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml
index e01e1644e..8118d1b65 100644
--- a/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml
+++ b/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml
@@ -15,9 +15,9 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-11-27
 tags:
 - attack.credential-access
+ - attack.defense-impairment
 - attack.t1003.001
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.t1685
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
index 69eaedb8a..303d1d51d 100644
--- a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
@@ -8,7 +8,6 @@ author: Florent Labouyrie
 date: 2021-04-30
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml b/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
index 6c2323dcd..b570026dd 100644
--- a/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
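Review bot: The proc_access_win_svchost_credential_dumping.yml hunk removes `attack.defense-evasion` without adding `attack.stealth` or `attack.defense-impairment`, leaving `attack.t1548` under `attack.privilege-escalation` alone, whereas most hunks in this PR replace the tactic rather than drop it. The two proc_access_win_uac_bypass_* hunks on the next line do the same for `attack.t1548.002`. If v19 no longer lists that technique under a defense-evasion successor tactic this is correct; otherwise one of the two new tactic tags should be added so the rule keeps its dual-tactic mapping.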
@@ -9,8 +9,8 @@ author: Tim Burrell
 date: 2020-01-02
 modified: 2023-01-30
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml b/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
index 987d861b3..2df7e37b0 100644
--- a/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
+++ b/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
@@ -9,7 +9,6 @@ author: oscd.community, Dmitry Uchakin
 date: 2020-10-07
 modified: 2023-11-30
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
index 9f7066aa1..48ff67887 100644
--- a/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
+++ b/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml b/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml
index be9bf1483..74ff854b5 100644
--- a/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml
+++ b/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml
@@ -14,8 +14,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-11-27
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_access
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
index 8450812a7..24aab1985 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
@@ -8,7 +8,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
 date: 2023-09-18
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
index c70f6ce80..cd457f4aa 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
@@ -8,7 +8,7 @@ references:
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
 date: 2023-09-18
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
index ae897ea9b..c26ef5ef7 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
@@ -8,7 +8,7 @@ references:
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
 date: 2023-09-18
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
index 1f5477b82..d20fb3519 100644
--- a/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
@@ -8,7 +8,7 @@ author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
 date: 2023-09-18
 modified: 2025-02-24
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
index 5f21e01d0..c43b442d5 100644
--- a/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml
@@ -10,7 +10,6 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-09
 modified: 2023-06-23
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.credential-access
 - attack.t1003.001
diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
index 182896e7d..96d0aad83 100644
--- a/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml
@@ -14,7 +14,7 @@ references:
 date: 2022-12-24
 modified: 2024-08-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
index 062ae65ff..99bdeb6b4 100644
--- a/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml
@@ -14,7 +14,7 @@ references:
 date: 2022-12-24
 modified: 2024-08-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering.yml b/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering.yml
index 3fc2edc42..469bf7338 100644
--- a/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering.yml
@@ -15,9 +15,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-12-25
 tags:
- - attack.defense-evasion
- - attack.t1562.001
- - attack.t1562.006
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
index cbe99b2c0..34ccb67ed 100644
--- a/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
@@ -12,8 +12,8 @@ author: Sreeman
 date: 2020-03-13
 modified: 2023-11-09
 tags:
+ - attack.stealth
 - attack.t1218
- - attack.defense-evasion
 - attack.execution
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml
index b515732dc..c84ae9809 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml
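Review bot: The proc_creation_win_amsi_registry_tampering.yml hunk folds two distinct sub-techniques, `attack.t1562.001` and `attack.t1562.006`, into the single parent tag `attack.t1685`, so the rule no longer records that it covered indicator blocking in addition to tool tampering. If v19 provides sub-techniques for either, keeping both preserves the coverage the original author mapped; if it does not, a one-line note in the rule description explaining the consolidation would help the next maintainer who diffs tag coverage across versions. The hunk header `-15,9 +15,8` is consistent with the three removals and two additions.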
@@ -16,7 +16,8 @@ author: frack113
 date: 2021-11-24
 modified: 2025-02-24
 tags:
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
index b23cbc093..ff2c4778f 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
@@ -15,7 +15,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-14
 tags:
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
index 49f973a51..b4296b132 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
@@ -16,7 +16,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-14
 modified: 2025-02-24
 tags:
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml b/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml
index 4bc4bd394..3d5734cba 100644
--- a/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml
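Review bot: All three aspnet_compiler hunks on this line add a new `attack.execution` tactic tag next to the unchanged `attack.t1127` technique, which a tag-migration commit does not explain by itself; a tactic tag that none of the rule's techniques belongs to misleads consumers that derive tactics from techniques, so confirm that v19 actually lists that technique under Execution before merging. The proc_creation_win_bitsadmin_* hunks further down add `attack.execution` next to `attack.t1197` in the same way, and the same confirmation applies there.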
@@ -9,7 +9,7 @@ author: Mateusz Wydra, oscd.community
 date: 2020-10-12
 modified: 2024-03-06
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
index 269778d1b..a849376b7 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
@@ -9,7 +9,7 @@ author: Sami Ruohonen
 date: 2019-01-16
 modified: 2023-03-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
index ecdf6b7bd..9b41483f1 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
@@ -14,7 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-28
 modified: 2023-03-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml b/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
index 42071ee0e..b9e258205 100644
--- a/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
@@ -13,8 +13,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2021-12-18
 modified: 2023-02-21
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
index 5a340da7e..484b02a5d 100644
--- a/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
@@ -13,8 +13,8 @@ author: Janantha Marasinghe (https://github.com/blueteam0ps)
 date: 2021-02-02
 modified: 2023-02-22
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification.yml b/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification.yml
index a33e44e7d..aa07dbb48 100644
--- a/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification.yml
@@ -16,8 +16,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-12-25
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_baaupdate_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_baaupdate_susp_child_process.yml
index a87d440b3..0d64757a5 100644
--- a/rules/windows/process_creation/proc_creation_win_baaupdate_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_baaupdate_susp_child_process.yml
@@ -12,7 +12,7 @@ references:
 author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-10-18
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.lateral-movement
 - attack.t1021.003
diff --git a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
index 0540e644d..347bdd0b1 100644
--- a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
@@ -13,7 +13,7 @@ author: frack113
 date: 2021-11-24
 modified: 2023-08-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
index e6df1d1bd..adb2569f1 100644
--- a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
@@ -14,7 +14,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
index 51d43a13f..ee616674f 100644
--- a/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml
@@ -9,7 +9,7 @@ author: '@neu5ron'
 date: 2019-02-07
 modified: 2023-02-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070
 - attack.persistence
 - attack.t1542.003
diff --git a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
index 422d784fd..9c0fae0ef 100644
--- a/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
@@ -12,8 +12,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.005
- - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
index 4104b174c..ac933cfe5 100644
--- a/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
@@ -13,8 +13,8 @@ date: 2019-10-26
 modified: 2023-08-16
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.005
- - attack.defense-evasion
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml b/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
index 0addfb2d4..695b2a63c 100644
--- a/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml
@@ -14,7 +14,7 @@ references:
 author: Josh Nickels, mttaggart
 date: 2024-07-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
index 37038a2e1..eae99114c 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml
@@ -10,8 +10,9 @@ author: Michael Haag, FPT.EagleEye
 date: 2017-03-09
 modified: 2023-02-15
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 - attack.s0190
 - attack.t1036.003
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
index 9eab7a96c..b0fbe2e96 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
@@ -14,8 +14,9 @@ author: Florian Roth (Nextron Systems)
 date: 2022-06-28
 modified: 2023-02-15
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 - attack.s0190
 - attack.t1036.003
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
index ee65fa462..b92c5c591 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
@@ -13,8 +13,9 @@ author: Florian Roth (Nextron Systems)
 date: 2022-06-28
 modified: 2025-12-10
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 - attack.s0190
 - attack.t1036.003
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
index 3abbbc561..452b603bf 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
@@ -10,8 +10,9 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2022-06-28
 modified: 2023-05-30
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 - attack.s0190
 - attack.t1036.003
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
index 2c658cca5..57c0fc663 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
@@ -16,8 +16,9 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2022-06-28
 modified: 2025-12-10
 tags:
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 - attack.s0190
 - attack.t1036.003
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
index 7280155a0..c0de2cbe7 100644
--- a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
@@ -15,7 +15,8 @@ date: 2020-10-29
 modified: 2024-01-25
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1197
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
index 233ad4734..d3781462a 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
@@ -13,9 +13,9 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-23
 tags:
- - attack.defense-evasion
 - attack.credential-access
 - attack.collection
+ - attack.stealth
 - attack.t1185
 - attack.t1564.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
index f97e9385c..315706a40 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
@@ -11,8 +11,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-12
 tags:
- - attack.defense-evasion
 - attack.command-and-control
+ - attack.stealth
 - attack.t1105
 - attack.t1564.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
index 4ef935056..be962e04c 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
@@ -12,8 +12,8 @@ author: Sreeman, Florian Roth (Nextron Systems)
 date: 2022-01-04
 modified: 2025-10-07
 tags:
- - attack.defense-evasion
 - attack.command-and-control
+ - attack.stealth
 - attack.t1105
 - attack.t1564.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml b/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml
index 8c264e6d5..47b9419b7 100644
--- a/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-02-09
 modified: 2023-11-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml
index 0de84472d..3f69ed22b 100644
--- a/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml
@@ -11,8 +11,8 @@ date: 2019-10-26
 modified: 2024-04-22
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1106
- - attack.defense-evasion
 - attack.t1218
 - attack.t1127
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml
index ecadab35c..89770c42e 100644
--- a/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml
+++ b/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml
@@ -15,7 +15,7 @@ references:
 author: oscd.community, @redcanary, Zach Stanford @svch0st
 date: 2023-03-05
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
index e7900d977..0bb11a9bd 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
@@ -13,7 +13,7 @@ author: Austin Songer @austinsonger
 date: 2021-10-23
 modified: 2024-03-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
index edc542a53..63d1d887d 100644
--- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-15
 modified: 2024-03-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
index 41fc05d88..a0ec4f7cf 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
@@ -15,7 +15,7 @@ author: oscd.community, @redcanary, Zach Stanford @svch0st
 date: 2023-03-05
 modified: 2024-03-05
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
index 7f0da8fea..6ae995f94 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
@@ -13,7 +13,7 @@ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2023-02-15
 modified: 2025-06-04
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download.yml b/rules/windows/process_creation/proc_creation_win_certutil_download.yml
index 2ad1a73b7..91ff291b6 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download.yml
@@ -16,7 +16,7 @@ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasr
 date: 2023-02-15
 modified: 2025-12-01
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.command-and-control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
index d36941da3..9e1369fc3 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml
@@ -19,7 +19,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-15
 modified: 2025-12-01
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.command-and-control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
index 0e61d86aa..0b4b2a32a 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml
@@ -19,7 +19,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-15
 modified: 2025-12-10
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.command-and-control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
index 18fa80f58..ecc9f04a3 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
@@ -10,7 +10,7 @@ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasr
 date: 2019-02-24
 modified: 2024-03-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
index f0dff318d..c2fc09016 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
@@ -14,7 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-15
 modified: 2024-03-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
index 29c037154..adbda9a13 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
@@ -14,7 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-15
 modified: 2024-03-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
index 5587f7ecb..ac0fbe683 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasr
 date: 2023-02-15
 modified: 2024-03-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
index cb319c0b0..daabb93ae 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-01
 modified: 2023-02-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
index 0a72e83d3..2c23dd278 100644
--- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
+++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml
@@ -9,8 +9,8 @@ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2019-10-14
 modified: 2023-03-07
 tags:
+ - attack.stealth
 - attack.t1036
- - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml b/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml
index 7574c9ecc..40149d671 100644
--- a/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2022-05-13
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.011
- attack.credential-access
- attack.t1003.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
index 4d0659da7..cb0aa4bad 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
@@ -8,7 +8,7 @@ author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-13
modified: 2024-03-05
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
index cd2fd2675..0d8b49d19 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
@@ -13,7 +13,7 @@ author: frack113
date: 2022-01-15
modified: 2024-03-05
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070.004
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
index 3af2a401b..583e477e3 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml
@@ -9,7 +9,7 @@ author: frack113 , X__Junior (Nextron Systems)
date: 2021-12-02
modified: 2023-09-11
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070.004
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag.yml b/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag.yml
index 8a73cd0fb..7a5402afe 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag.yml
@@ -11,7 +11,7 @@ references:
- https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
index 15c2ee231..fa8116232 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
date: 2022-03-05
modified: 2023-03-07
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
index d96cbf5ad..0cc696384 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
@@ -9,7 +9,7 @@ author: X__Junior (Nextron Systems)
date: 2023-07-18
modified: 2024-03-06
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070.004
logsource:
category: process_creation
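Review bot: In proc_creation_win_cmd_ntdllpipe_redirect.yml the bare `attack.defense-evasion` tactic becomes `attack.defense-impairment`, but the rule carries no technique tag that would anchor that choice, whereas the other technique-less rule in this commit (the dfsvc child-process rule) maps the same old tactic to `attack.stealth`. Since the two v19 tactics are not interchangeable for coverage reporting, please add the technique the rule is meant to cover next to the tactic, for example `    - attack.t1685` if the intent is EDR unhooking as a form of impairing defenses, or switch to `attack.stealth` if the intent is only hiding the copy; a tactic without a technique cannot be validated by the tag checker. The rule's detection logic is outside the hunk.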
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
index 717b4fd92..6c67a4d26 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
@@ -11,7 +11,7 @@ author: Ilya Krestinichev
date: 2022-11-03
modified: 2024-03-05
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070.004
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index e95a87358..28a433529 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -15,7 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-03-19
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
index ebe366222..94fe9dde6 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml
@@ -13,7 +13,7 @@ author: frack113
date: 2022-01-15
modified: 2023-03-07
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070.004
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml b/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml
index 744a4b5a3..69af6ef89 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml
@@ -14,7 +14,7 @@ date: 2021-11-03
modified: 2024-04-22
tags:
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
- attack.t1202
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml b/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
index 678ccbc06..87f26d0b6 100644
--- a/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
@@ -8,8 +8,8 @@ author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
- - attack.defense-evasion
- attack.execution
+ - attack.stealth
- attack.t1218.003
- attack.g0069
- car.2019-04-001
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
index 27e9bd685..a6a98ceed 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
@@ -12,8 +12,8 @@ references:
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- - attack.defense-evasion
- attack.execution
+ - attack.stealth
- attack.t1059.001
- attack.t1059.003
- attack.t1564.003
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
index d50a60c50..45673419f 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
@@ -10,7 +10,7 @@ author: frack113
date: 2022-12-09
modified: 2024-12-01
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1202
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
index 6d5449f66..449dbfe10 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
@@ -11,7 +11,7 @@ author: omkar72
date: 2020-10-25
modified: 2023-12-11
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1202
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process.yml b/rules/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process.yml
index 5a303294e..4e69247b4 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process.yml
@@ -10,8 +10,8 @@ references:
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
+ - attack.stealth
- attack.t1202
- - attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
index bf77a0878..0bbd7092a 100644
--- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
+++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
@@ -10,7 +10,7 @@ modified: 2023-10-11
tags:
- attack.privilege-escalation
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.002
- attack.persistence
- attack.t1546
diff --git a/rules/windows/process_creation/proc_creation_win_create_new_dmsasvc_account.yml b/rules/windows/process_creation/proc_creation_win_create_new_dmsasvc_account.yml
index 189c4948b..d36121424 100644
--- a/rules/windows/process_creation/proc_creation_win_create_new_dmsasvc_account.yml
+++ b/rules/windows/process_creation/proc_creation_win_create_new_dmsasvc_account.yml
@@ -19,8 +19,8 @@ date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- - attack.defense-evasion
- attack.persistence
+ - attack.stealth
- attack.t1078.002
- attack.t1098
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml
index d451338a5..3a64e23ed 100644
--- a/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml
@@ -12,7 +12,7 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
date: 2022-01-04
modified: 2022-08-19
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
diff --git a/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering.yml b/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering.yml
index e905eb280..22fefb189 100644
--- a/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering.yml
@@ -18,8 +18,8 @@ references:
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
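Review bot: `attack.t1562.001` is mapped to the parent technique `attack.t1685` in proc_creation_win_credential_guard_registry_tampering.yml, while the minint and fltmc hunks in this same commit map `t1562.002` to the sub-technique `t1685.001`, so the old disable-or-modify-tools sub-technique granularity is dropped here. If v19 has a sub-technique for that behaviour, the tag should be `    - attack.t1685.00x` with the right suffix; if it genuinely does not, a one-line note in the PR description saying so would spare the next reviewer the same check, since coverage layers are usually computed per sub-technique. The same parent-only mapping appears in the dism_remove, devcon and both Defender hunks. The rule's detection block is outside the hunk.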
diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
index 6d17fc140..9a53c831b 100644
--- a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
+++ b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
@@ -12,7 +12,7 @@ author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-08-24
modified: 2026-03-23
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027.004
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
index 4053e9c14..bfab5d837 100644
--- a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
@@ -11,9 +11,9 @@ date: 2019-02-11
modified: 2026-03-23
tags:
- attack.execution
+ - attack.stealth
- attack.t1059.005
- attack.t1059.007
- - attack.defense-evasion
- attack.t1218.005
- attack.t1027.004
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_csi_execution.yml b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
index 9bb2662e5..dee3e54ff 100644
--- a/rules/windows/process_creation/proc_creation_win_csi_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_csi_execution.yml
@@ -13,8 +13,8 @@ modified: 2022-07-11
tags:
- attack.lateral-movement
- attack.execution
+ - attack.stealth
- attack.t1072
- - attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml b/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
index 6b48f5825..062bb3be1 100644
--- a/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
+++ b/rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml
@@ -9,7 +9,7 @@ date: 2020-03-08
modified: 2022-07-14
tags:
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
- attack.t1127
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_customshellhost_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_customshellhost_susp_exec.yml
index 53d6d06e3..042a90d6e 100644
--- a/rules/windows/process_creation/proc_creation_win_customshellhost_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_customshellhost_susp_exec.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2025-10-29
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1216
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
index b6faa6ded..15ae84e47 100644
--- a/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml
@@ -13,7 +13,7 @@ date: 2020-01-28
modified: 2025-01-22
tags:
- attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
- attack.t1055.001
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml
index 5d885ec00..b5dd17aec 100644
--- a/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml
@@ -9,8 +9,8 @@ author: frack113
date: 2022-12-31
modified: 2024-04-22
tags:
+ - attack.stealth
- attack.t1218
- - attack.defense-evasion
- attack.execution
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml b/rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml
index 882245608..fd9a01bec 100644
--- a/rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml
+++ b/rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml
@@ -17,8 +17,8 @@ references:
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml b/rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml
index aa9fc6a6a..f5c6efad8 100644
--- a/rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml
+++ b/rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml
@@ -16,8 +16,8 @@ references:
author: 'Matt Anderson (Huntress)'
date: 2025-07-09
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml b/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml
index 8e8121e56..4de8753eb 100644
--- a/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml
+++ b/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml
@@ -13,11 +13,11 @@ references:
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
- - attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
+ - attack.defense-impairment
- attack.t1543.003
- - attack.t1562.001
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_device_credential_deployment.yml b/rules/windows/process_creation/proc_creation_win_device_credential_deployment.yml
index c6c7c01ca..a9b80b621 100644
--- a/rules/windows/process_creation/proc_creation_win_device_credential_deployment.yml
+++ b/rules/windows/process_creation/proc_creation_win_device_credential_deployment.yml
@@ -8,7 +8,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
index 176cd3434..0f4c4722e 100644
--- a/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
+++ b/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml
@@ -16,7 +16,8 @@ modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml b/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
index 63ce60c8a..d4b3c9ea9 100644
--- a/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
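Review bot: proc_creation_win_deviceenroller_dll_sideloading.yml gains `attack.execution` in addition to `attack.stealth` for a rule whose only technique tag is `attack.t1574.001`, and the same pair is added to the vmware_xfer and dnscmd sideloading rules later in this commit. That reads as a deliberate v19 tactic mapping for T1574.001 rather than a one-off, but nothing in the hunk records it; a short note in the PR description (or the commit message) listing which technique IDs picked up `attack.execution` would let reviewers confirm it against the v19 data instead of inferring it from three parallel edits. The `modified:` value `2023-02-04` visible as context is also left unchanged by a hunk that alters the tag set. The rule's detection block is outside the hunk.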
@@ -10,7 +10,7 @@ date: 2022-01-11
modified: 2023-04-06
tags:
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml
index 7e91b656d..ccd230b22 100644
--- a/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
index 0b50eabbb..04889c408 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
@@ -22,7 +22,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml
index b82b4a93e..5eee8aa0d 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml
@@ -25,7 +25,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
modified: 2024-03-05
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
index da4dd14ba..55a433880 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
@@ -23,7 +23,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
modified: 2024-03-05
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
index f332d6054..cf8edfe51 100644
--- a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
@@ -10,7 +10,6 @@ author: Michael Haag
date: 2024-09-03
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.persistence
- attack.t1548.002
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dism_remove.yml b/rules/windows/process_creation/proc_creation_win_dism_remove.yml
index 33c8d48d9..c885214a1 100644
--- a/rules/windows/process_creation/proc_creation_win_dism_remove.yml
+++ b/rules/windows/process_creation/proc_creation_win_dism_remove.yml
@@ -9,8 +9,8 @@ author: frack113
date: 2022-01-16
modified: 2022-08-26
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
index f2c69fe7c..ea093f81a 100644
--- a/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
+++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml
@@ -9,7 +9,8 @@ date: 2022-08-02
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.001
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
index 2d0236e31..0f8a66d5c 100644
--- a/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
@@ -11,7 +11,7 @@ date: 2022-06-27
modified: 2023-05-15
tags:
- attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
- attack.t1055
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
index ec611ecf5..12abd020a 100644
--- a/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml
@@ -16,7 +16,9 @@ modified: 2023-02-05
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
+ - attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml b/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml
index e4bc4b2dd..6bc56ab4a 100644
--- a/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml
+++ b/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml
@@ -11,7 +11,7 @@ author: Beyu Denis, oscd.community
date: 2019-10-26
modified: 2024-04-24
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
- attack.t1027.004
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
index e38497fdc..c67831ea8 100644
--- a/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
@@ -10,7 +10,7 @@ author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2025-10-08
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
index 89bd4bb91..36acf50c0 100644
--- a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
@@ -8,7 +8,7 @@ author: Jimmy Bayne (@bohops)
date: 2024-01-02
tags:
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
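Review bot: In proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml one removed tactic (`attack.defense-evasion`) is replaced by three (`attack.execution`, `attack.stealth`, `attack.defense-impairment`) against only two technique tags, `attack.t1574.001` and `attack.t1112`, so at least one tactic here is not obviously backed by a technique the rule declares. If `attack.defense-impairment` is meant to cover the registry modification under T1112, please confirm that v19 actually lists that tactic for T1112; otherwise the extra tactic inflates coverage reports without a technique to validate it. The rule's detection block and the `modified:` value shown as context (`2023-02-05`, not bumped) are outside the lines this hunk changes.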
diff --git a/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml
index 51eb013f8..eac6dd365 100644
--- a/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml
@@ -9,7 +9,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
index df47bf12c..2958462ff 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
index 0bba9c4ee..a7d0a0dd0 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
index 0a368ed6e..8c0b26053 100644
--- a/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems
date: 2022-04-06
modified: 2023-04-12
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
diff --git a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
index 887d18f7b..67c95d095 100644
--- a/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml
@@ -10,8 +10,8 @@ author: Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
- - attack.defense-evasion
- attack.credential-access
+ - attack.stealth
- attack.t1036
- attack.t1003.001
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml b/rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml
index 642e589d1..5288647dd 100644
--- a/rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml
@@ -10,7 +10,7 @@ author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2022-06-09
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
index 3e9bb6981..77347d652 100644
--- a/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
+++ b/rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml
@@ -14,8 +14,8 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
- attack.persistence
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml
index 4d16403bf..d03e29f90 100644
--- a/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml
@@ -12,7 +12,6 @@ author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
index 4fc249624..d5b9cb81e 100644
--- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
@@ -9,7 +9,7 @@ author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
index c44689c51..feadf2a9d 100644
--- a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
+++ b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
@@ -13,7 +13,7 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems date: 2019-06-29 modified: 2025-10-31 tags: - - attack.defense-evasion + - attack.stealth - attack.t1036 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml index 053ce4adc..eb29721c0 100644 --- a/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml +++ b/rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml @@ -9,7 +9,6 @@ date: 2022-02-23 modified: 2022-04-21 tags: - attack.privilege-escalation - - attack.defense-evasion - attack.t1548.002 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml index 5470062b2..06b779e61 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml @@ -14,9 +14,9 @@ author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherc date: 2020-10-05 modified: 2024-03-05 tags: - - attack.defense-evasion - attack.credential-access - attack.command-and-control + - attack.stealth - attack.t1218 - attack.t1564.004 - attack.t1552.001 diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml index edae85ac7..47c7549dd 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml @@ -8,7 +8,7 @@ author: Trent Liffick date: 2020-05-01 modified: 2024-01-15 tags: - - attack.defense-evasion + - attack.stealth - attack.t1036 - attack.t1202 - attack.t1027.003 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml index 7d504949b..27118ad3d 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml @@ -14,9 +14,9 @@ author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherc date: 2020-10-05 modified: 2024-03-05 tags: - - attack.defense-evasion - attack.credential-access - attack.command-and-control + - attack.stealth - attack.t1218 - attack.t1564.004 - attack.t1552.001 diff --git a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml index 8bc189a75..e1c1d07ff 100644 --- a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml +++ b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml @@ -12,10 +12,11 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-02-13 modified: 2025-10-07 tags: - - attack.defense-evasion + - attack.stealth + - attack.defense-impairment - attack.t1070 - - attack.t1562 - - attack.t1562.002 + - attack.t1685 + - attack.t1685.001 logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml index dcf7818c2..961e3a2aa 100644 --- a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml +++ b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml 
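Review bot: The new tag set of fltmc_unload_driver carries both `attack.t1685` and its own sub-technique `attack.t1685.001`; if the project prefers the most specific technique only, drop `- attack.t1685` and keep `- attack.t1685.001`, since the parent adds no coverage information. The same pair already existed as `t1562`/`t1562.002`, so this is a cleanup opportunity rather than a regression introduced here. The `_sysmon` variant whose header starts at the end of this line has the identical pair and should be treated the same way.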
@@ -11,10 +11,11 @@ author: Kirill Kiryanov, oscd.community date: 2019-10-23 modified: 2023-02-13 tags: - - attack.defense-evasion + - attack.stealth + - attack.defense-impairment - attack.t1070 - - attack.t1562 - - attack.t1562.002 + - attack.t1685 + - attack.t1685.001 logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml index b77b3588d..acee740ee 100644 --- a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml +++ b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml @@ -8,7 +8,7 @@ references: author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati date: 2024-01-05 tags: - - attack.defense-evasion + - attack.stealth - attack.t1036 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml b/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml index 727448758..ba972940b 100644 --- a/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml +++ b/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml @@ -10,7 +10,7 @@ author: Florian Roth (Nextron Systems) date: 2022-01-04 modified: 2024-05-13 tags: - - attack.defense-evasion + - attack.stealth logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml index 6fd7e3fa1..09397a704 100644 --- a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml +++ b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml 
@@ -12,8 +12,8 @@ date: 2022-03-02
 modified: 2025-11-13
 tags:
 - attack.execution
+ - attack.defense-impairment
 - attack.t1059
- - attack.defense-evasion
 - attack.t1222.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
index f08511507..f9004af28 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml
@@ -14,8 +14,8 @@ author: Ecco, E.M. Anhaus, oscd.community
 date: 2019-09-26
 modified: 2023-09-09
 tags:
- - attack.defense-evasion
 - attack.impact
+ - attack.stealth
 - attack.t1070
 - attack.t1485
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml
index e021183ff..c84f4114f 100644
--- a/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml
@@ -9,8 +9,8 @@ date: 2020-10-09
 modified: 2024-04-23
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059
- - attack.defense-evasion
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
index a59b6e704..711f0eb0e 100644
--- a/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-15
 modified: 2023-05-22
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
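Review bot: In the fsutil_symlinkevaluation hunk `attack.t1222.001` is paired with `attack.defense-impairment`, while every other non-T1685 technique in this change moves to `attack.stealth`; unless ATT&CK v19 lists File and Directory Permissions Modification under Defense Impairment, the tactic should be `- attack.stealth` instead. Please verify against the v19 technique entry, because a wrong tactic tag misfiles the rule in coverage matrices and navigator layers. The reordering that puts `attack.defense-impairment` before `attack.t1059` is harmless but unrelated to the rename.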
diff --git a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
index f2439674a..c4b5b6315 100644
--- a/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml
@@ -10,7 +10,8 @@ modified: 2022-08-13
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1574.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
index 683d4975a..1199c3547 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml
@@ -10,7 +10,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.c
 date: 2019-10-24
 modified: 2023-12-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
index 5d8620133..0c227c8f5 100644
--- a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-29
 modified: 2024-01-31
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.001
 logsource:
 category: process_creation
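Review bot: Beyond the `defense-evasion` → `stealth` rename, the gup_suspicious_execution hunk adds a new tactic `attack.execution` to a rule whose only visible technique is `attack.t1574.001`; DLL search-order hijacking has not been an Execution technique in earlier ATT&CK versions, so unless v19 lists T1574.001 under Execution the added line `- attack.execution` should be dropped. If the re-mapping is intentional it deserves a mention in the commit message, because a semantic re-tag buried in a bulk taxonomy rename is easy to miss in review.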
diff --git a/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml index 14afcd59b..43d7ac3fc 100644 --- a/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml @@ -11,9 +11,9 @@ author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) date: 2020-04-01 modified: 2023-04-12 tags: - - attack.defense-evasion - attack.execution - attack.initial-access + - attack.stealth - attack.t1047 - attack.t1059.001 - attack.t1059.003 diff --git a/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml index af99a6409..e63eaf0da 100644 --- a/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml @@ -11,9 +11,9 @@ author: Maxim Pavlunin date: 2020-04-01 modified: 2023-04-12 tags: - - attack.defense-evasion - attack.execution - attack.initial-access + - attack.stealth - attack.t1047 - attack.t1059.001 - attack.t1059.003 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml b/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml index c1b5e3c5d..3400cb9a5 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml @@ -8,7 +8,7 @@ author: Alfie Champion (ajpc500) date: 2021-06-02 modified: 2023-03-05 tags: - - attack.defense-evasion + - attack.stealth - attack.t1218.011 logsource: category: process_creation 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml index 3df521b9b..eaa78c966 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml @@ -10,7 +10,7 @@ author: Wojciech Lesicki date: 2021-06-01 modified: 2022-09-16 tags: - - attack.defense-evasion + - attack.stealth - attack.t1218.011 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml index 311786f37..ad8950134 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml @@ -9,8 +9,8 @@ author: Florian Roth (Nextron Systems) date: 2023-10-11 modified: 2024-11-23 tags: - - attack.defense-evasion - attack.privilege-escalation + - attack.stealth - attack.t1055 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml b/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml index 697cc70ef..fad768574 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml @@ -9,7 +9,7 @@ date: 2020-06-04 modified: 2023-02-21 tags: - attack.execution - - attack.defense-evasion + - attack.stealth - attack.t1059.001 - attack.t1564.003 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml index f43715be1..351f40eb6 100644 
--- a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
@@ -10,8 +10,8 @@ date: 2020-05-22
 modified: 2023-02-21
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
- - attack.defense-evasion
 - attack.t1027.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
index 21ece4e18..7764f95ff 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml
@@ -9,7 +9,7 @@ date: 2021-12-07
 modified: 2023-02-04
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml b/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml
index 929b20662..cb6291495 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml
@@ -12,8 +12,8 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-09-24
 modified: 2025-11-27
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
index c07c238e1..428823b86 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml
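Review bot: In the edr_freeze hunk `attack.t1562.001` is collapsed to the parent `attack.t1685`, whereas `t1562.002` elsewhere in this change is mapped to the sub-technique `attack.t1685.001`; if v19 defines a sub-technique covering disabling or modifying security tools, the rule should keep that granularity instead of falling back to the parent. Dropping the sub-technique also changes where the rule lands in coverage heat maps, which is a silent loss for anyone tracking EDR-tampering detections specifically. A one-line note in the PR description listing which T1562 sub-techniques have no v19 equivalent would make this bulk mapping auditable.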
@@ -8,8 +8,8 @@ references:
 author: '@gott_cyber'
 date: 2024-01-02
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml
index f5f222ad7..40d3178b7 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml
@@ -9,7 +9,6 @@ author: Ecco
 date: 2019-08-30
 modified: 2023-02-21
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 - car.2019-04-001
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
index 6c08ebdcc..256523359 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_gmer.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-05
 modified: 2024-11-23
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml b/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml
index 508bcf01f..51805ba03 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml
@@ -10,7 +10,7 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-07-01
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1055.012
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml index 37cef8dcf..6572e2456 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml @@ -10,7 +10,7 @@ date: 2022-12-21 modified: 2024-11-23 tags: - attack.privilege-escalation - - attack.defense-evasion + - attack.stealth - attack.t1134.001 - attack.t1134.003 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml index 5d7bb7a56..836e141d2 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml @@ -8,7 +8,7 @@ author: Jonathan Cheong, oscd.community date: 2020-10-13 modified: 2022-11-17 tags: - - attack.defense-evasion + - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml index f5f7486a5..3f590a0c5 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml @@ -8,7 +8,7 @@ author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community' date: 2019-11-08 modified: 2026-03-16 tags: - - attack.defense-evasion + - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml index 18d7cd612..4154065aa 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml @@ -8,7 +8,7 @@ author: Jonathan Cheong, oscd.community date: 2020-10-15 modified: 2024-04-15 tags: - - attack.defense-evasion + - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml index 034cd19e5..6ce3936ff 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml @@ -8,7 +8,7 @@ author: Jonathan Cheong, oscd.community date: 2020-10-15 modified: 2024-04-15 tags: - - attack.defense-evasion + - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml index 47119154d..7b7504234 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml @@ -8,7 +8,7 @@ author: Timur Zinniatullin, oscd.community date: 2020-10-18 modified: 2022-12-29 tags: - - attack.defense-evasion + - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml index 60d46b894..a3f0ccff4 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml @@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community date: 2020-10-12 modified: 2026-03-16 tags: - - attack.defense-evasion + - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml index 7e9fe5214..5625ceb05 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml @@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community date: 2020-10-09 modified: 2026-03-16 tags: - - attack.defense-evasion + - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml index 1f5d9dd1d..669c82310 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml @@ -8,7 +8,7 @@ author: Nikita Nazarov, oscd.community date: 2020-10-08 modified: 2022-03-08 tags: - - attack.defense-evasion + - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml index da74b71d1..eb4bc6cfe 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml @@ -8,7 +8,7 @@ author: Timur Zinniatullin, oscd.community date: 2020-10-13 modified: 2022-11-16 tags: - - attack.defense-evasion + - attack.stealth - attack.t1027 - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml index 02a796ed1..46f3cb68e 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml @@ -8,7 +8,6 @@ author: Florian Roth (Nextron Systems) date: 2022-04-26 modified: 2023-02-04 tags: - - attack.defense-evasion - attack.credential-access - attack.t1558.003 - attack.lateral-movement diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml index 546fc5bbb..2d7afe5be 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml @@ -9,9 +9,9 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-02-14 modified: 2024-11-23 tags: - - attack.defense-evasion - attack.privilege-escalation - cve.2023-21746 + - attack.stealth logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml index 038aa8537..80566b31b 100644 
--- a/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml @@ -9,8 +9,8 @@ author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019-10-26 modified: 2023-02-05 tags: - - attack.defense-evasion - attack.privilege-escalation + - attack.stealth - attack.t1134.001 - attack.t1134.002 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml index bb0e9d6bf..97fbaea38 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml @@ -11,8 +11,8 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-11-29 modified: 2023-02-04 tags: - - attack.defense-evasion - - attack.t1562.001 + - attack.defense-impairment + - attack.t1685 logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml b/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml index 133f60fe9..94961c8ce 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml @@ -9,7 +9,7 @@ date: 2020-06-24 modified: 2023-03-01 tags: - attack.execution - - attack.defense-evasion + - attack.stealth - attack.t1106 - attack.t1059.003 - attack.t1218.011 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml index d7b4453c7..97f88c953 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml 
@@ -13,7 +13,6 @@ author: Florian Roth (Nextron Systems) date: 2018-12-19 modified: 2023-04-20 tags: - - attack.defense-evasion - attack.credential-access - attack.t1003 - attack.t1558.003 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml index 56d9fb93a..02dec134c 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml @@ -12,7 +12,7 @@ date: 2022-07-23 modified: 2024-11-23 tags: - attack.privilege-escalation - - attack.defense-evasion + - attack.stealth - attack.t1134.004 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml index 599561022..a8b14d6cf 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml @@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems) date: 2024-06-26 tags: - attack.privilege-escalation - - attack.defense-evasion + - attack.stealth - attack.t1134.001 - attack.t1134.003 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml index 3ec2ca55f..2d4b57d3d 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml @@ -13,7 +13,7 @@ date: 2022-12-27 modified: 2023-02-13 tags: - attack.privilege-escalation - - attack.defense-evasion + - attack.stealth - attack.t1134.001 - attack.t1134.003 logsource: 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml index 51a8b2457..f05cf9cdc 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml @@ -11,8 +11,8 @@ author: Florian Roth (Nextron Systems) date: 2022-09-07 modified: 2023-02-14 tags: - - attack.defense-evasion - - attack.t1562.002 + - attack.defense-impairment + - attack.t1685.001 logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml index 333089a43..48b405b96 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml @@ -9,10 +9,10 @@ date: 2022-08-20 modified: 2023-02-13 tags: - attack.persistence - - attack.defense-evasion - attack.privilege-escalation - attack.discovery - attack.execution + - attack.stealth - attack.t1615 - attack.t1569.002 - attack.t1574.005 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml index c700138b6..037be8ff8 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml @@ -9,9 +9,9 @@ date: 2023-04-17 modified: 2024-11-23 tags: - attack.execution - - attack.defense-evasion + - attack.defense-impairment - attack.t1059 - - attack.t1562.001 + - attack.t1685 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml index de6f7fea2..519faebba 100644 
--- a/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml @@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) date: 2021-08-30 modified: 2024-11-23 tags: - - attack.defense-evasion - attack.privilege-escalation - attack.t1548.002 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml index 208ef882b..deeca1302 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml @@ -16,7 +16,6 @@ references: - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team tags: - attack.credential-access - - attack.defense-evasion - attack.discovery - attack.execution - attack.privilege-escalation diff --git a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml index 267b359b1..c153d53b8 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml @@ -7,8 +7,8 @@ references: author: Nasreddine Bencherchali (Nextron Systems) date: 2023-03-08 tags: - - attack.defense-evasion - attack.lateral-movement + - attack.stealth logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml b/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml index 1b5f2fc4a..1aaaa98a0 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_xordump.yml 
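Review bot: In the winpwn hunk `attack.defense-evasion` is removed without an `attack.stealth` or `attack.defense-impairment` replacement, leaving credential-access, discovery, execution and privilege-escalation as tactics; the technique list continues past the hunk, so if any remaining technique is one that v19 places under Stealth (obfuscation or masquerading, for instance) the tactic should be re-added as `- attack.stealth`. The same plain removal in the uacme hunk above is consistent with `t1548.002` being a privilege-escalation technique, but winpwn is a multi-purpose toolkit and the tactic set should be checked against its full technique list rather than assumed.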
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-01-28
 modified: 2023-02-08
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036
     - attack.t1003.001
     - attack.credential-access
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml b/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml
index d020adfae..cbd7dd6f0 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml
@@ -10,7 +10,7 @@ date: 2021-11-07
 modified: 2022-12-25
 tags:
     - attack.execution
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
     - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering.yml b/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering.yml
index db42d9940..e761ea106 100644
--- a/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering.yml
@@ -14,8 +14,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2026-01-26
 tags:
-    - attack.defense-evasion
-    - attack.t1562.001
+    - attack.defense-impairment
+    - attack.t1685
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml
index d1b20ab50..ef3f94eb1 100644
--- a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml
@@ -11,7 +11,7 @@ author: Sreeman
 date: 2020-04-17
 modified: 2024-02-08
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
index 65017d663..2cd8d16e5 100644
--- a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
+++ b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2022-07-18
 modified: 2024-04-29
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1564.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
index 80696bf9a..53ac80b43 100644
--- a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
@@ -13,7 +13,7 @@ author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Syst
 date: 2024-02-05
 modified: 2024-06-04
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
index 70c84c482..7f45877d6 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-01-09
 modified: 2023-01-22
 tags:
-    - attack.defense-evasion
-    - attack.t1562.002
+    - attack.defense-impairment
+    - attack.t1685.001
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
index 602fd20a4..f73c3d685 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml
@@ -8,7 +8,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-22
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml b/rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml
index 6ef1e8b83..642c2df98 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml
@@ -12,7 +12,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-09-02
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1070
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml b/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml
index 453ee74ed..dbd714224 100644
--- a/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml
+++ b/rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml
@@ -9,7 +9,8 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022-05-07
 modified: 2022-05-16
 tags:
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1127
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml
index ffe2ad61a..2146224bf 100644
--- a/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-27
 modified: 2022-12-29
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml
index 122e49c9b..82281e2c7 100644
--- a/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml
@@ -11,8 +11,8 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2023-11-09
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml b/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
index 07417c966..2378c9b7e 100644
--- a/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
+++ b/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
@@ -9,7 +9,7 @@ author: frack113
 date: 2021-07-13
 modified: 2022-10-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_installutil_download.yml b/rules/windows/process_creation/proc_creation_win_installutil_download.yml
index 234c35b8d..e4983ca52 100644
--- a/rules/windows/process_creation/proc_creation_win_installutil_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_installutil_download.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-19
 modified: 2023-11-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml b/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml
index e3857295e..d9c81b1e9 100644
--- a/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml
@@ -9,7 +9,7 @@ author: frack113
 date: 2022-01-23
 modified: 2022-02-04
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_jsc_execution.yml b/rules/windows/process_creation/proc_creation_win_jsc_execution.yml
index d99b3c5a7..cd0d7ce5b 100644
--- a/rules/windows/process_creation/proc_creation_win_jsc_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_jsc_execution.yml
@@ -12,7 +12,8 @@ author: frack113
 date: 2022-05-02
 modified: 2024-04-24
 tags:
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1127
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml b/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml
index 39e4e22ba..b5c25ca9a 100644
--- a/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml
@@ -7,7 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-11-01
 tags:
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1127
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_kd_execution.yml b/rules/windows/process_creation/proc_creation_win_kd_execution.yml
index 4f938bd58..cc9ebd28f 100644
--- a/rules/windows/process_creation/proc_creation_win_kd_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_kd_execution.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-15
 modified: 2024-04-24
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
index 999c74df4..42ed00b8f 100644
--- a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
@@ -12,8 +12,8 @@ date: 2024-05-13
 tags:
     - attack.persistence
     - attack.execution
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1203
     - attack.t1574.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
index fc6c06551..308020b15 100644
--- a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
@@ -12,7 +12,7 @@ date: 2022-09-02
 modified: 2023-03-14
 tags:
     - attack.command-and-control
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
     - attack.t1105
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml b/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml
index 87a13fdbf..566395c66 100644
--- a/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-22
 modified: 2024-06-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml b/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml
index c93f334ae..80ec4d0a0 100644
--- a/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml
+++ b/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml
@@ -9,9 +9,9 @@ author: Florian Roth (Nextron Systems)
 date: 2021-02-11
 modified: 2023-02-21
 tags:
-    - attack.defense-evasion
-    - attack.t1562.001
-    - attack.t1070.001
+    - attack.defense-impairment
+    - attack.t1685
+    - attack.t1685.005
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml b/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
index 4d0b0e1fc..28b14a717 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
@@ -9,7 +9,7 @@ author: Beyu Denis, oscd.community (rule), @_felamos (idea)
 date: 2019-10-12
 modified: 2021-11-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
index c84652307..44485420a 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2021-11-26
 modified: 2022-12-31
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1564.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
index ddbb6bf58..5f70c3d99 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2021-11-26
 modified: 2022-12-30
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1564.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
index 2b08fb5c5..4044fc17b 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
@@ -9,7 +9,7 @@ author: frack113
 date: 2022-05-16
 modified: 2023-06-14
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
index 1089ffa47..ad09f636a 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml
@@ -9,7 +9,7 @@ author: frack113
 date: 2022-05-07
 modified: 2022-05-16
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
index 9422f3aa3..7481143ad 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-19
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1216.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml b/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml
index f1e61b054..0240f2846 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml
@@ -12,7 +12,7 @@ author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Sys
 date: 2020-10-13
 modified: 2023-02-03
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1216
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
index bb2dd9fcd..e96406525 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
@@ -18,8 +18,8 @@ author: frack113, Florian Roth
 date: 2021-07-12
 modified: 2022-12-05
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1055.001
     - attack.t1218.013
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
index d1d47f273..860223f5b 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml
@@ -10,7 +10,7 @@ date: 2022-01-11
 modified: 2024-11-23
 tags:
     - attack.execution
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml b/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
index bdbac4f78..f3567edac 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
@@ -10,7 +10,7 @@ author: Beyu Denis, oscd.community
 date: 2020-10-18
 modified: 2021-11-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml b/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml
index cdeeb1e32..0a7d7fabd 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml
@@ -9,7 +9,7 @@ author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
 date: 2019-10-12
 modified: 2021-11-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
index d8398d63d..0d3869978 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
@@ -9,7 +9,7 @@ author: A. Sungurov , oscd.community
 date: 2020-10-12
 modified: 2021-11-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
index fc460b69d..5e466d64f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
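Review bot: In the pcwrun hunk the new tag list ends up as `attack.stealth`, `attack.t1218`, `attack.execution`, leaving the tactic tag `attack.execution` after a technique id, whereas every other hunk in this patch that touches a list with several tactics (sharpup, pester, printbrm, runscripthelper) keeps all tactic tags ahead of the technique ids. Since this line is being rewritten anyway, it would be consistent to move `attack.execution` up so the list reads `    - attack.stealth`, `    - attack.execution`, `    - attack.t1218`. The pcwrun_follina hunk on the next line has the identical ordering and would get the same treatment.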
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-13
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
     - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml
index 1ff177bbf..b4db9a536 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml
@@ -9,7 +9,7 @@ author: Julia Fomina, oscd.community
 date: 2020-10-05
 modified: 2023-02-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml
index 45d45dce6..fdf1b0277 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml
@@ -12,8 +12,8 @@ author: frack113, Nasreddine Bencherchali
 date: 2022-08-20
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1059.001
-    - attack.defense-evasion
     - attack.t1216
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml
index 0936900bf..719c35c28 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml
@@ -10,8 +10,8 @@ date: 2020-10-08
 modified: 2023-11-09
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1059.001
-    - attack.defense-evasion
     - attack.t1216
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
index 32626fda3..06906a9f5 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-05-02
 tags:
     - attack.command-and-control
+    - attack.stealth
     - attack.t1105
-    - attack.defense-evasion
     - attack.t1564.004
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
index b01127c96..2b12d0fb6 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
@@ -7,7 +7,7 @@ references:
 author: frack113
 date: 2022-05-28
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1216.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
index 823c27334..1305787ad 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
@@ -9,7 +9,7 @@ references:
 author: Julia Fomina, oscd.community
 date: 2020-10-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml
index 9a9a9894a..012bdb05a 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-19
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
index 3dd81beb2..08fadabf4 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml
@@ -8,7 +8,8 @@ references:
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2022-06-02
 tags:
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1127
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
index 993052cc9..50be454e0 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml
@@ -8,7 +8,7 @@ references:
 author: frack113
 date: 2022-12-29
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
index 3085d7e8e..6ca5b3035 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml
@@ -9,8 +9,8 @@ date: 2020-10-09
 modified: 2022-07-11
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1059
-    - attack.defense-evasion
     - attack.t1202
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml b/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml
index d9b945af3..47f02d8da 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml
@@ -7,8 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-01
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
index 77a407dbf..470aec206 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml
@@ -11,7 +11,7 @@ tags:
     - attack.privilege-escalation
     - attack.persistence
     - attack.execution
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1574.008
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml
index b618302b1..367126731 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml
@@ -7,8 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-11-10
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
index 07606c80d..78f7e4966 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -12,7 +12,7 @@ author: frack113
 date: 2021-07-12
 modified: 2022-10-04
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
index bae2b53f6..70765c973 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
@@ -9,7 +9,7 @@ author: frack113
 date: 2021-07-16
 modified: 2022-06-22
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
     - attack.t1216
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
index daa1b9a59..7f7c5ae6d 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
@@ -9,7 +9,7 @@ date: 2020-10-18
 modified: 2023-01-09
 tags:
     - attack.privilege-escalation
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1055.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
index c11d3d784..8566eb281 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml
@@ -7,7 +7,8 @@ references:
 author: frack113
 date: 2022-05-16
 tags:
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1127
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
index c86c21d52..47c023be1 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
@@ -13,8 +13,8 @@ author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
 date: 2020-10-06
 modified: 2022-10-09
 tags:
-    - attack.defense-evasion
     - attack.credential-access
+    - attack.stealth
     - attack.t1218
     - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
index d76cb25ba..4bc43dd7c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2022-12-29
 modified: 2024-06-04
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml b/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
index 7dce23df5..187d1ec1f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
@@ -7,7 +7,7 @@ references:
 author: frack113
 date: 2022-05-28
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1216
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml b/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
index 5b5667613..d44e3a255 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
@@ -8,7 +8,7 @@ author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
 date: 2020-10-07
 modified: 2021-11-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1027.004
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml b/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
index 3561e084a..ac8bc442a 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
@@ -10,7 +10,7 @@ references:
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2022-06-01
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
index 208d533c3..8144ab98f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
@@ -7,7 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-09
 tags:
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1127
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
index d1b368298..bab790f76 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml
@@ -8,7 +8,8 @@ references:
 author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 date: 2022-06-01
 tags:
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1127
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
index 8e0c854fd..b1cd14b62 100644
--- a/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml
@@ -9,7 +9,7 @@ author: Austin Songer @austinsonger
 date: 2021-11-05
 modified: 2022-07-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lsa_ppl_protection_setting_modification_via_cli.yml b/rules/windows/process_creation/proc_creation_win_lsa_ppl_protection_setting_modification_via_cli.yml
index 445c1e58a..34e6ea88c 100644
--- a/rules/windows/process_creation/proc_creation_win_lsa_ppl_protection_setting_modification_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_lsa_ppl_protection_setting_modification_via_cli.yml
@@ -11,8 +11,8 @@ author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Sys
 date: 2022-03-22
 modified: 2026-03-13
 tags:
- - attack.defense-evasion
- - attack.t1562.010
+ - attack.defense-impairment
+ - attack.t1689
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml
index 386842c8f..e79099896 100644
--- a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml
@@ -8,7 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-09
 modified: 2023-08-03
 tags:
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml b/rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml
index 64f9a45b3..9de84fe15 100644
--- a/rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml
+++ b/rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml
@@ -15,8 +15,8 @@ references:
 author: TropChaud
 date: 2025-11-22
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.defense-impairment
 - attack.t1484.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_rlo_abuse_pattern.yml b/rules/windows/process_creation/proc_creation_win_mmc_rlo_abuse_pattern.yml
index 588301102..8e51f7330 100644
--- a/rules/windows/process_creation/proc_creation_win_mmc_rlo_abuse_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_mmc_rlo_abuse_pattern.yml
@@ -10,8 +10,8 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-02-05
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1204.002
- - attack.defense-evasion
 - attack.t1218.014
 - attack.t1036.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml
index 539295fbe..84217df96 100644
--- a/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml
+++ b/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml
@@ -15,7 +15,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024-01-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
index 61e9dfbce..cc480ba93 100644
--- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-12
 modified: 2023-04-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
index bf697f6c1..1d2092ab8 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
@@ -13,7 +13,8 @@ modified: 2023-08-04
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1574.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
index 9ab70f25d..e319c2861 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml
@@ -9,7 +9,7 @@ author: Matthew Matchen
 date: 2020-09-04
 modified: 2023-11-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.command-and-control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
index 5b564b781..542ee47d0 100644
--- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
+++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml
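Review bot: The `attack.execution` tactic added alongside `attack.stealth` in the `proc_creation_win_mpcmdrun_dll_sideload_defender.yml` hunk is worth double-checking against the v19 technique page, because the rule's only technique tag is `attack.t1574.001` (Hijack Execution Flow), which in the ATT&CK releases I know maps to Persistence, Privilege Escalation and Defense Evasion but not Execution. The other T1127 rules in this commit received `attack.execution` too, but T1127 genuinely lists Execution, whereas the msra T1055 hunk on the same page correctly received only `attack.stealth`; if T1574.001 did not gain Execution in v19 this looks like a copy of the T1127 pattern. If so, drop the line `    - attack.execution` and keep `attack.stealth` as the one-for-one replacement for `attack.defense-evasion`; if v19 did add it, a sentence in the PR description noting that would save the next reviewer the lookup.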
@@ -9,8 +9,8 @@ author: frack113
 date: 2021-07-07
 modified: 2023-07-18
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml b/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
index 2391af6cb..0dc13e4e7 100644
--- a/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
@@ -8,7 +8,7 @@ references:
 author: frack113
 date: 2022-11-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_answer_file_exec.yml b/rules/windows/process_creation/proc_creation_win_msdt_answer_file_exec.yml
index 9681557c0..d4e06c2f0 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_answer_file_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_answer_file_exec.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-13
 modified: 2025-10-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
index 15fbbe0d8..700193b61 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-05-29
 modified: 2024-03-13
 tags:
- - attack.defense-evasion
+ - attack.t1202
 logsource:
 category: process_creation
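Review bot: After the swap, `proc_creation_win_msbuild_susp_parent_process.yml` carries `attack.stealth` as its only tag and no technique ID, so the tactic stands alone and the rule stays invisible to any technique-based coverage map; the gap predates this commit, but a taxonomy migration is the natural moment to close it. The other trusted-developer-utility rules in this commit (`vsiisexelauncher`, `wfc`, `mftrace_child_process`) pair `attack.stealth` with `attack.execution` and carry `attack.t1127`, and MSBuild has its own sub-technique under that ID. If the detection is the MSBuild proxy-execution pattern the filename suggests, add `    - attack.execution` and `    - attack.t1127.001`; the rule's detection block is outside the hunk, so confirm that before tagging.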
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
index 90b0c6705..977a9ef8f 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
@@ -14,7 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
 date: 2022-06-21
 modified: 2024-03-13
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
index b86d8cbd0..f9be68e06 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
@@ -9,7 +9,7 @@ author: Nextron Systems
 date: 2022-06-01
 modified: 2023-02-06
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
index 79e890f18..599697cb6 100644
--- a/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml
@@ -7,8 +7,8 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2023-11-09
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_http.yml b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
index 9f5cbf0a4..c80ec9347 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_http.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_http.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-08
 modified: 2023-02-06
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1218.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
index c71f0e03d..68ff620fe 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
@@ -9,7 +9,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.comm
 date: 2019-10-24
 modified: 2023-02-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml b/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
index ab4307a31..8ba264535 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
@@ -8,7 +8,7 @@ author: Markus Neis
 date: 2018-06-07
 modified: 2023-02-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
index 2b690e821..945feff13 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
@@ -8,7 +8,7 @@ author: Michael Haag
 date: 2019-01-16
 modified: 2023-02-06
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.005
 - car.2013-02-003
 - car.2013-03-001
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml
index 260c5cecc..75fab68ee 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml
@@ -17,7 +17,7 @@ author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachc
 date: 2019-02-22
 modified: 2025-05-12
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 - attack.t1218.005
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml
index 56df948f2..c5e8778be 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml
@@ -10,7 +10,7 @@ author: frack113
 date: 2022-04-24
 modified: 2024-03-13
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.007
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml b/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml
index 2dab54524..80c8f1cf1 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-04-16
 modified: 2022-07-14
 tags:
+ - attack.stealth
 - attack.t1218.007
- - attack.defense-evasion
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
index 217a284c2..3ab762167 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
@@ -12,7 +12,7 @@ author: frack113
 date: 2022-01-16
 modified: 2026-01-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.007
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
index 915285036..3e6579a08 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -12,7 +12,7 @@ author: frack113
 date: 2022-01-16
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.007
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
index f8332505a..40d584bc4 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-28
 modified: 2025-10-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.007
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml b/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
index d8d71c1f0..09e484002 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-11-14
 modified: 2023-02-21
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml b/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
index 2b42219f6..ecc0ffa7f 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml
@@ -11,7 +11,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-02-09
 modified: 2022-01-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.007
 - attack.command-and-control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml b/rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml
index c39b9f2c8..c9691682f 100644
--- a/rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml
@@ -12,8 +12,9 @@ references:
 author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-11-03
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1218
 - attack.t1553.005
 - attack.t1204.002
diff --git a/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml b/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml
index 05cecbce7..482f8f32a 100644
--- a/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_msohtmed_download.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-19
 modified: 2023-11-09
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mspub_download.yml b/rules/windows/process_creation/proc_creation_win_mspub_download.yml
index f698ea1ac..b7037f38c 100644
--- a/rules/windows/process_creation/proc_creation_win_mspub_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_mspub_download.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-19
 modified: 2023-02-08
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
index a1518440c..296e21980 100644
--- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml
@@ -10,7 +10,7 @@ date: 2022-06-24
 modified: 2023-02-03
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
index 0500cb38f..a591c0174 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
@@ -13,8 +13,8 @@ date: 2020-10-10
 modified: 2022-12-09
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
- - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
index 1cad374ae..76de12e45 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml
@@ -12,8 +12,8 @@ date: 2020-10-13
 modified: 2022-02-25
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
- - attack.defense-evasion
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml
index 3617cfd77..cf9d195ca 100644
--- a/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml
@@ -11,7 +11,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2019-10-21
 modified: 2023-11-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1220
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
index e22aa8d9e..770fedf7b 100644
--- a/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml
@@ -8,7 +8,7 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2023-11-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1220
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
index 34fa64866..0c57e461c 100644
--- a/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml
@@ -8,7 +8,7 @@ author: oscd.community, @redcanary, Zach Stanford @svch0st
 date: 2020-10-08
 modified: 2023-02-21
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
index 57a5ca9d3..f4798f13f 100644
--- a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
@@ -8,11 +8,11 @@ author: Tim Shelton (HAWK.IO)
 date: 2021-12-09
 modified: 2023-02-21
 tags:
- - attack.defense-evasion
 - attack.initial-access
 - attack.persistence
 - attack.privilege-escalation
 - attack.lateral-movement
+ - attack.stealth
 - attack.t1021.002
 - attack.t1078
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
index 1c95471b1..046146460 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
@@ -8,8 +8,8 @@ author: Markus Neis, Sander Wiebing
 date: 2019-01-29
 modified: 2023-02-10
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 - attack.s0246
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
index 7f530d906..477f1ab6e 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
@@ -9,8 +9,8 @@ author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2020-05-25
 modified: 2023-12-11
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
index 609378f72..4935b77fe 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
@@ -8,8 +8,8 @@ author: Sander Wiebing
 date: 2020-05-23
 modified: 2023-12-11
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
index 50986eb4b..78e1a558d 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-08-14
 modified: 2025-10-07
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml
index b4a46526e..6d9962ef7 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml
@@ -10,8 +10,8 @@ author: Fatih Sirin
 date: 2019-11-01
 modified: 2023-02-13
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 - attack.s0108
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
index fc550cf84..2a3ba3277 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
@@ -9,8 +9,8 @@ author: frack113
 date: 2022-01-09
 modified: 2023-02-14
 tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
index 4bb6dbe26..0685e1376 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
@@ -7,7 +7,7 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-07-18
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml
index a08da2ed0..fc8ed9039 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml
@@ -11,7 +11,6 @@ date: 2019-01-29
 modified: 2023-09-01
 tags:
 - attack.lateral-movement
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1090
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml
index 2dcd58677..de430f5e5 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml
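Review bot: In the `proc_creation_win_netsh_fw_set_rule.yml` hunk the rule ends up with `attack.defense-impairment` as its only tag and no technique ID, whereas every sibling `netsh_fw_*` rule touched by this commit (add_rule, delete_rule, disable, enable_group_rule, allow_rdp, allow_program_in_susp_location) pairs that tactic with `attack.t1686.003`. Since `netsh ... set rule` edits the same firewall rule set the siblings cover, the same sub-technique very likely applies and the missing tag keeps this rule out of technique-level coverage reports; add `    - attack.t1686.003` directly under the tactic tag. The rule's detection block is outside the hunk, so confirm it really targets firewall rule modification before tagging.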
@@ -9,7 +9,6 @@ date: 2019-01-29
 modified: 2023-02-13
 tags:
 - attack.lateral-movement
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1090
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
index 61107b834..166a79195 100644
--- a/rules/windows/process_creation/proc_creation_win_node_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml
@@ -11,7 +11,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-09
 modified: 2023-02-03
 tags:
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1127
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml
index 784423582..15ac4f3f2 100644
--- a/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml
@@ -7,8 +7,8 @@ references:
 author: Max Altgelt (Nextron Systems)
 date: 2022-04-06
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1127
 - attack.t1059.007
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
index f5ee6c8b4..a52482994 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-05
 modified: 2022-12-19
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml
index 978badb80..f55c74362 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml
@@ -12,7 +12,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-22
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml
index 39713e00e..20a708f58 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml
@@ -12,7 +12,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-23
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
index 4c679701d..69b43b210 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-22
 modified: 2023-05-26
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml
index d7f9a5206..5eed67f12 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml
@@ -15,7 +15,7 @@ references:
 author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-22
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
index 7bc5ef904..28a0be1b2 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml
@@ -12,7 +12,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-22
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
index 1b20ada9a..9b6e2865c 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
@@ -16,7 +16,7 @@ author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasred
 date: 2023-05-22
 modified: 2024-03-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
index 1a3e92091..5d24a33cc 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml
@@ -15,7 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-22
 modified: 2024-03-13
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
index 00231805b..79beddaf9 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
@@ -9,7 +9,7 @@ references:
 author: Harjot Singh @cyb3rjy0t
 date: 2023-05-22
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.008
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
index baa359dd9..c22d64b1e 100644
--- a/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
@@ -14,7 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
 date: 2022-05-17
 modified: 2023-06-22
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
index 17e672543..51e2ada82 100644
--- a/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-06-21
 modified: 2023-10-18
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml b/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml
index bd3518e03..fad1b8b19 100644
--- a/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml
@@ -9,7 +9,7 @@ references:
 author: '@kostastsale'
 date: 2023-02-02
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
index 8f4f5fa5a..ab5a43e74 100644
--- a/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml
@@ -14,7 +14,7 @@ date: 2018-12-27
 modified: 2023-02-09
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1059
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
index 766ccbf1d..8699d39cb 100644
--- a/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml
@@ -14,7 +14,7 @@ date: 2018-12-27
 modified: 2023-02-09
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1059
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
index 1ad30964b..28aeb4061 100644
--- a/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml
@@ -29,8 +29,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Kh
 date: 2018-04-06
 modified: 2023-04-24
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1047
 - attack.t1204.002
 - attack.t1218.010
diff --git a/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml b/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml
index c823f0b7d..6fab9b39b 100644
--- a/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml
@@ -11,7 +11,7 @@ author: Victor Sergeev, oscd.community
 date: 2020-10-09
 modified: 2023-03-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
index 2c251d810..50048c4ce 100644
--- a/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
+++ b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
@@ -10,7 +10,7 @@ author: frack113
 date: 2022-03-06
 modified: 2023-08-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml b/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml
index e9def9783..21112bdf4 100644
--- a/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-03-23
 modified: 2025-10-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 - attack.t1027
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml b/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml
index 9603d0bbe..363fa298e 100644
--- a/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml
@@ -8,7 +8,7 @@ references:
 author: frack113
 date: 2022-11-18
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
index 4322be46e..d784c6f1e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml
@@ -12,8 +12,8 @@ author: Markus Neis, @Kostastsale
 date: 2018-08-17
 modified: 2023-02-03
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml
index 0c159f1df..17ae1f86e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml
@@ -11,8 +11,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-04
 modified: 2023-05-09
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml
index 3a908d007..e1b06869d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-07-11
 modified: 2023-02-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
index f6094e19c..d4753d0da 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-08-24
 modified: 2023-04-06
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
index 9681b6f08..d94577685 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml
@@ -12,8 +12,8 @@ date: 2022-05-20
 modified: 2023-04-06
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
- - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
index 78bad8367..9fc0d14b2 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml
@@ -10,8 +10,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-03-04
 modified: 2023-01-30
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml
index ad125631a..f3f171441 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml
@@ -13,8 +13,8 @@ date: 2022-03-01
 modified: 2023-01-30
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
- - attack.defense-evasion
 - attack.t1027
 - attack.t1620
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
index 6a30b5efb..bb0910ea3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml
@@ -14,7 +14,7 @@ date: 2022-03-01
 modified: 2023-04-06
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1059.001
 - attack.t1027
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
index d655058c8..243ebf6e9 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
@@ -11,8 +11,8 @@ author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Sy
 date: 2023-01-30
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
- - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml
index 1416a2da3..fe6ff0aa6 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shorn
 date: 2020-10-14
 modified: 2023-08-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml
index d9067f4b9..2c1e53e99 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml
@@ -9,7 +9,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022-05-21
 modified: 2023-08-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml
index cdea7db43..e65d6157c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shorn
 date: 2022-05-21
 modified: 2023-08-17
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
index e7a0388af..3a7441a35 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
@@ -9,7 +9,7 @@ author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim S
 date: 2020-10-11
 modified: 2023-02-01
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml
index cc533274c..75af47eba 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml
@@ -9,7 +9,7 @@ author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim S
 date: 2020-10-11
 modified: 2023-05-31
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
index 1f1e2ea00..3d6b33c02 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
@@ -9,7 +9,7 @@ date: 2020-10-15
 modified: 2024-04-15
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi.yml b/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi.yml
index 90b7223b4..dd0fbb111 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi.yml
@@ -14,7 +14,7 @@ references:
 author: Meroujan Antonyan (vx3r)
 date: 2025-05-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.010
 - attack.t1218.007
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi_remote.yml b/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi_remote.yml
index 2c50aaa1a..cbdc3621f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi_remote.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi_remote.yml
@@ -14,8 +14,8 @@ author: Meroujan Antonyan (vx3r)
 date: 2025-06-05
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
- - attack.defense-evasion
 - attack.t1218
 - attack.command-and-control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
index 9a1a53645..e18cf171f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
@@ -10,8 +10,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-03-03
 modified: 2024-01-02
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
index 8a0b3a335..ff1b466fc 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
@@ -13,8 +13,8 @@ author: Florian Roth (Nextron Systems)
 date: 2021-04-29
 modified: 2022-05-12
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
index 85e540109..7eeffebdf 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
@@ -10,8 +10,8 @@ author: 'ok @securonix invrep-de, oscd.community, frack113'
 date: 2020-10-12
 modified: 2022-11-18
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
index 2fe327847..c29c0def4 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml
@@ -11,8 +11,8 @@ author: Tim Rauch, Elastic (idea)
 date: 2022-09-14
 modified: 2023-02-13
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml
index 36fc38dee..708426030 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml
@@ -8,8 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2020-06-19
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
index 26be469ce..a388b89f0 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
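Review bot: The disable_firewall hunk in this line maps the parent technique `attack.t1562` onto the same `attack.t1685` that the surrounding hunks use for the `t1562.001` AMSI/Defender rules, which only holds if v19 folds firewall modification into T1685 as well. In earlier ATT&CK versions firewall changes had their own sub-technique (T1562.004), and this rule deliberately carried the parent ID rather than `.001`, so please confirm against the v19 STIX bundle whether T1685 is the intended successor or whether a separate firewall technique exists that fits better. If a dedicated ID exists, the line should read that ID instead of `+ - attack.t1685`. Only the tag block is visible; the detection logic of the rule lies outside the hunk.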
+++ b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml
@@ -12,7 +12,6 @@ author: Harish Segar (rule)
 date: 2020-03-20
 modified: 2023-01-04
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml
index 06a8a63c1..07944ea26 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml
@@ -9,10 +9,10 @@ author: '@Kostastsale, TheDFIRReport'
 date: 2022-05-09
 modified: 2025-04-16
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.defense-impairment
 - attack.t1059.001
- - attack.t1562.001
+ - attack.t1685
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
index 8969a822a..3b12fcf8f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
@@ -14,7 +14,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml
index 4f109282f..e7dfb9a6e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml
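Review bot: The downgrade_attack hunk removes `attack.defense-evasion` without adding any successor tactic, leaving the rule tagged only with `attack.execution` / `attack.t1059.001`, so the evasion aspect that, judging by the rule name, motivates the rule (forcing an older PowerShell engine to sidestep newer logging and AMSI hooks) is no longer represented. Every other hunk in this change that retires `defense-evasion` replaces it with either `attack.stealth` or `attack.defense-impairment`; the download_cradle_obfuscated hunk on this same line, which likewise concerns AMSI-related bypasses, gets `attack.defense-impairment` plus `attack.t1685`. Unless v19 maps engine downgrade solely to T1059.001, I would add `- attack.defense-impairment` here so the rule remains discoverable under the new tactic. Only the tag block is in view; the detection section lies outside the hunk.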
+++ b/rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml
@@ -11,7 +11,7 @@ author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim S
 date: 2020-10-11
 modified: 2023-01-26
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
index eafd27c7c..5f73612b6 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
@@ -8,8 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2020-01-29
 modified: 2023-01-26
 tags:
+ - attack.stealth
 - attack.t1027
- - attack.defense-evasion
 - attack.execution
 - attack.t1140
 - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
index 344bff202..88206a752 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
@@ -14,8 +14,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-17
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
 - attack.t1574.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
index 442667b7b..374723a64 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
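Review bot: The hide_services_via_set_service hunk introduces `attack.execution` as a brand-new tactic, which is the only place in the visible hunks where a tactic is added rather than renamed, and nothing in the tag list backs it: the sole technique tag, `attack.t1574.011`, is a Hijack Execution Flow sub-technique that at least through v18 maps to Persistence, Privilege Escalation and Defense Evasion, not Execution. If v19 really attaches an Execution mapping to T1574.011 that is fine, but otherwise the hunk should be limited to the evasion rename so the tags stay `- attack.persistence`, `- attack.privilege-escalation`, `- attack.stealth`, `- attack.t1574.011`. A one-line note in the PR description explaining the extra tactic would also help future tag audits. The detection block of this rule is outside the hunk.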
+++ b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-09
 modified: 2023-01-16
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
index 8c9071e47..26cad8e32 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
@@ -14,7 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-31
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
index db5ff8244..6a3c4eefb 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
@@ -14,7 +14,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-05
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml b/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
index ffe144301..4c1634478 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
@@ -9,8 +9,8 @@ date: 2020-07-09
 modified: 2025-03-03
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
- - attack.defense-evasion
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml b/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
index ef01c0e95..8a9c45389 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
@@ -16,7 +16,7 @@ author: frack113
 date: 2021-07-13
 modified: 2023-05-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml
index c056a2663..578c0899b 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml
@@ -10,8 +10,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-05
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
index 08a0188a7..675a543e2 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
@@ -8,7 +8,7 @@ author: Sergey Soldatov, Kaspersky Lab, oscd.community
 date: 2019-10-30
 modified: 2022-07-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
index c9e429ead..e505e8cf4 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
@@ -9,7 +9,6 @@ author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
 date: 2020-10-17
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
index edd87ef7c..875853b5e 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml
@@ -15,7 +15,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-18
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
index 1d1fe711c..929e73505 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
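Review bot: The run_script_from_input_stream hunk drops `attack.defense-evasion` with no replacement, leaving only `attack.execution` / `attack.t1059`, while the sibling run_script_from_ads rule at the start of this same line is migrated to `attack.stealth`. Judging by the rule name, feeding a script through stdin serves the same purpose as running it from an alternate data stream (keeping the script body off disk and out of file-based telemetry), so the two rules should land on the same tactic under v19. Unless the evasion aspect was dropped on purpose, add `- attack.stealth` here to match. Only the tag block is visible; the detection logic sits outside the hunk.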
@@ -15,7 +15,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-10-18
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
index 5bdfbc58a..693830fc3 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-04
 tags:
 - attack.execution
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
index 80534e810..458f473a8 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml
@@ -11,7 +11,7 @@ author: frack113
 date: 2022-12-27
 modified: 2026-03-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027.009
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_uninstall_defender_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_uninstall_defender_feature.yml
index 89a3a7e21..d5e9e9190 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_uninstall_defender_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_uninstall_defender_feature.yml
@@ -9,8 +9,8 @@ references:
 author: yxinmiracle
 date: 2025-08-22
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
index 34aa33f22..9e5f99faf 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
@@ -12,7 +12,7 @@ references:
 author: frack113
 date: 2022-12-23
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1553.004
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index 95e2ed443..b1154dbda 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -14,8 +14,8 @@ author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy
 date: 2018-09-05
 modified: 2023-01-30
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1059.001
 - attack.t1140
 - attack.t1027
diff --git a/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml b/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
index 07b9b3387..b9a0126f0 100644
--- a/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_presentationhost_download.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-11-09
tags:
- - attack.defense-evasion
- attack.execution
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml b/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
index 24d674c5e..8bd3d8f36 100644
--- a/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml
@@ -9,8 +9,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-01
modified: 2023-11-09
tags:
- - attack.defense-evasion
- attack.execution
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
index aaff7ae7c..7c578439a 100644
--- a/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml
@@ -13,7 +13,7 @@ date: 2022-01-11
modified: 2023-04-11
tags:
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files.yml b/rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files.yml
index 20fa3c37d..279893e69 100644
--- a/rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files.yml
@@ -11,9 +11,9 @@ author: Ayush Anand (Securityinbits)
date: 2026-04-28
tags:
- attack.credential-access
+ - attack.stealth
- attack.t1003.003
- attack.t1003.002
- - attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml b/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
index 2425b4ea5..a981640ca 100644
--- a/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
+++ b/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml
@@ -9,7 +9,7 @@ author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
date: 2020-10-05
modified: 2022-07-07
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml b/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
index 497bffec3..49e2cd458 100644
--- a/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml
@@ -10,7 +10,7 @@ author: frack113
date: 2021-07-13
modified: 2023-11-09
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
index 1f65531f6..50fad4ecf 100644
--- a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml
@@ -15,7 +15,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
index 8acfb9187..869130e13 100644
--- a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml
@@ -15,7 +15,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-08
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
index 82c0f23b9..d0ecb31bc 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml
@@ -15,8 +15,8 @@ date: 2022-01-20
modified: 2023-02-21
tags:
- attack.execution
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.stealth
- attack.t1564.003
- attack.t1134.002
- attack.t1059.003
diff --git a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
index c02e45a7b..37d6f6a56 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
@@ -14,8 +14,8 @@ author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.stealth
- attack.t1134.002
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
index 724e5c03b..714b10bf0 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-14
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
index 74a3dd008..97abd9f85 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
date: 2022-08-30
modified: 2023-02-04
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1027.005
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
index f56f78b16..1937accf3 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml
@@ -15,10 +15,10 @@ author: Florian Roth (Nextron Systems)
date: 2022-10-10
modified: 2024-11-23
tags:
- - attack.defense-evasion
- attack.discovery
- attack.persistence
- attack.privilege-escalation
+ - attack.stealth
- attack.t1622
- attack.t1564
- attack.t1543
diff --git a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
index bd2bd540f..058964b31 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml
@@ -10,7 +10,7 @@ author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1036.003
- attack.t1036
- attack.t1027.005
diff --git a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
index 9d599252d..373c940c6 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml
@@ -14,7 +14,7 @@ tags:
- attack.persistence
- attack.privilege-escalation
- attack.discovery
- - attack.defense-evasion
+ - attack.stealth
- attack.t1082
- attack.t1564
- attack.t1543
diff --git a/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml b/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml
index e703204d5..6c70403c5 100644
--- a/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml
@@ -15,8 +15,8 @@ author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
- attack.execution
+ - attack.stealth
- attack.t1059.006
- - attack.defense-evasion
- attack.t1027.010
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml b/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml
index 276d8fb5c..60df424d8 100644
--- a/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rasdial_execution.yml
@@ -8,7 +8,6 @@ author: juju4
date: 2019-01-16
modified: 2021-11-27
tags:
- - attack.defense-evasion
- attack.execution
- attack.t1059
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
index 689ab6957..3fbf9efc9 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
@@ -11,8 +11,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
index 6b7ca4798..b31b04313 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
@@ -10,8 +10,8 @@ date: 2020-10-29
modified: 2022-10-09
tags:
- attack.persistence
- - attack.defense-evasion
- attack.credential-access
+ - attack.defense-impairment
- attack.t1556.002
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
index cf02453be..b44413824 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml
@@ -9,8 +9,8 @@ author: frack113
date: 2022-02-13
modified: 2023-02-04
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml
index e2b9611d7..e4d22e80b 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml
@@ -13,7 +13,7 @@ references:
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070.003
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
index e869a8985..6315f1f0d 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -11,8 +11,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-08-08
modified: 2023-02-04
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
index b624d9c85..b211b0a23 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-02-04
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
index 20a2685d8..5636cb620 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml
@@ -18,8 +18,8 @@ author: Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
tags:
- attack.persistence
- - attack.defense-evasion
- attack.impact
+ - attack.defense-impairment
- attack.t1112
- attack.t1491.001
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml b/rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml
index 610afdb58..c0cd40d61 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml
@@ -17,8 +17,8 @@ references:
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
index 4af53ef91..2ae001bfb 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
@@ -11,8 +11,8 @@ author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
date: 2021-07-14
modified: 2023-06-05
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
index 1f476c772..bbc8dc778 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
@@ -12,8 +12,8 @@ date: 2022-08-01
modified: 2023-02-05
tags:
- attack.persistence
+ - attack.defense-impairment
- attack.t1112
- - attack.defense-evasion
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index 65d488a2e..12c946847 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -17,7 +17,7 @@ date: 2023-01-13
modified: 2025-08-28
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml b/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
index 45b66c49e..2947b56c0 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
@@ -10,8 +10,8 @@ references:
author: frack113
date: 2022-08-19
tags:
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.defense-impairment
- attack.t1484.001
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
index 2c54f61f1..258b75f40 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
@@ -16,7 +16,7 @@ date: 2023-12-15
modified: 2023-12-22
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
index cfcd04a91..53fafa5e4 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
@@ -23,8 +23,8 @@ date: 2022-02-12
modified: 2025-11-22
tags:
- attack.persistence
- - attack.defense-evasion
- attack.lateral-movement
+ - attack.defense-impairment
- attack.t1021.001
- attack.t1112
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
index 7a7e81fb2..d12a9bac4 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -12,8 +12,9 @@ date: 2021-12-30
modified: 2024-03-13
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.persistence
+ - attack.execution
+ - attack.stealth
- attack.t1574.011
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
index ff558683e..197d76073 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
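Review bot: proc_creation_win_reg_service_imagepath_change.yml picks up a new tactic, `    - attack.execution`, on top of the `attack.defense-evasion` to `attack.stealth` rename, so this hunk widens the rule's tactic coverage rather than only translating vocabulary; the same addition appears in proc_creation_win_registry_cimprovider_dll_load.yml and proc_creation_win_registry_privilege_escalation_via_service_key.yml, all three tagged with `attack.t1574` or `attack.t1574.011`. Presumably this follows the v19 tactic set for that technique, and it does line up with proc_creation_win_regsvr32_uncommon_extension.yml, which already carried `attack.execution` next to `attack.t1574`. The commit message describes the change as a tag update only, so a sentence in the description noting that some T1574 rules gain a tactic would help anyone comparing rule coverage before and after the upgrade.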
+++ b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
@@ -11,9 +11,9 @@ date: 2022-08-19
modified: 2022-10-10
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
- - attack.t1562.001
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
index ce0555afa..03bcd61cf 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
@@ -8,8 +8,8 @@ author: Florian Roth (Nextron Systems)
date: 2021-01-28
modified: 2023-12-15
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
index 3186c08a5..ba2b3ca8d 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
@@ -12,8 +12,8 @@ author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine
date: 2022-03-22
modified: 2025-06-04
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
index 495207ebd..81f019e55 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
@@ -10,8 +10,8 @@ author: Sreeman
date: 2021-06-11
modified: 2024-01-18
tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regasm_no_flag_or_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_no_flag_or_dll_execution.yml
index 4566412d7..45cfbd01f 100644
--- a/rules/windows/process_creation/proc_creation_win_regasm_no_flag_or_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regasm_no_flag_or_dll_execution.yml
@@ -13,7 +13,7 @@ references:
author: frack113
date: 2025-06-04
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.009
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
index f57026d73..99112c9f0 100644
--- a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml
@@ -12,7 +12,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.009
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
index 6d05c27a4..303569a0d 100644
--- a/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml
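Review bot: In proc_creation_win_reg_write_protect_for_storage_disabled.yml the tag being replaced is the parent technique `attack.t1562`, whereas every other hunk in this batch that lands on `attack.t1685` starts from the sub-technique `attack.t1562.001`; worth confirming that a parent-level tag is meant to collapse onto the same new ID rather than onto a parent-level equivalent, since this is the one rule where the mapping was not one-to-one. If the collapse is intended, the only line to revisit is `    - attack.t1685`, and a one-word mention in the commit description that parent and sub-technique both map there would save the next reader the same question. The hunk is self-contained; no other change is needed.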
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
modified: 2023-02-13
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.009
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
index 7e16665fc..cdd9c3067 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml
@@ -13,8 +13,8 @@ date: 2020-10-07
modified: 2024-03-13
tags:
- attack.persistence
+ - attack.defense-impairment
- attack.t1112
- - attack.defense-evasion
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
index da41354f0..2e7deb043 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
@@ -13,8 +13,8 @@ date: 2020-10-12
modified: 2024-03-13
tags:
- attack.persistence
+ - attack.defense-impairment
- attack.t1112
- - attack.defense-evasion
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
index b434b6945..983759d1b 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
@@ -8,7 +8,6 @@ author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.t1548
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
index 887319505..69ff82e17 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml
@@ -14,8 +14,8 @@ date: 2020-10-12
modified: 2023-02-08
tags:
- attack.persistence
+ - attack.defense-impairment
- attack.t1112
- - attack.defense-evasion
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_regini_execution.yml b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
index 7b5849a72..ddf566dab 100644
--- a/rules/windows/process_creation/proc_creation_win_regini_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_regini_execution.yml
@@ -14,8 +14,8 @@ date: 2020-10-08
modified: 2023-02-08
tags:
- attack.persistence
+ - attack.defense-impairment
- attack.t1112
- - attack.defense-evasion
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
index fdf5f1633..4ffbf1953 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml
@@ -11,7 +11,8 @@ modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
index aea746113..ce04551f4 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml
@@ -15,7 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
- attack.execution
- - attack.defense-evasion
+ - attack.stealth
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml b/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml
index 81984c068..c70d2b138 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml
@@ -12,8 +12,8 @@ references:
author: '@Kostastsale'
date: 2023-08-22
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
index 926d8bdea..26a92e48d 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
@@ -10,8 +10,9 @@ date: 2019-10-26
modified: 2024-12-01
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574.011
logsource:
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
index 69dd19d83..d14204a7a 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml
@@ -15,7 +15,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
index 1ee3cd6dd..b1eac1bff 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml
@@ -14,7 +14,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
product: windows
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml b/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml
index bd9edb23b..de735ce64 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml
@@ -15,7 +15,7 @@ author: '@Kostastsale, TheDFIRReport'
date: 2022-05-14
modified: 2024-08-23
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1564.002
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
index e0a2546f4..97fb8a3d1 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
date: 2019-07-13
modified: 2024-03-13
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.010
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
index e68d4df0e..16ba78710 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
@@ -10,7 +10,7 @@ author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-24
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.010
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
index af1bcb191..bdba5a7de 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
@@ -13,7 +13,7 @@ author: Florian Roth (Nextron Systems)
date: 2023-05-24
modified: 2023-05-26
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.010
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
index c16260557..6dd125e42 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
@@ -7,7 +7,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.010
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
index ba846ced3..ebc4f0276 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
@@ -13,7 +13,7 @@ author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron
date: 2022-05-05
modified: 2023-05-26
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.010
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
index 9c285592f..986a09cd4 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
@@ -11,7 +11,7 @@ references:
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.010
logsource:
category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
index 2b4071b63..4ac91bd4d 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-26
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
index 49da31966..179d9299f 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
@@ -14,7 +14,7 @@ author: Florian Roth (Nextron Systems), frack113
 date: 2021-11-29
 modified: 2025-08-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
index b7021462f..e668f6368 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml
@@ -11,7 +11,7 @@ references:
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-26
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
index 9bb848807..1807f6fc2 100644
--- a/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
@@ -10,7 +10,7 @@ modified: 2023-05-24
 tags:
     - attack.privilege-escalation
     - attack.persistence
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1574
     - attack.execution
 logsource:
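Review bot: In the proc_creation_win_regsvr32_uncommon_extension.yml hunk the tag is swapped in place, so the resulting list is `attack.privilege-escalation`, `attack.persistence`, `attack.stealth`, `attack.t1574`, `attack.execution` — a tactic trailing the technique id and the tactics out of alphabetical order — while other hunks of this commit (renamed_curl, renamed_ftp, renamed_mavinject, renamed_rurat, rundll32_udl_exec, rundll32_unc_path) move the new tag so that tactics are sorted and precede technique ids. Moving `- attack.execution` above `- attack.t1574` and `- attack.persistence` above `- attack.privilege-escalation` would give this file the same layout. The same in-place pattern leaves `attack.credential-access` after the technique ids in renamed_createdump and appends `attack.execution` after `attack.privilege-escalation` in the sc_change_sevice_image_path_by_non_admin, sc_sdset_hide_sevices, sc_sdset_modification and sc_service_tamper_for_persistence hunks. If the repository's tag test only checks membership this is cosmetic, but one ordering across the commit makes the v19 remap easier to audit.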
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
index abfab0a37..dc151e557 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-19
 modified: 2024-11-23
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml
index 1f4e44b27..38ab31e26 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml
@@ -19,7 +19,7 @@ author: Norbert Jaśniewicz (AlphaSOC)
 date: 2025-05-19
 tags:
     - attack.command-and-control
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1219.002
     - attack.t1036.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
index 7ef274cfa..f84623026 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-19
 modified: 2023-03-05
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml b/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml
index 7163fc610..c009b1ab1 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml
@@ -8,7 +8,7 @@ references:
 author: Nasreddine Bencherchali
 date: 2023-02-07
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
index c3dd2775f..c99fe419b 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml
@@ -12,7 +12,7 @@ author: Florian Roth (Nextron Systems)
 date: 2023-06-04
 modified: 2024-11-23
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1027
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
index 3b05e37a6..bbb4f3444 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
@@ -14,7 +14,7 @@ author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.communi
 date: 2019-06-15
 modified: 2025-07-15
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
index ddf0b035f..7a5abd4ab 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -24,7 +24,7 @@ author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
 date: 2019-06-15
 modified: 2026-02-12
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.003
     - car.2013-05-009
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml b/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
index 29dfd682c..2aee364cb 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml
@@ -9,7 +9,7 @@ references:
 author: Matt Anderson (Huntress)
 date: 2024-07-23
 tags:
-    - attack.defense-evasion
+    - attack.defense-impairment
     - attack.t1553
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
index 61167c55a..8bc0af491 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml
@@ -9,7 +9,7 @@ date: 2022-06-02
 modified: 2023-02-03
 tags:
     - attack.credential-access
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1528
     - attack.t1036.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
index a06f30da8..7e6a0cad3 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml
@@ -12,7 +12,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-09-20
 modified: 2023-02-14
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036
     - attack.t1003.001
     - attack.credential-access
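Review bot: The proc_creation_win_renamed_boinc.yml hunk maps the removed defense-evasion tag to `attack.defense-impairment`, while nearly every other rule in this commit goes to `attack.stealth`, and nothing in the hunk ties that choice to the technique on the next context line, `attack.t1553`. The only other hunks in view that take defense-impairment carry `attack.t1112` (rundll32_susp_shimcache_flush, runonce_execution) or change the technique id at the same time (sc_disable_service), so this is the one case where the tactic was chosen for an unchanged, different technique; it is worth checking against the v19 technique-to-tactic table before merging rather than relying on the rule's "renamed binary" theme. If the table lists T1553 under the other new tactic, the fix is the one-line swap back to `- attack.stealth`.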
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
index a2dd63837..c61f72fea 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_curl.yml
@@ -9,8 +9,8 @@ date: 2023-09-11
 modified: 2023-10-12
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1059
-    - attack.defense-evasion
     - attack.t1202
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
index 855a3a114..86e0dcc83 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
@@ -13,7 +13,7 @@ date: 2020-01-28
 modified: 2025-01-22
 tags:
     - attack.privilege-escalation
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036
     - attack.t1055.001
     - attack.t1202
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml b/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml
index 37e25f9ea..653f4f3a3 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml
@@ -9,8 +9,8 @@ date: 2020-10-09
 modified: 2023-02-03
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1059
-    - attack.defense-evasion
     - attack.t1202
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
index 7150ee30f..3f7233aa7 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml
@@ -9,7 +9,7 @@ date: 2019-06-04
 modified: 2023-02-03
 tags:
     - attack.execution
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
index 858a13222..307e65152 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
@@ -15,8 +15,8 @@ author: frack113, Florian Roth
 date: 2022-12-05
 modified: 2023-02-03
 tags:
-    - attack.defense-evasion
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1055.001
     - attack.t1218.013
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml b/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
index 188232b83..567c8cef5 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml
@@ -8,7 +8,7 @@ author: Sittikorn S
 date: 2021-06-22
 modified: 2023-02-03
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
index f5496247b..55684dc63 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml
@@ -8,7 +8,7 @@ author: pH-T (Nextron Systems)
 date: 2022-06-03
 modified: 2023-02-03
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
index 65fd63328..4f4dc9730 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_msteams.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-12
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
index 41b356c44..d90e0eef2 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-19
 modified: 2024-11-23
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
index 858800834..80ca3be00 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml
@@ -9,8 +9,8 @@ author: X__Junior (Nextron Systems)
 date: 2024-03-11
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1059
-    - attack.defense-evasion
     - attack.t1202
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
index 0d2f62dd4..5475650f9 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-20
 modified: 2025-12-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.003
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
index bc58e99e8..568ed655d 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
@@ -12,7 +12,7 @@ author: Florian Roth (Nextron Systems), Jason Lynch
 date: 2021-05-22
 modified: 2024-11-23
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1202
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml
index 30eed2445..8f9fe7f5a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml
@@ -9,8 +9,8 @@ author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 date: 2024-01-11
 tags:
     - attack.execution
+    - attack.stealth
     - attack.t1059
-    - attack.defense-evasion
     - attack.t1202
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
index 500a51555..e98414883 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_plink.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-06
 modified: 2023-02-03
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml b/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
index 721d9c4cf..c9cec2bb8 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
@@ -12,7 +12,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems
 date: 2023-04-11
 tags:
     - attack.execution
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
index 218c4ae45..7eaeb35d8 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml
@@ -8,10 +8,10 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-19
 modified: 2023-02-03
 tags:
-    - attack.defense-evasion
     - attack.collection
     - attack.command-and-control
     - attack.discovery
+    - attack.stealth
     - attack.s0592
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_schtasks_execution.yml b/rules/windows/process_creation/proc_creation_win_renamed_schtasks_execution.yml
index 54e042660..1718a5fe1 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_schtasks_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_schtasks_execution.yml
@@ -11,10 +11,10 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-11-27
 tags:
-    - attack.defense-evasion
     - attack.execution
     - attack.persistence
     - attack.privilege-escalation
+    - attack.stealth
     - attack.t1036.003
     - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
index 0fca0d71e..1d0070615 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
@@ -13,7 +13,7 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2019-11-18
 modified: 2024-06-25
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.003
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
index 216434f1a..5a9c9ab6a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml
@@ -10,7 +10,8 @@ modified: 2023-02-03
 tags:
     - attack.privilege-escalation
     - attack.persistence
-    - attack.defense-evasion
+    - attack.execution
+    - attack.stealth
     - attack.t1574.001
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
index 1656fada0..ddbe16f5a 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
@@ -8,7 +8,7 @@ author: Harjot Singh, '@cyb3rjy0t'
 date: 2023-01-21
 modified: 2026-03-16
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1564.004
 logsource:
     category: process_creation
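Review bot: In the proc_creation_win_renamed_vmnat.yml hunk `attack.execution` is a newly added tactic rather than a rename of the removed `attack.defense-evasion`, which is more than the commit title ("update mitre tags to use attack v19") announces. The same addition is made next to `attack.t1574.011` in the sc_change_sevice_image_path_by_non_admin, sc_sdset_hide_sevices, sc_sdset_modification and sc_service_tamper_for_persistence hunks, and the pre-existing `attack.execution` beside `attack.t1574` in regsvr32_uncommon_extension suggests it is deliberate, but the diff alone does not show whether v19 now lists Hijack Execution Flow under Execution or whether these were added by hand. A sentence in the PR description naming the tactic additions, or a separate commit for them, would let a reviewer verify the remap against the ATT&CK data rather than infer it.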
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
index 4b2b4647d..50c0d2ad8 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml
@@ -8,7 +8,7 @@ references:
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-17
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
index 5ac05e97d..89a2f379e 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
@@ -9,7 +9,7 @@ date: 2021-03-05
 modified: 2022-10-09
 tags:
     - attack.privilege-escalation
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1055
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
index a65e79cc4..c3787669e 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
@@ -9,8 +9,8 @@ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
 date: 2022-04-28
 modified: 2023-02-09
 tags:
+    - attack.stealth
     - attack.t1218.011
-    - attack.defense-evasion
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
index d2b0e7896..d69d3712a 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
@@ -16,8 +16,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron System
 date: 2022-08-14
 modified: 2024-02-23
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
index 44da78da8..c72388f02 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-05-27
 modified: 2023-08-31
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1202
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
index 24f785be4..4da9f6472 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (
 date: 2023-05-17
 modified: 2025-02-23
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1027.010
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index 0a3227f92..0f044badf 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -9,7 +9,7 @@ author: CD_ROM_
 date: 2022-05-21
 modified: 2023-08-31
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
index 3352960b9..406030b37 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml
@@ -18,8 +18,8 @@ author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron
 date: 2020-02-18
 modified: 2025-02-23
 tags:
-    - attack.defense-evasion
     - attack.credential-access
+    - attack.stealth
     - attack.t1036
     - attack.t1003.001
     - car.2013-05-009
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml b/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml
index 2e1963903..128a4aa54 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml
@@ -8,7 +8,7 @@ author: juju4, Jonhnathan Ribeiro, oscd.community
 date: 2019-01-16
 modified: 2022-01-07
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036
     - car.2013-05-002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
index d59b473b8..885a93613 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
@@ -11,7 +11,7 @@ author: Konstantin Grishchenko, oscd.community
 date: 2020-10-07
 modified: 2021-11-27
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml
index fc7dfe938..447f47bbd 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml
@@ -8,8 +8,8 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-11-24
 modified: 2023-02-09
 tags:
-    - attack.defense-evasion
     - attack.execution
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
index e64616f67..855cfdd6f 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml
@@ -8,7 +8,7 @@ author: X__Junior (Nextron Systems)
 date: 2023-06-20
 tags:
     - attack.execution
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml
index d9a6b8cb8..3b57a4c4e 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml
@@ -8,7 +8,7 @@ author: elhoim, CD_ROM_
 date: 2022-04-27
 modified: 2022-05-25
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
index 6cfa9d4ab..060c6ac83 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
@@ -13,7 +13,7 @@ author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Next
 date: 2019-01-16
 modified: 2023-05-17
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
index 6cdc61deb..218aa94fb 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-04-15
 modified: 2023-02-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
index 2795efa6d..ca8223503 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml
@@ -10,7 +10,7 @@ references:
 author: Hieu Tran
 date: 2023-03-13
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
index 35693d65b..9fe0918f5 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
@@ -15,7 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-01
 modified: 2022-12-30
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml
index 47e11cc02..5d66aea86 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml
@@ -15,7 +15,7 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-12-01
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
index c041b7204..d1aac5987 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-02-01
 tags:
     - attack.persistence
-    - attack.defense-evasion
+    - attack.defense-impairment
     - attack.t1112
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml b/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml
index 7e27c3ab3..5317e2657 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-05
 modified: 2022-10-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml b/rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml
index 29d3ee3a3..42c9bd48b 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml
@@ -9,9 +9,9 @@ references:
 author: '@kostastsale'
 date: 2024-08-16
 tags:
-    - attack.defense-evasion
     - attack.execution
     - attack.command-and-control
+    - attack.stealth
     - attack.t1218.011
     - attack.t1071
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
index 2f9679146..767e9266c 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
@@ -7,9 +7,9 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-10
 tags:
-    - attack.defense-evasion
     - attack.execution
     - attack.lateral-movement
+    - attack.stealth
     - attack.t1021.002
     - attack.t1218.011
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
index 4da867588..eb07a7465 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
@@ -8,7 +8,7 @@ author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
 date: 2022-01-13
 modified: 2024-04-04
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1218.011
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
index a42d3a860..4080dca15 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2022-06-04
 modified: 2023-02-09
 tags:
-    - attack.defense-evasion
+    - attack.stealth
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
index ad12be4ac..25d4cf2d1 100644
--- a/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_runonce_execution.yml
@@ -11,7 +11,7 @@ date: 2020-10-18
 modified: 2022-12-13
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
index 740e1f895..5cf9f67ef 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
@@ -10,8 +10,9 @@ date: 2019-10-26
 modified: 2024-12-01
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
 - attack.t1574.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
index df12c6996..efad8018c 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
@@ -9,8 +9,8 @@ date: 2022-08-01
 modified: 2023-03-04
 tags:
 - attack.execution
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml
index b1261f9c6..8635cda3e 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml
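Review bot: Sub-technique precision is dropped in proc_creation_win_sc_disable_service.yml, where `- attack.t1562.001` becomes the parent-only `- attack.t1685`; the same happens in proc_creation_win_susp_disable_raccine.yml and for `attack.t1562.006` in proc_creation_win_susp_etw_trace_evasion.yml, whereas `attack.t1562.002` elsewhere in this change is mapped to the sub-technique `attack.t1685.001`. If ATT&CK v19 defines sub-techniques corresponding to the former T1562.001 and T1562.006, these rules should carry them so coverage reports keep the granularity they had before. If those sub-techniques were folded into the parent in v19, a note in the commit description naming the intentional downgrades would make the mapping reviewable without consulting the matrix.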
@@ -17,8 +17,9 @@ date: 2021-12-20
 modified: 2022-08-08
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
 - attack.t1574.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
index 08a56a06d..ac49c72f8 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml
@@ -17,8 +17,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-28
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
 - attack.t1574.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
index 0b9cf254d..7f032f7e1 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
@@ -9,8 +9,9 @@ date: 2020-09-29
 modified: 2023-02-04
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.persistence
+ - attack.execution
+ - attack.stealth
 - attack.t1543.003
 - attack.t1574.011
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml b/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
index b238f764a..91be60bd0 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml
@@ -12,8 +12,8 @@ tags:
 - attack.privilege-escalation
 - attack.execution
 - attack.persistence
+ - attack.stealth
 - attack.t1053.005
- - attack.defense-evasion
 - attack.t1218
 - attack.command-and-control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index 492319dd9..e30fa0c74 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -11,8 +11,8 @@ modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.execution
- - attack.defense-evasion
 - attack.persistence
+ - attack.stealth
 - attack.t1036.005
 - attack.t1053.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
index 3639f409b..26e62b6c3 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml
@@ -10,8 +10,8 @@ tags:
 - attack.privilege-escalation
 - attack.execution
 - attack.persistence
+ - attack.stealth
 - attack.t1053.005
- - attack.defense-evasion
 - attack.t1036.004
 - attack.t1036.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
index ebb556620..9863eb337 100644
--- a/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml
@@ -9,7 +9,6 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
index b15151218..9d3dca3e8 100644
--- a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
@@ -12,7 +12,7 @@ author: Nextron Systems, @Kostastsale
 date: 2022-06-01
 modified: 2024-08-23
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
index 80fa5ea93..b882d6ff1 100644
--- a/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
@@ -12,14 +12,16 @@ tags:
 - attack.collection
 - attack.discovery
 - attack.persistence
- - attack.defense-evasion
 - attack.credential-access
 - attack.privilege-escalation
- - attack.t1562.002
+ - attack.execution
+ - attack.stealth
+ - attack.defense-impairment
+ - attack.t1685.001
 - attack.t1547.001
 - attack.t1505.005
 - attack.t1556.002
- - attack.t1562
+ - attack.t1685
 - attack.t1574.007
 - attack.t1564.002
 - attack.t1546.008
diff --git a/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
index b2471cb1c..3d1fbea6c 100644
--- a/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml
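Review bot: The rewritten tag list in proc_creation_win_secedit_execution.yml carries both `- attack.t1685.001` and its parent `- attack.t1685`, inherited from the old `attack.t1562.002` / `attack.t1562` pair. Since the commit replaces both lines anyway, this is the natural moment to drop the redundant parent tag if the repository prefers the most specific technique only; otherwise the parent keeps being counted twice in coverage views built from these tags. The `tags:` list of that rule appears to continue past the end of the hunk.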
@@ -14,7 +14,7 @@ author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
 date: 2022-12-11
 modified: 2024-06-26
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
index d6647c5f6..9af162245 100644
--- a/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml
@@ -12,7 +12,8 @@ date: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1574.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml b/rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml
index f080d2fe0..9dd9eafc9 100644
--- a/rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml
@@ -10,7 +10,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2026-04-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml
index 95a0e581c..06cbdb8f1 100644
--- a/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-19
 modified: 2024-08-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_speechruntime_child_process.yml b/rules/windows/process_creation/proc_creation_win_speechruntime_child_process.yml
index 5110fa9f2..469a7d86e 100644
--- a/rules/windows/process_creation/proc_creation_win_speechruntime_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_speechruntime_child_process.yml
@@ -12,8 +12,8 @@ logsource:
 category: process_creation
 product: windows
 tags:
- - attack.defense-evasion
 - attack.lateral-movement
+ - attack.stealth
 - attack.t1021.003
 - attack.t1218
 detection:
diff --git a/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml b/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
index 1f1cc3acc..8bc95e3d3 100644
--- a/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-08-23
 modified: 2022-12-25
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
index d63ab228f..8fcad8536 100644
--- a/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_squirrel_download.yml
@@ -16,8 +16,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonh
 date: 2022-06-09
 modified: 2023-11-09
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
index 6114f16f6..68252814c 100644
--- a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml
@@ -16,8 +16,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonh
 date: 2022-06-09
 modified: 2025-10-07
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml
index 92d2d53d4..ba79c1909 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml
@@ -12,7 +12,7 @@ author: frack113, Nasreddine Bencherchali
 date: 2022-12-29
 modified: 2025-10-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
index ca0bc2f51..f7443a72e 100644
--- a/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
@@ -9,7 +9,7 @@ author: Austin Songer (@austinsonger)
 date: 2021-10-21
 modified: 2022-12-25
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml
index 004cd7902..bf6cbf4c9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml
@@ -10,7 +10,7 @@ references:
 author: frack113
 date: 2022-07-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
index 95c520110..ae026e1a3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml
@@ -8,7 +8,6 @@ author: 'Semanur Guneysu @semanurtg, oscd.community'
 date: 2020-10-28
 modified: 2022-11-11
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml b/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
index 3f4165ee6..82fc1003b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
@@ -8,7 +8,7 @@ author: frack113
 date: 2021-09-01
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
index 286962327..8e4efb8d4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
@@ -8,7 +8,6 @@ author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
index b83f2059f..f95de5c58 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-12
 modified: 2025-10-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
index fb2c2e2fb..53daa0845 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml
@@ -20,7 +20,7 @@ author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Next
 date: 2020-10-23
 modified: 2024-08-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
index ad52a7053..4c0d3c068 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
@@ -11,8 +11,8 @@ author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Rese
 date: 2019-10-26
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1134.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml
index 067834827..5fb05bc06 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml
@@ -12,7 +12,7 @@ author: juju4
 date: 2018-12-11
 modified: 2023-03-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1140
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml
index 448beb131..6325aa16c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml
@@ -18,7 +18,7 @@ author: frack113, Florian Roth (Nextron Systems), Josh Nickels
 date: 2024-09-02
 modified: 2025-05-30
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1027
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_whitespace_padding.yml b/rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_whitespace_padding.yml
index b9429775f..fc6c53c62 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_whitespace_padding.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_whitespace_padding.yml
@@ -18,8 +18,8 @@ date: 2025-11-04
 modified: 2025-11-26
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1204.004
- - attack.defense-evasion
 - attack.t1027.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_for_loop_execution_with_recursive_directory_search.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd_for_loop_execution_with_recursive_directory_search.yml
index bebe1e5ab..dc355f2ea 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd_for_loop_execution_with_recursive_directory_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd_for_loop_execution_with_recursive_directory_search.yml
@@ -11,8 +11,8 @@ author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2025-11-12
 tags:
 - attack.execution
+ - attack.stealth
 - attack.t1059.003
- - attack.defense-evasion
 - attack.t1027.010
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml
index 87b5c6e58..efa67410e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml
@@ -9,7 +9,7 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-10-26
 modified: 2023-03-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
index 10f3206d9..56b94ad13 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
@@ -15,7 +15,7 @@ author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasr
 date: 2020-07-03
 modified: 2026-03-16
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
index ab779e508..57a3647b2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
@@ -15,7 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-29
 modified: 2025-11-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
index 9e0e26b5a..09c7e0dc5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml
@@ -8,8 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2021-01-21
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
index 59572989b..53c08678e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml
@@ -12,7 +12,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-06
 modified: 2023-02-28
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.007
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
index 50ba43d5a..4486170f6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-01-06
 modified: 2022-06-17
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
index 403d7efae..acc850d5b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
@@ -8,7 +8,6 @@ author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
 modified: 2022-10-20
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
index b0598796d..b9e6f708d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
@@ -12,7 +12,6 @@ date: 2022-12-05
 modified: 2025-03-06
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml
index c37d9a07e..e538f3cb3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml
@@ -6,7 +6,7 @@ author: '@Kostastsale, TheDFIRReport'
 references:
 - Internal Research
 tags:
- - attack.defense-evasion
+ - attack.stealth
 date: 2022-12-05
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml
index f4eb41b22..055b74667 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml
@@ -6,7 +6,7 @@ author: '@Kostastsale, TheDFIRReport'
 references:
 - Internal Research
 tags:
- - attack.defense-evasion
+ - attack.stealth
 date: 2022-12-05
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml
index 0afa462c9..63483c1d9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml
@@ -6,7 +6,7 @@ author: '@Kostastsale, TheDFIRReport'
 references:
 - Internal Research
 tags:
- - attack.defense-evasion
+ - attack.stealth
 date: 2022-12-05
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml
index 877595dc3..f8fe72e43 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml
@@ -6,7 +6,7 @@ author: '@Kostastsale, TheDFIRReport'
 references:
 - Internal Research
 tags:
- - attack.defense-evasion
+ - attack.stealth
 date: 2022-12-05
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
index ecd20aaa7..7a1906e60 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
@@ -19,8 +19,8 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
 modified: 2022-12-09
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
index 64c7bf780..535425584 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
@@ -11,9 +11,10 @@ author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.comm
 date: 2019-03-22
 modified: 2022-06-28
 tags:
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1070
- - attack.t1562.006
+ - attack.t1685
 - car.2016-04-002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
index 30e1dd7b4..7913fac7a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
@@ -18,9 +18,9 @@ author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shraw
 date: 2019-09-26
 modified: 2025-03-12
 tags:
- - attack.defense-evasion
- - attack.t1070.001
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.005
+ - attack.t1685.001
 - car.2016-04-002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
index 380377348..ca4b11e57 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
@@ -9,8 +9,8 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2022-02-25
 modified: 2024-07-12
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1564
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
index 7b0494fe5..8ed9ef8ae 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
@@ -11,7 +11,7 @@ author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2019-01-16
 modified: 2024-07-12
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 category: process_creation
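Review bot: In proc_creation_win_susp_eventlog_clear.yml the tactic line is replaced by `- attack.defense-impairment` alone, while the preceding proc_creation_win_susp_etw_trace_evasion.yml hunk keeps `- attack.stealth` next to `- attack.defense-impairment` for its `attack.t1070` / `attack.t1685` pair. If the v19 technique behind `attack.t1685.005` (formerly `attack.t1070.001`) is still also listed under the stealth tactic, this rule would need `- attack.stealth` as well; this is worth confirming against the v19 matrix rather than inferring from the neighbouring hunk, because tactic tags drive the coverage dashboards most teams build from this repository.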
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
index 47fa7ee7b..b0a5f1dfc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
@@ -15,7 +15,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
 date: 2023-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.004
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
index a382c8785..934d968f8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
@@ -8,9 +8,9 @@ author: Sreeman
 date: 2020-04-21
 modified: 2022-03-08
 tags:
+ - attack.stealth
 - attack.t1211
 - attack.t1059
- - attack.defense-evasion
 - attack.persistence
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml b/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
index c8ad77d27..d76463075 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
@@ -11,10 +11,9 @@ references:
 author: Micah Babinski, @micahbabinski
 date: 2023-05-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 - attack.t1036.003
- # - attack.t1036.008
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index 7acb7a5f7..fdc1139e4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -8,7 +8,7 @@ author: Max Altgelt (Nextron Systems)
 date: 2021-12-09
 modified: 2022-12-14
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
index b10f0d2e9..fa28764a6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
@@ -13,7 +13,7 @@ author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violet
 date: 2022-01-25
 modified: 2023-08-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
index ae174c1da..0225f3964 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
@@ -12,8 +12,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
 date: 2023-11-09
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml b/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
index 7a095964b..68f2dbf44 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml
@@ -7,7 +7,7 @@ references:
 author: Matt Anderson (Huntress)
 date: 2024-07-23
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index f336a1a4e..9276151ff 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -10,7 +10,7 @@ author: Max Altgelt (Nextron Systems)
 date: 2021-12-09
 modified: 2023-11-23
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
index 357b22fd9..0d0bf212c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
@@ -9,7 +9,7 @@ date: 2020-10-05
 modified: 2024-12-01
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
index 570b9477d..c5156dd81 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
@@ -10,7 +10,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-07-13
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
index 1623a9f72..9fa759dbf 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
@@ -13,7 +13,7 @@ author: frack113, Nasreddine Bencherchali
 date: 2022-08-07
 modified: 2025-10-20
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
index 0be94c50b..50a424106 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
@@ -13,7 +13,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-05
 modified: 2022-09-21
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
index 50381e025..2b4463a7a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
@@ -13,7 +13,7 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-06
 modified: 2023-07-20
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.004
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_parents.yml b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
index 374b6a7c6..fb404d300 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parents.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-03-21
 modified: 2022-09-08
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
index 37499cf9d..4f1a4c7d7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml
@@ -10,7 +10,7 @@ author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
 date: 2018-08-25
 modified: 2024-03-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218.011
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
index 893b94fa8..055257b76 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
@@ -10,7 +10,7 @@ author: vburov
 date: 2019-02-23
 modified: 2025-03-06
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.003
 - attack.t1036.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
index 24ed2273c..19d5d2b44 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
@@ -13,7 +13,7 @@ date: 2023-07-12
 modified: 2023-12-11
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml b/rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml
index 9cc4053b4..45f6ed96d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml
@@ -14,9 +14,9 @@ author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2021-12-20
 modified: 2026-01-24
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.persistence
+ - attack.defense-impairment
 - attack.t1548.002
 - attack.t1546.001
 - attack.t1112
diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
index af6f8a47a..4c41eea72 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
@@ -19,7 +19,7 @@ author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Sys
 date: 2023-02-15
 modified: 2026-03-20
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
index 3606e7ab0..d6fb04955 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-09
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
index 039c68765..2cfccf417 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -21,10 +21,10 @@ author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron
 date: 2022-09-01
 modified: 2025-08-27
 tags:
- - attack.defense-evasion
 - attack.impact
+ - attack.defense-impairment
 - attack.t1489
- - attack.t1562.001
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
index 69ed96fef..691f4060e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml
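Review bot: In the service_tamper hunk `attack.t1562.001` is replaced by the parent-level `attack.t1685`, whereas the eventlog_clear hunk earlier in this patch maps the sibling `attack.t1562.002` to a sub-technique (`attack.t1685.001`); if v19 defines a sub-technique that corresponds to the old "disable or modify tools" behaviour, tagging the parent drops the precision the rule previously carried. The same parent-level mapping of `attack.t1562.001` appears in the pssuspend_susp_execution, sysinternals_sysmon_config_update, sysinternals_sysmon_uninstall and taskkill_sep hunks. Confirming the mapping once against the v19 crosswalk and applying the same choice to all five would keep the rule set consistent.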
@@ -16,8 +16,8 @@ author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Dani
 date: 2019-10-22
 modified: 2022-11-03
 tags:
- - attack.defense-evasion
 - attack.impact
+ - attack.stealth
 - attack.t1070
 - attack.t1490
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
index f8000ecde..2a72fc318 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml
@@ -9,7 +9,7 @@ date: 2018-04-06
 modified: 2023-05-23
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1059.005
 - attack.t1059.001
 - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml b/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
index c506a9456..c642da6db 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
@@ -8,8 +8,8 @@ author: Max Altgelt (Nextron Systems)
 date: 2022-08-23
 modified: 2025-10-08
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index 77dc13da6..200a7039c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -14,7 +14,7 @@ author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.com
 date: 2017-11-27
 modified: 2026-02-12
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 category: process_creation
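Review bot: `attack.t1070` is kept in the shadow_copies_deletion hunk while `attack.t1070.001` is remapped to `attack.t1685.005` in the eventlog_clear hunk, so the parent and its former sub-technique now sit under different tactics (`attack.stealth` here, `attack.defense-impairment` there). If v19 relocated only T1070's sub-techniques and left the parent in place, keeping `attack.t1070` is right and a short remark in the commit description would pre-empt the question; if the parent was retired or renumbered as well, this tag is now stale and should follow the same mapping.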
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index cf63d7c1a..a2d90f587 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -10,8 +10,8 @@ date: 2021-12-20
 modified: 2025-10-19
 tags:
 - attack.credential-access
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1134
 - attack.t1003
 - attack.t1027
diff --git a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
index a8f25bfc8..c6d624064 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml
@@ -13,9 +13,9 @@ date: 2020-01-13
 modified: 2022-12-25
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.persistence
 - attack.execution
+ - attack.stealth
 - attack.t1574.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
index 0803f12f5..c62eb6fe8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
@@ -12,7 +12,7 @@ author: 'Agro (@agro_sev) oscd.community'
 date: 2020-10-13
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
index b1717ae90..23c3679c0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml
@@ -13,8 +13,8 @@ author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
 date: 2020-10-14
 modified: 2022-10-09
 tags:
+ - attack.stealth
 - attack.t1218
- - attack.defense-evasion
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index c98f25440..43d09b862 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
@@ -9,7 +9,7 @@ date: 2019-06-17
 modified: 2025-10-17
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml b/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml
index d6706ae6a..833eab905 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml
@@ -9,7 +9,6 @@ date: 2025-08-29
 tags:
 - attack.command-and-control
 - attack.persistence
- - attack.defense-evasion
 - attack.t1219
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml
index a3542ba61..f2b9c9b8c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml
@@ -13,8 +13,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-14
 modified: 2024-02-23
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml b/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
index 65022b15d..9de7e8231 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml
@@ -8,7 +8,7 @@ author: Maxime Thiebaut (@0xThiebaut)
 date: 2021-10-21
 modified: 2022-12-25
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
index 329ee9a2b..edb4b5f24 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml
@@ -8,8 +8,8 @@ author: David Burkett, @signalblur
 date: 2019-12-28
 modified: 2022-06-27
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
index ab08855e5..73e6039ec 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
@@ -15,7 +15,7 @@ references:
 author: Swachchhanda Shrawan Poudel
 date: 2024-08-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_command_line_flags.yml b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_command_line_flags.yml
index 6b522e7bd..62fae3686 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_command_line_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_command_line_flags.yml
@@ -13,8 +13,8 @@ author: Liran Ravich
 date: 2025-11-14
 modified: 2026-03-23
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1036.005
 - attack.t1055
 - attack.t1055.012
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
index 31eb6380f..2666ec68e 100644
--- a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-08-15
 modified: 2022-06-28
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036.005
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
index 14286ba5c..c3340f416 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
index 1cdcaf461..2c5c5f087 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-16
 modified: 2024-03-13
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
index 732c4f786..0238c3304 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-08-16
 modified: 2023-02-28
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 - attack.t1003.001
 - attack.credential-access
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
index 7e68176e5..b03262953 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-01-11
 modified: 2023-05-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 - attack.t1003.001
 - attack.credential-access
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
index c80eb4acc..3e740ffb0 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
@@ -14,7 +14,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-10-30
 modified: 2025-10-19
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 - attack.credential-access
 - attack.t1003.001
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
index d7c562361..12086c33a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml
@@ -11,8 +11,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-23
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
index 1fb2a7d2c..6ac45a379 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-09
 modified: 2024-03-13
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
index 4690d9914..58b5eb619 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2022-01-12
 modified: 2024-03-13
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
index 431b74b62..580682177 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
@@ -12,7 +12,7 @@ date: 2021-12-20
 modified: 2025-04-12
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.t1202
 - attack.t1036.005
diff --git a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
index fc2464708..5585ab092 100644
--- a/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
@@ -11,7 +11,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml b/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml
index ca209c649..3dddd04a8 100644
--- a/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml
+++ b/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml
@@ -9,7 +9,7 @@ author: frack113
 date: 2022-01-30
 modified: 2022-11-21
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1222.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
index b0b7fd4d3..d605e577b 100644
--- a/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
@@ -12,8 +12,8 @@ references:
 author: Ilya Krestinichev, Florian Roth (Nextron Systems)
 date: 2022-09-13
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
index 62fc346af..5a8e0e89e 100644
--- a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-03-18
 modified: 2022-05-27
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
index 24e8cb145..f6b55e0bd 100644
--- a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml
@@ -8,7 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-03-13
 modified: 2024-01-18
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
index baa7cabea..46f49d22a 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
@@ -10,7 +10,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
index ebc11bec2..811085183 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
index 8b763d6aa..c5f106521 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
@@ -11,7 +11,7 @@ date: 2019-10-24
 modified: 2022-08-30
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1548.002
 - attack.t1218.003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
index e78e952d8..11bc02506 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
@@ -12,8 +12,8 @@ date: 2019-07-31
 modified: 2024-12-01
 tags:
 - attack.execution
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1548.002
 - attack.t1218.003
 - attack.g0069
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
index b5c009b3a..757821494 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-31
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
index 959e21ec5..7169923e2 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
index 5ec3876d2..b87118886 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
index 3bf09474b..9c4bac309 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
@@ -11,8 +11,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-11-22
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
index 7a59a13b7..323153e86 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
@@ -9,7 +9,6 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
 date: 2019-10-24
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
index 9422e51e8..c987fc15d 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
@@ -7,7 +7,6 @@ references:
 author: Tim Rauch, Elastic (idea)
 date: 2022-09-27
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
index db1ec4358..0bf37bc20 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
@@ -8,7 +8,6 @@ author: Florian Roth (Nextron Systems), Elastic (idea)
 date: 2022-09-13
 modified: 2022-09-27
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
index a9b108890..8e459f1cf 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
@@ -9,7 +9,6 @@ date: 2022-07-03
 modified: 2024-12-01
 tags:
 - attack.execution
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
index b0590e33d..e5f76e9a3 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
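Review bot: The firewall snap-in hunk leaves the rule on the parent technique `- attack.t1548` while every other UAC bypass rule in this section is tagged with the sub-technique `- attack.t1548.002`, so this one will be missed by any filter keyed on the sub-technique. Since the retag already rewrites this tag block, this is the moment to align it: `- attack.t1548.002`. The hunk only shows the tags, so whether the rule's logic is a genuine UAC bypass (the filename says so) should be confirmed before narrowing the ID.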
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
index 0a4eaa08d..1a43efd97 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
index 3db306a9b..36495e388 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
index a57e45efe..4cfb0e505 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
index 276326a63..7a1c0a7f7 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
@@ -10,7 +10,6 @@ date: 2020-05-02
 modified: 2024-12-01
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
index 0fe66c35b..5e5d47d93 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
@@ -15,7 +15,6 @@ date: 2021-08-27
 modified: 2025-06-17
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
index 2889f4f0f..1a0884dab 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
index dda9e21e4..97d249b64 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
index c8188244f..1eecf03e1 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
@@ -15,7 +15,6 @@ date: 2019-10-24
 modified: 2022-05-13
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
index 960e395d8..5b1297783 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
@@ -10,7 +10,6 @@ author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
 modified: 2024-12-01
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml b/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
index 94699a6fe..8eb202875 100644
--- a/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
+++ b/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml
@@ -8,8 +8,8 @@ author: frack113
 date: 2021-07-12
 modified: 2023-03-09
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification.yml b/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification.yml
index 2bc9e1fd0..fc65008a2 100644
--- a/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification.yml
@@ -15,8 +15,8 @@ date: 2026-01-05
 tags:
 - attack.persistence
 - attack.privilege-escalation
+ - attack.defense-impairment
 - attack.t1547.001
- - attack.defense-evasion
 - attack.t1112
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vbscript_registry_modification.yml b/rules/windows/process_creation/proc_creation_win_vbscript_registry_modification.yml
index c50232548..0447efcc2 100644
--- a/rules/windows/process_creation/proc_creation_win_vbscript_registry_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_vbscript_registry_modification.yml
@@ -16,9 +16,9 @@ references:
 date: 2025-08-13
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.execution
+ - attack.defense-impairment
 - attack.t1112
 - attack.t1059.005
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml b/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
index c4e136505..59ff838f9 100644
--- a/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
+++ b/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml
@@ -10,7 +10,7 @@ author: Victor Sergeev, oscd.community
 date: 2020-10-09
 modified: 2025-10-07
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml b/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
index fe3de118c..92da877bb 100644
--- a/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml
@@ -9,7 +9,7 @@ author: Janantha Marasinghe
 date: 2020-09-26
 modified: 2025-07-29
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.006
 - attack.t1564
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
index 1ba7387cc..1466e745a 100644
--- a/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml
@@ -13,7 +13,7 @@ date: 2020-10-06
 modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
index 4f7df9b16..e524fe17c 100644
--- a/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml
@@ -10,7 +10,7 @@ date: 2023-01-26
 modified: 2023-10-25
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
index 3eaf8a4b7..a74ef8abf 100644
--- a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
+++ b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml
@@ -7,7 +7,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vshadow_exec.yml b/rules/windows/process_creation/proc_creation_win_vshadow_exec.yml
index 37b8589fe..683acf9fc 100644
--- a/rules/windows/process_creation/proc_creation_win_vshadow_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_vshadow_exec.yml
@@ -11,7 +11,7 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
 - https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml b/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
index 3603fa06e..bedd4e161 100644
--- a/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml
@@ -7,7 +7,7 @@ references:
 author: bohops
 date: 2022-10-30
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering.yml b/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering.yml
index 5f1adf8bc..987b860bd 100644
--- a/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering.yml
@@ -15,8 +15,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2026-01-26
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
index 3a698e48f..7907999ed 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
@@ -10,8 +10,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-12
 modified: 2022-09-27
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
index c928adbf3..e2972eb52 100644
--- a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
+++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
@@ -10,8 +10,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-12
 modified: 2022-09-27
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
index 75b4f9859..596c2e3d1 100644
--- a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
@@ -12,7 +12,7 @@ author: X__Junior (Nextron Systems)
 date: 2023-06-30
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml b/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml
index db5dd1dbe..1f54196bd 100644
--- a/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml
@@ -22,8 +22,8 @@ author: Jason (https://github.com/0xbcf)
 date: 2025-09-23
 modified: 2025-11-23
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 - attack.credential-access
 - attack.t1003.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
index 20983614f..120de47b4 100644
--- a/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml
@@ -13,8 +13,8 @@ author: Florian Roth (Nextron Systems)
 date: 2022-10-14
 modified: 2024-08-29
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055
 - attack.t1036
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml
index 8aafaf81e..46698d298 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml
@@ -13,7 +13,6 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-04-17
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml
index 78c3065c6..88e8e9a49 100644
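Review bot: The werfaultsecure_abuse hunk rewrites the tag block in place and leaves it interleaved as tactic, technique, tactic, technique (`- attack.defense-impairment`, `- attack.t1685`, `- attack.credential-access`, `- attack.t1003.001`), whereas the hunks elsewhere in this diff that touch both tactics and techniques (service_startup_change, namespace_defender) group the tactics first. The interleaving predates this commit, but since these exact lines are being rewritten it costs nothing to fix: move `- attack.credential-access` up to sit directly under `- attack.defense-impairment`. This is ordering only; the tag set is unchanged.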
--- a/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml
@@ -15,7 +15,6 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-04-17
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml
index 08602fc0c..46cd8291d 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml
@@ -14,7 +14,6 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-04-17
 modified: 2023-12-04
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
index 46900416b..60fe3fcd1 100644
--- a/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
+++ b/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
@@ -13,7 +13,6 @@ author: Sreeman, Florian Roth (Nextron Systems), frack113
 date: 2020-04-21
 modified: 2023-04-17
 tags:
- - attack.defense-evasion
 - attack.execution
 - attack.t1059
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml b/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml
index 4ccfdff91..961866874 100644
--- a/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml
@@ -8,7 +8,7 @@ author: Julia Fomina, oscd.community
 date: 2020-10-06
 modified: 2022-10-09
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml b/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
index cab7cf058..327b03617 100644
--- a/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
@@ -10,7 +10,7 @@ author: Julia Fomina, oscd.community
 date: 2020-10-07
 modified: 2023-03-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1216
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_winrs_local_command_execution.yml b/rules/windows/process_creation/proc_creation_win_winrs_local_command_execution.yml
index 1a6b697ed..a368647bd 100644
--- a/rules/windows/process_creation/proc_creation_win_winrs_local_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrs_local_command_execution.yml
@@ -11,7 +11,7 @@ author: Liran Ravich, Nasreddine Bencherchali
 date: 2025-10-22
 tags:
 - attack.lateral-movement
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1021.006
 - attack.t1218
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml b/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml
index 5cc321813..c535764c6 100644
--- a/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml
@@ -11,7 +11,7 @@ author: frack113, manasmbellani
 date: 2022-02-16
 modified: 2025-10-31
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml
index a67c336a1..598cfa807 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml
@@ -10,10 +10,10 @@ author: frack113
 date: 2022-12-11
 modified: 2023-02-14
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.defense-impairment
 - attack.t1047
- - attack.t1562
+ - attack.t1685
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml b/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml
index ec0093414..93c2c61dd 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml
@@ -9,9 +9,9 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2026-04-27
 tags:
 - attack.execution
+ - attack.defense-impairment
 - attack.t1047
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
index f54697d20..c2b02138f 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
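Review bot: In the namespace_defender hunk the parent technique `- attack.t1562` is rewritten to `- attack.t1685`, which is the same ID that the sub-technique `attack.t1562.001` is rewritten to in every other hunk of this diff (crowdstrike_falcon, vulnerable_driver_blocklist, werfaultsecure_abuse, service_startup_change, uninstall_security_products). If v19 retired T1562 and its sub-techniques into a single T1685 that is fine, but if T1685 is the replacement for the sub-technique only, the parent is being silently narrowed here rather than mapped to whatever replaced T1562 itself. Worth checking against the v19 changelog, and if the narrowing is deliberate, a sentence in the PR description would help since the commit message presents this as a mechanical retag.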
@@ -23,7 +23,7 @@ author: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2019-01-16
 modified: 2026-01-24
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1047
 - attack.t1220
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml b/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml
index 4d94eafcd..0392d02f2 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml
@@ -14,8 +14,8 @@ date: 2025-07-30
 tags:
 - attack.persistence
 - attack.execution
- - attack.defense-evasion
 - attack.discovery
+ - attack.defense-impairment
 - attack.t1047
 - attack.t1112
 - attack.t1012
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
index 6233eff74..f5b6d7a18 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
@@ -20,11 +20,11 @@ author: Vadim Khrykov, Cyb3rEng
 date: 2021-08-23
 modified: 2023-02-14
 tags:
+ - attack.stealth
 - attack.t1204.002
 - attack.t1047
 - attack.t1218.010
 - attack.execution
- - attack.defense-evasion
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
index 3d0d1995a..c070fe3fc 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
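Review bot: In the susp_execution_via_office_process hunk the new `- attack.stealth` is inserted at the head of the list while the rule's other tactic, `- attack.execution`, stays below the three technique IDs, so the new side interleaves tactics and techniques in a way the rest of this diff avoids (namespace_defender and service_startup_change put tactics first, then techniques). Since the hunk already rewrites this block, move `- attack.execution` up to sit directly under `- attack.stealth`. The set of tags is unchanged by this; it is ordering only, but it keeps the file consistent with the convention the retag is otherwise following.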
@@ -15,8 +15,8 @@ author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems
 date: 2021-01-30
 modified: 2023-02-14
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
index 0fbdc607b..3ef6dd835 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
@@ -16,7 +16,7 @@ author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
 date: 2019-10-21
 modified: 2026-01-24
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1047
 - attack.t1220
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
index 983b235d4..ee375355f 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
@@ -19,7 +19,7 @@ date: 2021-08-23
 modified: 2023-11-10
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1047
 - attack.t1204.002
 - attack.t1218.010
diff --git a/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml
index f5315af5b..6f9c4a289 100644
--- a/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-18
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1542.001
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
index f39edc335..afab27d00 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
@@ -13,7 +13,7 @@ date: 2023-01-23
 modified: 2023-08-15
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.t1202
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_kali_linux_usage.yml b/rules/windows/process_creation/proc_creation_win_wsl_kali_linux_usage.yml
index e332d6ed1..6442ca67b 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_kali_linux_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_kali_linux_usage.yml
@@ -8,7 +8,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-10-10
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
index 7d8cdfdc4..a54ff446d 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-14
 tags:
 - attack.execution
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1202
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml
index 48af49ae5..0254aaf21 100644
--- a/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml
+++ b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml
@@ -14,7 +14,7 @@ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Rot
 date: 2020-10-12
 modified: 2023-11-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.execution
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
index 604f48f6a..f6d7f9644 100644
--- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml
@@ -9,7 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2022-02-26
 modified: 2023-11-11
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1036
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
index 2af1da66b..d3e2fc746 100644
--- a/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml
@@ -13,7 +13,8 @@ modified: 2024-08-15
 tags:
 - attack.privilege-escalation
 - attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
 - attack.t1574.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml b/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
index 14f4630b2..9914e87cd 100644
--- a/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
@@ -12,7 +12,7 @@ author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Next
 date: 2020-10-07
 modified: 2024-08-15
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
index 451e5d8c8..b5df17baf 100644
--- a/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
+++ b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
@@ -9,8 +9,8 @@ author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
 date: 2022-01-25
 modified: 2023-11-28
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
+ - attack.stealth
 - attack.t1055.012
 logsource:
 product: windows
diff --git a/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml b/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
index dd9a88e73..fa0cf6011 100644
--- a/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
+++ b/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
@@ -8,7 +8,7 @@ author: Teymur Kheirkhabarov, oscd.community
 date: 2019-10-22
 modified: 2025-12-03
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1006
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml b/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml
index d0951c9f7..077ebd66f 100644
--- a/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml
@@ -14,7 +14,7 @@ author: 'Matt Anderson (Huntress)'
 date: 2025-07-11
 modified: 2025-10-07
 tags:
- - attack.defense-evasion
+ - attack.defense-impairment
 logsource:
 category: registry_delete
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard.yml b/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard.yml
index 972dc9b0b..ab34be932 100644
--- a/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard.yml
@@ -13,8 +13,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-12-26
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: registry_delete
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
index d62440d97..3ac3430e7 100644
--- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-05
 modified: 2023-02-08
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: registry_delete
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
index 91dcf400a..dce4cb19b 100644
--- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
@@ -11,7 +11,8 @@ date: 2021-10-19
 modified: 2023-02-08
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1070
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
index b737061e5..e4a979f43 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
@@ -9,8 +9,8 @@ author: frack113
 date: 2021-06-07
 modified: 2025-10-07
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 category: registry_delete
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index 60d10e767..378fa306c 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -15,7 +15,7 @@ date: 2020-05-02
 modified: 2025-10-07
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_runmru.yml b/rules/windows/registry/registry_delete/registry_delete_runmru.yml
index 7732dfdfd..6fa907498 100644
--- a/rules/windows/registry/registry_delete/registry_delete_runmru.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_runmru.yml
@@ -13,7 +13,7 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-09-25
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1070.003
 logsource:
 category: registry_delete
diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
index 4ea12e530..efacddbdb 100644
--- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
@@ -13,8 +13,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-26
 modified: 2025-10-25
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 category: registry_delete
diff --git a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
index 20eab1538..5aac71de9 100644
--- a/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
@@ -11,8 +11,8 @@ author: Sittikorn S
 date: 2022-04-15
 modified: 2025-10-25
 tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 category: registry_delete
diff --git a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
index baa4912aa..7311f61ad 100644
--- a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
+++ b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
@@ -9,7 +9,6 @@ author: oscd.community, Dmitry Uchakin
 date: 2020-10-07
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
index d10ce1a39..1b72af7a8 100755
--- a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
@@ -8,8 +8,8 @@ author: Nik Seetharaman
 date: 2018-07-16
 modified: 2020-12-23
 tags:
- - attack.defense-evasion
 - attack.execution
+ - attack.stealth
 - attack.t1218.003
 - attack.g0069
 - car.2019-04-001
diff --git a/rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml b/rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml
index 0450c94df..81019f109 100644
--- a/rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml
+++ b/rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml
@@ -17,8 +17,8 @@ references:
 author: 'Matt Anderson (Huntress)'
 date: 2025-07-11
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: registry_event
 product: windows
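Review bot: The registry_event_bypass_via_wsreset hunk removes `- attack.defense-evasion` without adding a successor tactic, so the rule keeps only `attack.privilege-escalation` for `attack.t1548.002`, whereas elsewhere in this diff the removed tactic is consistently replaced by `attack.stealth` or `attack.defense-impairment`. The same drop-without-replacement pattern appears in the portproxy_registry_key, shell_open_keys_manipulation, bypass_uac_using_delegateexecute, bypass_uac_using_silentcleanup_task and comhijack_sdclt hunks. If this reflects the v19 tactic assignment for T1548.002 / T1090 it is correct, but that rationale is not visible in the diff; a one-line mention in the PR description of which rules intentionally lose a tactic would make the retag auditable for downstream consumers that filter on tactic tags.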
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index 650bb7952..a1e93b736 100755
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -10,8 +10,8 @@ date: 2019-10-25
 modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 - attack.t1112
 - car.2022-03-001
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
index 27281a36e..6b5cba24b 100644
--- a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
@@ -12,7 +12,7 @@ date: 2019-08-25
 modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
index ea6be70a6..a4851c9b8 100644
--- a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
+++ b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
@@ -8,9 +8,9 @@ author: Trent Liffick
 date: 2020-05-08
 modified: 2021-11-27
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.execution
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
index 5a53af9c3..ffd9066d3 100644
--- a/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml
@@ -8,7 +8,7 @@ author: Hieu Tran
 date: 2023-03-13
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 069a0b82d..4944ab73c 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -10,8 +10,8 @@ date: 2018-03-20
 modified: 2024-12-03
 tags:
 - attack.persistence
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml b/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
index bde71a2cb..78c0e4fb4 100644
--- a/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml
@@ -11,7 +11,6 @@ date: 2021-06-22
 modified: 2024-03-25
 tags:
 - attack.lateral-movement
- - attack.defense-evasion
 - attack.command-and-control
 - attack.t1090
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
index b23b06a4c..727fd2c38 100644
--- a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
@@ -9,7 +9,7 @@ date: 2020-06-24
 modified: 2021-11-27
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
index eb30bcf28..e24e41dfb 100644
--- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
+++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
@@ -10,7 +10,7 @@ date: 2020-11-15
 modified: 2024-03-25
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index 864f72e49..9d4284fce 100644
--- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -15,7 +15,6 @@ date: 2021-08-30
 modified: 2022-01-13
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1548.002
 - attack.t1546.001
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index 3da1adbb6..31b8deaec 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -10,7 +10,7 @@ date: 2020-10-13
 modified: 2023-01-19
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1218
 - attack.persistence
 - attack.t1547
diff --git a/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml b/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml
index ab0309610..8ca38e81c 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml
@@ -17,9 +17,9 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-08-13
 modified: 2026-04-14
 tags:
- - attack.defense-evasion
 - attack.persistence
 - attack.execution
+ - attack.defense-impairment
 - attack.t1112
 - attack.t1059.005
 logsource:
diff --git a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
index ec642ca43..ab1ea547b 100644
--- a/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
+++ b/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
@@ -7,8 +7,8 @@ references:
 author: X__Junior (Nextron Systems)
 date: 2023-11-03
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 product: windows
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
index 4da50d0b6..47824c3d8 100644
--- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
@@ -9,7 +9,7 @@ author: frack113
 date: 2022-04-04
 modified: 2025-10-22
 tags:
- - attack.defense-evasion
+ - attack.stealth
 - attack.t1564.001
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
index 997ebde73..efe183160 100644
--- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
+++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -9,7 +9,7 @@ date: 2022-08-19
 modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
index 3626597f3..c6d551fdc 100644
--- a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
+++ b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml
@@ -9,8 +9,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-04
 modified: 2023-08-17
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_amsi_disable.yml b/rules/windows/registry/registry_set/registry_set_amsi_disable.yml
index bf61a2670..21a3ff3e3 100644
--- a/rules/windows/registry/registry_set/registry_set_amsi_disable.yml
+++ b/rules/windows/registry/registry_set/registry_set_amsi_disable.yml
@@ -15,9 +15,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-12-25
 tags:
- - attack.defense-evasion
- - attack.t1562.001
- - attack.t1562.006
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
index e717b00e2..20eae549e 100644
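Review bot: The registry_set_amsi_disable hunk drops `- attack.t1562.006` outright while only `- attack.t1562.001` is remapped to `- attack.t1685`, so the rule's technique list shrinks from two entries to one; every other T1562.x remap in this diff is a 1:1 substitution. If v19 folds the indicator-blocking sub-technique into T1685 or gives it its own sub-technique, the corresponding tag should be added next to `- attack.t1685`; if the drop is intentional, a short mention in the PR description would let consumers who pivot on the old sub-technique tag understand why it disappeared. The hunk is complete, so the rest of the tag list is unaffected.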
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
index a32506418..af5d0dcb8 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
index 6ae92024b..7bbb19f5d 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-16
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
index def7a4982..f5db82410 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
@@ -11,7 +11,6 @@ date: 2022-01-05
 modified: 2023-08-17
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
index 447d8f18a..7f1e59a67 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
@@ -14,7 +14,6 @@ date: 2022-01-06
 modified: 2024-01-30
 tags:
 - attack.privilege-escalation
- - attack.defense-evasion
 - attack.t1548.002
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
index 3cff92e1f..f4dfc9663 100644
--- a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
@@ -11,8 +11,8 @@ author: B.Talebi
 date: 2022-07-28
 modified: 2024-03-25
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
index fb6805137..68d12da5f 100644
--- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
@@ -10,8 +10,8 @@ author: frack113
 date: 2022-09-17
 modified: 2024-03-25
 tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
index c6afcca11..e5918d0eb 100644
--- a/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
+++ b/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml
@@ -10,7 +10,7 @@ date: 2023-06-12
 modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
index 38951f4a3..f8b07919b 100644
--- a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
@@ -10,7 +10,6 @@ date: 2020-09-27
 modified: 2023-09-28
 tags:
 - attack.persistence
- - attack.defense-evasion
 - attack.privilege-escalation
 - attack.t1546
 - attack.t1548
diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
index 34064efbd..1feb160db 100644
--- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -9,7 +9,8 @@ date: 2022-02-24
 modified: 2023-08-17
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment
 - attack.t1564
 - attack.t1112
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
index 82c13ca64..7f300593a 100644
--- a/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_create_minint_key.yml
@@ -14,8 +14,8 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-04-09
 tags:
 - attack.persistence
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
 - attack.t1112
 - car.2022-03-001
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index 76fe5360a..7488b98c4 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -12,7 +12,7 @@ date: 2022-05-02
 modified: 2025-10-07
 tags:
 - attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
 - attack.t1112
 logsource:
 category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_credential_guard_disabled.yml b/rules/windows/registry/registry_set/registry_set_credential_guard_disabled.yml
index df5eb9745..e3081d4e0 100644
--- a/rules/windows/registry/registry_set/registry_set_credential_guard_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_credential_guard_disabled.yml
@@ -12,8 +12,8 @@ references:
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-12-26
 tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
 logsource:
 category: registry_set
 product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
index d5ea0d83f..28cce5ed3 100644
--- a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
@@ -8,7 +8,7 @@ author: CD_R0M_
date: 2022-06-11
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1202
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
index 269ee0805..35a059bfe 100644
--- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
@@ -10,8 +10,9 @@ date: 2022-08-07
modified: 2023-08-17
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.persistence
+ - attack.execution
+ - attack.stealth
- attack.t1574
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
index 5bfba1cb6..a0a2b3c65 100644
--- a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
+++ b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
@@ -11,8 +11,8 @@ author: Christian Burkard (Nextron Systems)
date: 2021-07-06
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
index 51cba8ce2..7d3596df7 100644
--- a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
@@ -19,8 +19,8 @@ date: 2023-12-21
modified: 2025-10-17
tags:
- attack.persistence
- - attack.defense-evasion
- attack.impact
+ - attack.defense-impairment
- attack.t1112
- attack.t1491.001
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml b/rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml
index 5631c1962..46de9b200 100644
--- a/rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml
+++ b/rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml
@@ -9,8 +9,8 @@ author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-11-05
modified: 2024-08-16
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
index cbeb46653..cf78d03a6 100644
--- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml
@@ -13,8 +13,8 @@ author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2023-03-14
modified: 2024-07-05
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
index 67044b387..066d33c21 100644
--- a/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml
@@ -9,8 +9,8 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-05
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
index 33c9c15f5..daee2acb3 100755
--- a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
@@ -12,7 +12,9 @@ modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
+ - attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
index 4da521321..0fc2b4e79 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
@@ -8,7 +8,7 @@ author: frack113
date: 2022-01-16
modified: 2024-03-25
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070.005
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
index 680dae84f..0b5dfd6c0 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
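Review bot: The `index 33c9c15f5..daee2acb3 100755` line for registry_set_dhcp_calloutdll.yml shows the rule tracked with the executable bit set, whereas every other rule file in this patch is `100644`. A YAML detection rule has no reason to be executable, and a stray mode bit is the kind of thing repository linters and packaging tools trip over. Since the file is already being touched, normalising it to `100644` (e.g. `git update-index --chmod=-x` on the path) in this or a follow-up commit would remove the anomaly; the tag change itself looks consistent with the other t1574.001 + t1112 rules.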
@@ -19,8 +19,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2025-12-26
tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
index 6aadbb4dd..d7127ee15 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
@@ -8,8 +8,8 @@ author: frack113
date: 2022-01-09
modified: 2024-03-25
tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index 42ffb0b44..c9ec8ac57 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -14,7 +14,7 @@ date: 2022-03-18
modified: 2025-06-04
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
index 68ea1de22..78adda25a 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml
@@ -10,7 +10,7 @@ references:
- https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
- https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
index 055cc3514..5e1d52cb5 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
@@ -8,8 +8,8 @@ author: frack113
date: 2022-10-02
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
index f48e92362..37c7aa757 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -9,7 +9,7 @@ date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
index d88fbea33..972ab199c 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
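Review bot: `attack.defense-impairment` is the only ATT&CK tag registry_set_disable_macroruntimescanscope.yml ends up with — there was no technique id before and none is added — so the new tactic here is a manual judgement rather than something derived from a technique mapping. The same tactic-only situation exists in registry_set_file_association_exefile.yml, registry_set_hvci_disallowed_images.yml and registry_set_ie_security_zone_protocol_defaults_downgrade.yml (all moved to `attack.stealth`) and registry_set_internet_explorer_disable_first_run_customize.yml (moved to `attack.defense-impairment`), and without a technique a reviewer cannot tell whether stealth or defense-impairment is the right successor in each case. Adding the technique id while touching these rules would make the tactic checkable; for this rule, whose name and references concern the macro runtime scan scope, the patch's own treatment of the other "disable a security feature" rules suggests `- attack.t1685`, to be confirmed against the v19 matrix.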
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
@@ -9,8 +9,8 @@ author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
date: 2022-08-01
modified: 2024-03-25
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
index 923e7b270..4c416a944 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
@@ -13,7 +13,7 @@ modified: 2025-08-16
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1547.001
- attack.t1112
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
index a4951a741..0eee21456 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
@@ -8,8 +8,8 @@ author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.004
+ - attack.defense-impairment
+ - attack.t1686.003
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index 7feacfa62..bf82f0288 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -9,8 +9,8 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-04
modified: 2024-03-25
tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
index ca48b994d..325a4234a 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
@@ -8,8 +8,8 @@ author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
index 275d92bd4..b2da26d78 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
@@ -8,8 +8,8 @@ author: Florian Roth (Nextron Systems)
date: 2022-07-04
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
index 366956027..c9c1a6be1 100644
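Review bot: registry_set_disabled_microsoft_defender_eventlog.yml keeps the tools mapping (`attack.t1562.001` → `attack.t1685`), while the event-logging rules around it — registry_set_disable_winevt_logging.yml on this line and registry_set_disable_autologger_sessions.yml and registry_set_evtx_file_key_tamper.yml elsewhere in the patch — move from `attack.t1562.002` to `attack.t1685.001`. A mechanical migration reproduces whatever classification a rule had before, so nothing is introduced here, but a rule whose name says it disables an event log reads as a candidate for `- attack.t1685.001` rather than the parent. Worth checking the rule's description against the two v19 entries before the new tags are frozen, since a re-tag after this migration lands will be a second diff against the same line.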
--- a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
@@ -8,8 +8,8 @@ author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
index 537d21a78..4260f087c 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
@@ -8,8 +8,8 @@ author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
index aaee3dd80..ef6bdfa9d 100644
--- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -9,7 +9,7 @@ date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
index 31029adfa..41beaf9ec 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
@@ -15,7 +15,8 @@ date: 2021-07-22
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment
- attack.t1140
- attack.t1112
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
index 0c834fdda..f517c4768 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
@@ -16,7 +16,9 @@ modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
+ - attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
index 9a86f7983..e2f1490da 100644
--- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
@@ -22,9 +22,9 @@ date: 2020-06-05
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
- - attack.t1562
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
index 40b058bc1..221ff5cf4 100644
--- a/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml
@@ -18,9 +18,9 @@ references:
author: Nischal Khadgi
date: 2024-07-11
tags:
- - attack.defense-evasion
- attack.credential-access
- attack.persistence
+ - attack.defense-impairment
- attack.t1556
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
index cb85fb1f8..953b714f0 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
@@ -13,7 +13,8 @@ modified: 2023-11-24
tags:
- attack.persistence
- attack.privilege-escalation
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
- attack.t1574.012
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
index d718e8560..2e81de31b 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
@@ -8,8 +8,8 @@ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-06-15
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
index cb1fcfb5b..1a921d57a 100644
--- a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
@@ -8,8 +8,8 @@ author: D3F7A5105
date: 2023-01-02
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.002
+ - attack.defense-impairment
+ - attack.t1685.001
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
index 2adef7e9a..3245039ff 100644
--- a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
+++ b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
index 1a76560aa..3a1fa6cdd 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
@@ -10,7 +10,7 @@ date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
index a4a7d7704..458018b7e 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
@@ -10,7 +10,7 @@ date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
index d2c844b4a..1c5e37a9a 100644
--- a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
+++ b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
@@ -8,7 +8,7 @@ author: Andreas Hunkeler (@Karneades)
date: 2021-11-19
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.stealth
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml
index 8b6699d4e..44afbac40 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_file.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml
@@ -10,7 +10,7 @@ author: frack113
date: 2022-04-02
modified: 2024-03-26
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1564.001
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
index 3bf497ab4..42fa47746 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
@@ -9,7 +9,7 @@ date: 2022-03-18
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
index a1b72c79a..0239bd2ae 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
@@ -15,8 +15,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml b/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml
index e36e65e6a..7133cb68a 100644
--- a/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml
+++ b/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)
date: 2023-12-05
modified: 2024-08-21
tags:
- - attack.defense-evasion
+ - attack.stealth
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
index 952af7f01..95ec7daaa 100644
--- a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
+++ b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
@@ -14,7 +14,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
date: 2023-09-05
tags:
- - attack.defense-evasion
+ - attack.stealth
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml
index 342c1538f..b28d0c613 100644
--- a/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml
@@ -13,8 +13,8 @@ references:
author: X__Junior (Nextron Systems)
date: 2023-11-21
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml
index 7cd1bb1d9..c81ca594a 100644
--- a/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml
@@ -13,8 +13,8 @@ references:
author: X__Junior (Nextron Systems)
date: 2023-11-21
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
index c861cf28a..80a8c9773 100644
--- a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
+++ b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
@@ -11,7 +11,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2025-10-07
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index 8b943256e..4787e099c 100644
--- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -16,7 +16,7 @@ date: 2023-01-13
modified: 2024-08-23
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
index b1a4b5316..440364cd6 100644
--- a/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
+++ b/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
@@ -12,7 +12,7 @@ date: 2022-11-18
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
index a4185c148..de64ab48a 100644
--- a/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml
@@ -14,7 +14,7 @@ date: 2020-05-22
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml b/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
index 11379e15c..f2908b657 100644
--- a/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml
@@ -14,8 +14,8 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-06-08
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml b/rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml
index caa54f299..4d067f242 100644
--- a/rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml
@@ -12,8 +12,8 @@ references:
author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2024-08-23
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
index bb43bcf1c..9b334bdb4 100644
--- a/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
@@ -15,7 +15,7 @@ date: 2023-02-08
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
index d917c4445..6e5cff553 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml
@@ -13,7 +13,7 @@ date: 2023-06-21
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
index b83c26fcb..978f7790d 100644
--- a/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
@@ -13,7 +13,7 @@ date: 2023-06-21
modified: 2023-09-29
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
index e6c49106a..4d7a11f30 100644
--- a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
@@ -14,7 +14,7 @@ date: 2020-05-22
modified: 2024-03-19
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
index fb5498fc4..ac45664b5 100644
--- a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
+++ b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml
@@ -13,7 +13,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-19
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1070.005
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
index acdbf733e..b1152f470 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml
@@ -9,7 +9,7 @@ date: 2022-05-30
modified: 2023-05-12
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml b/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
index af4f7c8c2..71c787590 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml
@@ -12,7 +12,7 @@ date: 2023-02-17
modified: 2023-03-05
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml b/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
index baebcc278..1f1a1f62d 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml
@@ -14,7 +14,6 @@ modified: 2023-06-05
tags:
- attack.privilege-escalation
- attack.persistence
- - attack.defense-evasion
- attack.t1546.012
- car.2013-01-002
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
index 800a9b4f2..a1dfdff97 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_ie.yml
@@ -10,7 +10,7 @@ date: 2022-01-22
modified: 2025-10-22
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
index cefe4979b..1e389fe08 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml
@@ -15,8 +15,8 @@ author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Svee
date: 2021-06-09
modified: 2024-08-07
tags:
- - attack.defense-evasion
- attack.persistence
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
index bdd1d8555..58688ed21 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
@@ -14,8 +14,8 @@ author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Svee
date: 2021-06-10
modified: 2024-08-07
tags:
- - attack.defense-evasion
- attack.persistence
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
index 66e150db5..8739880e2 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
@@ -11,7 +11,7 @@ references:
author: X__Junior
date: 2023-05-18
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1036.003
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
index 36bcae546..8f1c707a2 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
index cca70c730..8427f8e5f 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_potential_oci_dll_redirection.yml b/rules/windows/registry/registry_set/registry_set_potential_oci_dll_redirection.yml
index 64ab85a6d..2a2dab5e5 100644
--- a/rules/windows/registry/registry_set/registry_set_potential_oci_dll_redirection.yml
+++ b/rules/windows/registry/registry_set/registry_set_potential_oci_dll_redirection.yml
@@ -11,7 +11,9 @@ date: 2026-01-24
tags:
- attack.persistence
- attack.privilege-escalation
- - attack.defense-evasion
+ - attack.execution
+ - attack.stealth
+ - attack.defense-impairment
- attack.t1112
- attack.t1574.001
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
index 2bb0b269d..bb5f40172 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -15,7 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-12-14
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
index 6037f6ad3..12fe621cc 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
@@ -8,7 +8,8 @@ author: frack113
date: 2022-04-02
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.stealth
+ - attack.defense-impairment
- attack.t1564.001
- attack.t1112
- attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
index 744dcee6a..f250580e1 100644
--- a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
+++ b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
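Review bot: In the `registry_set_powershell_logging_disabled.yml` hunk the technique tags left in place, `attack.t1564.001` and `attack.t1112`, sit oddly under the newly added `attack.defense-impairment`: judging from the rule name it detects PowerShell logging being switched off, which is the telemetry-tampering case that the `registry_set_rpcrt4_etw_tamper.yml` and `registry_set_services_etw_tamper.yml` hunks in this same patch map to `attack.t1685`. T1564.001 (Hidden Files and Directories) does not describe that behaviour, and keeping it is the only thing that justifies the `attack.stealth` tactic being added alongside. If T1685 is the v19 home of the former T1562.001/T1562.002, I would replace `    - attack.t1564.001` with `    - attack.t1685` and drop `    - attack.stealth`; please confirm against the v19 matrix, since the hunk shows only the tag block and not the detection logic.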
@@ -16,7 +16,7 @@ author: Swachchhanda Shrawan Poudel
date: 2023-08-02
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
index a27d6fa27..d697fb3b5 100644
--- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
@@ -9,9 +9,9 @@ date: 2022-12-09
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
- - attack.t1562
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index 198ffffda..36d49f583 100644
--- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -10,7 +10,7 @@ author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-04
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218.011
logsource:
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
index 70a61d64b..a4d9cb9d3 100644
--- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -9,9 +9,9 @@ date: 2022-12-09
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
- - attack.t1562
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
index 3163de270..2d14d1f24 100644
--- a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
@@ -9,7 +9,7 @@ date: 2022-03-18
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
index 67bb2f145..6eb693706 100644
--- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
@@ -11,7 +11,7 @@ date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1553.003
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
index c6a71beb7..367be87ba 100644
--- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2023-08-17
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
index ed062eb91..4bb3fe44f 100644
--- a/rules/windows/registry/registry_set/registry_set_special_accounts.yml
+++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
@@ -14,7 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-07-12
modified: 2023-01-26
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1564.002
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
index b1c23f87a..0d2a6cac7 100644
--- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
@@ -9,7 +9,7 @@ date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index 4112d87e0..c5b6d3fa5 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -13,7 +13,7 @@ author: frack113
date: 2023-01-27
modified: 2025-10-07
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1036.003
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
index 736468ed7..068d36cb8 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -9,8 +9,9 @@ date: 2020-07-01
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
- attack.privilege-escalation
+ - attack.execution
+ - attack.stealth
- attack.t1574
- cve.2021-1675
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_susp_runmru_space_character.yml b/rules/windows/registry/registry_set/registry_set_susp_runmru_space_character.yml
index e0e5f26d3..0dee2a80b 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_runmru_space_character.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_runmru_space_character.yml
@@ -13,8 +13,8 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
- attack.execution
+ - attack.stealth
- attack.t1204.004
- - attack.defense-evasion
- attack.t1027.010
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
index d8e81e3e3..40413cfa5 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
@@ -10,8 +10,8 @@ author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2023-08-17
tags:
- - attack.t1562.001
- - attack.defense-evasion
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml b/rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml
index 1cee7ff97..584f82835 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml
@@ -10,7 +10,6 @@ references:
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.persistence
- attack.t1548.002
diff --git a/rules/windows/registry/registry_set/registry_set_susp_typedpaths_space_characters.yml b/rules/windows/registry/registry_set/registry_set_susp_typedpaths_space_characters.yml
index 6ef6053a1..319172a32 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_typedpaths_space_characters.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_typedpaths_space_characters.yml
@@ -13,8 +13,8 @@ author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
- attack.execution
+ - attack.stealth
- attack.t1204.004
- - attack.defense-evasion
- attack.t1027.010
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_susp_wfp_filter_added.yml b/rules/windows/registry/registry_set/registry_set_susp_wfp_filter_added.yml
index f449af631..5f0ca1e04 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_wfp_filter_added.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_wfp_filter_added.yml
@@ -10,9 +10,9 @@ references:
author: Frack113
date: 2025-10-23
tags:
- - attack.defense-evasion
- attack.execution
- - attack.t1562
+ - attack.defense-impairment
+ - attack.t1685
- attack.t1569.002
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
index e28e40d7b..46df8137a 100644
--- a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
+++ b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2023-08-17
tags:
- - attack.defense-evasion
- attack.persistence
+ - attack.stealth
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
index dca4ea2b8..6f9766bdd 100644
--- a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
+++ b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
@@ -15,7 +15,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
index 4d81ef6ff..fa0a71b28 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
@@ -21,8 +21,8 @@ author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddin
date: 2022-09-29
modified: 2022-11-26
tags:
- - attack.defense-evasion
- attack.persistence
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
index 774dc5d7c..91a542c6e 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
@@ -41,8 +41,8 @@ author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddin
date: 2022-08-06
modified: 2025-11-22
tags:
- - attack.defense-evasion
- attack.persistence
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
index fea51da0f..93fe3b8f7 100644
--- a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
@@ -7,7 +7,7 @@ references:
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
- - attack.defense-evasion
+ - attack.stealth
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
index 2939bc7a5..420de2694 100644
--- a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
+++ b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
@@ -12,7 +12,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.stealth
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
index 9bbbdeed4..fc373c48c 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
@@ -9,7 +9,6 @@ author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
index 947763b3a..f156d7f26 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
@@ -9,7 +9,6 @@ author: Omer Yampel, Christian Burkard (Nextron Systems)
date: 2017-03-17
modified: 2023-08-17
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
index 3ee9a26d2..e72d2fa5a 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2023-08-17
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.002
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
index d3deb3064..846a1e74d 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
@@ -8,7 +8,6 @@ author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2023-08-17
tags:
- - attack.defense-evasion
- attack.privilege-escalation
- attack.t1548.002
logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable.yml b/rules/windows/registry/registry_set/registry_set_uac_disable.yml
index 568dd6b00..e0087a81b 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_disable.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_disable.yml
@@ -15,7 +15,6 @@ date: 2022-01-05
modified: 2024-05-10
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.t1548.002
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
index d5a2d0fc6..7225f0a64 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
@@ -17,7 +17,6 @@ author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-10
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.t1548.002
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
index 95019984d..556f3530a 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
@@ -16,7 +16,6 @@ author: frack113
date: 2024-05-10
tags:
- attack.privilege-escalation
- - attack.defense-evasion
- attack.t1548.002
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable.yml b/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable.yml
index b90e728b1..e12dc6852 100644
--- a/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable.yml
+++ b/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable.yml
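Review bot: The three `registry_set_uac_disable*.yml` hunks in this span remove `attack.defense-evasion` with no replacement and leave only `attack.privilege-escalation` + `attack.t1548.002`, yet judging from their names these rules detect UAC being switched off or weakened through the registry — a security control being impaired rather than bypassed. Every other registry-tamper rule in this patch (for example the `registry_set_windows_defender_tamper.yml` and `registry_set_wdigest_enable_uselogoncredential.yml` hunks) is moved to `attack.defense-impairment`, so the UAC-disable rules become the odd ones out and a coverage view built from these tags will no longer list them under any defensive-control tactic. Unless v19 still maps T1548.002 to a second tactic, I would add `    - attack.defense-impairment` and `    - attack.t1112` to these three, as the sibling registry-tamper rules carry; the pure bypass rules (`uac_bypass_eventvwr`, `sdclt`, `winsat`, `wmp`) can reasonably stay privilege-escalation only. Please verify the T1548.002 tactic mapping in the v19 matrix before changing it.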
@@ -17,8 +17,8 @@ references:
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
category: registry_set
product: windows
diff --git a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
index 803ea44bc..f32feff2f 100644
--- a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
@@ -10,7 +10,7 @@ author: oscd.community, Natalia Shornikova
date: 2020-10-13
modified: 2023-08-17
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1218
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
index ebac2060a..4f0401102 100644
--- a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
+++ b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
@@ -11,7 +11,7 @@ date: 2019-09-12
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
index b8c188948..88b80ceb5 100644
--- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
@@ -20,8 +20,8 @@ author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchha
date: 2022-08-01
modified: 2024-10-07
tags:
- - attack.defense-evasion
- - attack.t1562.001
+ - attack.defense-impairment
+ - attack.t1685
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
index 41834b28a..a7da72b2f 100644
--- a/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
@@ -9,8 +9,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
- - attack.defense-evasion
- attack.persistence
+ - attack.defense-impairment
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml
index 68035abbf..1265a2f4b 100644
--- a/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml
+++ b/rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml
@@ -8,8 +8,8 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
- - attack.defense-evasion
- attack.persistence
+ - attack.stealth
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
index 4d054935d..ec9a290e1 100644
--- a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
@@ -12,7 +12,7 @@ date: 2022-09-09
modified: 2023-08-17
tags:
- attack.persistence
- - attack.defense-evasion
+ - attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
index 485536c22..f26174910 100644
--- a/rules/windows/sysmon/sysmon_config_modification.yml
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
@@ -7,7 +7,7 @@ references:
author: frack113
date: 2022-01-12
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
product: windows
service: sysmon
diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml
index e82d37bfe..1500d7748 100644
--- a/rules/windows/sysmon/sysmon_config_modification_error.yml
+++ b/rules/windows/sysmon/sysmon_config_modification_error.yml
@@ -9,7 +9,7 @@ author: frack113
date: 2021-06-04
modified: 2022-07-07
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1564
logsource:
product: windows
diff --git a/rules/windows/sysmon/sysmon_config_modification_status.yml b/rules/windows/sysmon/sysmon_config_modification_status.yml
index 4b0de59e8..eaf55d214 100644
--- a/rules/windows/sysmon/sysmon_config_modification_status.yml
+++ b/rules/windows/sysmon/sysmon_config_modification_status.yml
@@ -9,7 +9,7 @@ author: frack113
date: 2021-06-04
modified: 2022-08-02
tags:
- - attack.defense-evasion
+ - attack.stealth
- attack.t1564
logsource:
product: windows
diff --git a/rules/windows/sysmon/sysmon_file_block_executable.yml b/rules/windows/sysmon/sysmon_file_block_executable.yml
index 44b06396f..aca5b2b4c 100644
--- a/rules/windows/sysmon/sysmon_file_block_executable.yml
+++ b/rules/windows/sysmon/sysmon_file_block_executable.yml
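Review bot: After the `sysmon_config_modification.yml` hunk the rule carries a tactic tag only (`attack.defense-impairment`) with no technique, while the `sysmon_config_modification_error.yml` and `sysmon_config_modification_status.yml` hunks keep `attack.t1564` under the new `attack.stealth`, so the three Sysmon-configuration rules now classify the same event family three different ways. A Sysmon configuration change is the same tool-tampering behaviour that the `registry_set_rpcrt4_etw_tamper.yml` and `registry_set_services_etw_tamper.yml` hunks map to `attack.defense-impairment` + `attack.t1685`; adding `    - attack.t1685` to `sysmon_config_modification.yml` and aligning the `_error`/`_status` rules to that same tactic/technique pair would make them consistent, assuming T1685 is the v19 technique for disabling or modifying tools — please confirm against the matrix. The tactic-only tag set predates this commit, but since the tag block is being rewritten anyway this is the natural moment to fix it.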
@@ -8,7 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-16
modified: 2023-09-16
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
product: windows
service: sysmon
diff --git a/rules/windows/sysmon/sysmon_file_block_shredding.yml b/rules/windows/sysmon/sysmon_file_block_shredding.yml
index 52b01cba3..ad6f713b4 100644
--- a/rules/windows/sysmon/sysmon_file_block_shredding.yml
+++ b/rules/windows/sysmon/sysmon_file_block_shredding.yml
@@ -7,7 +7,7 @@ references:
author: frack113
date: 2023-07-20
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
product: windows
service: sysmon
diff --git a/rules/windows/sysmon/sysmon_file_executable_detected.yml b/rules/windows/sysmon/sysmon_file_executable_detected.yml
index 7263bc3b4..c00f5178a 100644
--- a/rules/windows/sysmon/sysmon_file_executable_detected.yml
+++ b/rules/windows/sysmon/sysmon_file_executable_detected.yml
@@ -8,7 +8,7 @@ references:
author: frack113
date: 2023-07-20
tags:
- - attack.defense-evasion
+ - attack.defense-impairment
logsource:
product: windows
service: sysmon
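Review bot: The `sysmon_file_block_executable.yml`, `sysmon_file_block_shredding.yml` and `sysmon_file_executable_detected.yml` hunks move the tactic to `attack.defense-impairment`, but judging from the rule names these events are Sysmon reporting that it blocked or observed a file write — a defence acting, not being impaired — and none of the three carries a technique tag that would justify the tactic. The old `attack.defense-evasion` had the same mismatch, so this is inherited rather than introduced here, but the more specific v19 tactic name makes it more misleading in any coverage view. If no v19 technique fits, a tactic-only tag adds little and could be dropped; for the shredding rule a file-deletion / indicator-removal technique such as `attack.t1070.004`, with whatever tactic v19 assigns it, looks closer to the detected behaviour — please check the v19 matrix before choosing.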