diff --git a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
index ae6042f40..c9859b1c6 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
@@ -1,7 +1,7 @@
 title: PUA - WebBrowserPassView Execution
 id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
 status: experimental
-description: Detect execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
+description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari and Opera
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
 author: frack113
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
index 022c9353c..208176a41 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml
@@ -1,7 +1,7 @@
 title: New ActiveScriptEventConsumer Created Via Wmic.EXE
 id: ebef4391-1a81-4761-a40a-1db446c0e625
 status: test
-description: Detects WMIC executions in which a event consumer gets created. This could be used to establish persistence
+description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
 references:
 - https://twitter.com/johnlatwc/status/1408062131321270282?s=12
 - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml
index 466910217..99fd968ce 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml
@@ -4,7 +4,7 @@ related:
 - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation
 type: derived
 status: test
-description: Detects new process creation using WMIC via the "process call creat" flags
+description: Detects new process creation using WMIC via the "process call create" flag
 references:
 - https://www.sans.org/blog/wmic-for-incident-response/
 author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml
index e08fbd127..30cb71b78 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml
@@ -1,7 +1,7 @@
 title: Computer System Reconnaissance Via Wmic.EXE
 id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
 status: experimental
-description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc.
+description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
 references:
 - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml
index 3a9d7acc3..69a8be88a 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml
@@ -1,7 +1,7 @@
 title: Hardware Model Reconnaissance Via Wmic.EXE
 id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
 status: experimental
-description: Detects execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
+description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
 references:
 - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
 - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml
index 51329bb7f..7aa136745 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml
@@ -1,7 +1,7 @@
 title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
 id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
 status: experimental
-description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfixe updates on the system. This is often used by pentesters and attackers enumeration scripts
+description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
 references:
 - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
 - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
index b4965ff61..4ca49d1f1 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
@@ -1,7 +1,7 @@
 title: Process Reconnaissance Via Wmic.EXE
 id: 221b251a-357a-49a9-920a-271802777cc0
 status: experimental
-description: Detects the execution of "wmic" with the "process" flag. Whihc adversary might use to list Processes running on the compromised host or list installed Software hotfix and patches.
+description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
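Review bot: The rewritten description of the process-reconnaissance rule (second hunk on this line) still lacks an article in `which adversary might use`; `which an adversary might use to list processes running on the compromised host` reads correctly. The trailing clause about listing `installed software hotfixes and patches` also does not match the `process` query this rule detects; that information is what the `qfe` query described in the hotfix rule hunk just above returns, so it appears to have been carried over by mistake and would be clearer dropped from this description.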
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml
index 3240a3dcb..885822d4b 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml
@@ -1,7 +1,7 @@
 title: Potential Product Reconnaissance Via Wmic.EXE
 id: e568650b-5dcd-4658-8f34-ded0b1e13992
 status: experimental
-description: Detects execution of WMIC in order to get list of firewal executing suspicious or recon commands
+description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
 references:
 - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
 - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
index 5923ab0e3..6e055ea1a 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
@@ -5,7 +5,7 @@ related:
 type: similar
 status: experimental
 description: |
- An adversary might use WMI to check if a certain Remote Service is running on a remote device.
+ An adversary might use WMI to check if a certain remote service is running on a remote device.
 When the test completes, a service information will be displayed on the screen if it exists.
 A common feedback message is that "No instance(s) Available" if the service queried is not running.
 A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
index 51fa8b175..cb3fe94fb 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
@@ -6,7 +6,7 @@ related:
 - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
 type: similar
 status: experimental
-description: Detects known wmi recon method to look for unquoted service paths using wmic. Often used by pentesters and attackers enumeration scripts
+description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
 references:
 - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
 - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml
index a3f66acc1..8c05b5f5a 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml
@@ -6,7 +6,7 @@ related:
 - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
 type: obsoletes
 status: experimental
-description: Detects execution of WMIC to query information on a remote system
+description: Detects the execution of WMIC to query information on a remote system
 references:
 - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
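Review bot: The reworded description in the unquoted-service-path hunk (first hunk on this line) is still missing an article: `Detects known WMI recon method` should read `Detects a known WMI recon method to look for unquoted service paths using wmic.` The same pass that fixed the pluralisation in the second sentence could take this along; the remote-execution hunk that follows needs no change.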
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml b/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml
index 206b8f64e..1d4c4a5cc 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml
@@ -4,7 +4,7 @@ related:
 - id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
 type: derived
 status: test
-description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32"...etc
+description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
 references:
 - https://thedfirreport.com/2020/10/08/ryuks-return/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
index 2bcfc5e93..abb571644 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
@@ -1,7 +1,7 @@
 title: Windows Binary Executed From WSL
 id: ed825c86-c009-4014-b413-b76003e33d35
 status: experimental
-description: Detects execution of windows binaries from wihthin a WSL instance. This could be used to avoid parent/child relationship detections or similar
+description: Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
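Review bot: In the WSL hunk (second on this line) the new second sentence `This could be used to masquerade parent-child relationships` changes what the rule says rather than just its grammar: the removed line explained that the technique is used to avoid parent/child relationship detections, which is the analyst-relevant point, and "masquerade" does not take that object. A wording that keeps the original meaning would be `This could be used to evade detections that rely on parent-child process relationships`. The susp_process_creation hunk above it reads fine as changed.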