diff --git a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
index 732c65e11..804168a59 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
@@ -10,6 +10,7 @@ author: Leo Tsaousis (@laripping)
 date: 2024-03-26
 tags:
 - attack.t1498
+ - attack.impact
 logsource:
 category: application
 product: kubernetes
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
index 1d8535910..2982425ad 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
@@ -9,6 +9,7 @@ author: Leo Tsaousis (@laripping)
 date: 2024-03-26
 tags:
 - attack.t1609
+ - attack.execution
 logsource:
 category: application
 product: kubernetes
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
index 0dd150574..e27602225 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
@@ -12,6 +12,7 @@ author: Leo Tsaousis (@laripping)
 date: 2024-03-26
 tags:
 - attack.t1611
+ - attack.privilege-escalation
 logsource:
 category: application
 product: kubernetes
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
index fcc168582..832b73dd7 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
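Review bot: The new tactic tag in kubernetes_audit_deployment_deleted is appended after the technique (`- attack.t1498` then `+ - attack.impact`), while other hunks in this same diff (opencanary_ftp_login_attempt, bitbucket_audit_user_login_failure_via_ssh_detected, file_event_win_susp_dpapi_backup_and_cert_export_ioc, registry_set_odbc_driver_registered_susp) insert the tactic before the technique tags, so the diff is internally inconsistent and, as far as I know, the repository's convention is tactic tags first. The same technique-then-tactic order appears in kubernetes_audit_exec_into_container, kubernetes_audit_hostpath_mount, kubernetes_audit_privileged_pod_creation, kubernetes_audit_rbac_permisions_listing, kubernetes_audit_secrets_enumeration, kubernetes_audit_sidecar_injection, rpc_firewall_remote_registry_lateral_movement, av_ransomware, aws_delete_saml_provider, azure_rare_operations, web_f5_tm_utility_bash_api_request, proc_creation_win_sc_query_interesting_services, proc_creation_win_susp_hiding_malware_in_fonts_folder and proc_creation_win_tasklist_module_enumeration. For this hunk the fix is to place `- attack.impact` on the line above `- attack.t1498`; the rule's `tags:` list is fully inside the hunk, so no other line changes.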
@@ -14,6 +14,7 @@ author: Leo Tsaousis (@laripping)
 date: 2024-03-26
 tags:
 - attack.t1611
+ - attack.privilege-escalation
 logsource:
 category: application
 product: kubernetes
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
index d680a4644..901e7bb77 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
@@ -13,6 +13,7 @@ date: 2024-03-26
 tags:
 - attack.t1069.003
 - attack.t1087.004
+ - attack.discovery
 logsource:
 category: application
 product: kubernetes
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
index d690e5975..5d10a6f12 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
@@ -11,6 +11,7 @@ author: Leo Tsaousis (@laripping)
 date: 2024-03-26
 tags:
 - attack.t1552.007
+ - attack.credential-access
 logsource:
 category: application
 product: kubernetes
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
index 3a6fa87b7..79e767bda 100644
--- a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
+++ b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
@@ -13,6 +13,7 @@ author: Leo Tsaousis (@laripping)
 date: 2024-03-26
 tags:
 - attack.t1609
+ - attack.execution
 logsource:
 category: application
 product: kubernetes
diff --git a/rules/application/opencanary/opencanary_ftp_login_attempt.yml b/rules/application/opencanary/opencanary_ftp_login_attempt.yml
index 9fb47b670..f2e9ba9b1 100644
--- a/rules/application/opencanary/opencanary_ftp_login_attempt.yml
+++ b/rules/application/opencanary/opencanary_ftp_login_attempt.yml
@@ -10,6 +10,7 @@ date: 2024-03-08
 tags:
 - attack.initial-access
 - attack.exfiltration
+ - attack.lateral-movement
 - attack.t1190
 - attack.t1021
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
index 810b9a6ac..b4b14bcfb 100644
--- a/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml
@@ -11,6 +11,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
 - attack.lateral-movement
+ - attack.execution
+ - attack.persistence
 - attack.t1053
 - attack.t1053.002
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
index 2d3d6296c..fb73f6e53 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml
@@ -10,6 +10,7 @@ author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
 - attack.lateral-movement
+ - attack.execution
 - attack.t1021.003
 - attack.t1047
 logsource:
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
index 2e5bff60e..aca398581 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml
@@ -12,6 +12,7 @@ date: 2022-01-01
 tags:
 - attack.lateral-movement
 - attack.t1112
+ - attack.persistence
 logsource:
 product: rpc_firewall
 category: application
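Review bot: In rpc_firewall_atsvc_lateral_movement the hunk adds `attack.execution` and `attack.persistence` for T1053/T1053.002, but in the ATT&CK matrix Scheduled Task/Job is also listed under Privilege Escalation, so if the intent is to mirror every tactic of the listed techniques the list is still one short; `- attack.privilege-escalation` would complete it. The same partial mapping shows up in rpc_firewall_sasec_lateral_movement (T1053 again), proc_creation_lnx_setgid_setuid (T1548.001 is also Defense Evasion), proc_access_win_hktl_littlecorporal_generated_maldoc (T1055.003 is also Defense Evasion) and proc_access_win_svchost_credential_dumping (T1548 is also Defense Evasion). If the rule authors deliberately tag only the tactic the detection is meant to surface, that is a reasonable choice, but then a short line in the commit description saying so would stop the next reviewer from re-raising it.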
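Review bot: In rpc_firewall_remote_registry_lateral_movement the added `+ - attack.persistence` does not correspond to the rule's only technique tag, `- attack.t1112`: Modify Registry sits under the Defense Evasion tactic in ATT&CK, not Persistence. The tactic line that actually matches T1112 is `- attack.defense-evasion`; if persistence is meant because of what the remote registry writes are used for, the rule would need a persistence technique tag to back it, which the visible tags do not provide. The pre-existing `attack.lateral-movement` tag is likewise not backed by a technique in this list, but that is history rather than part of this change.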
diff --git a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
index 4d568ade0..b24843aa2 100644
--- a/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml
@@ -11,6 +11,7 @@ author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
 - attack.lateral-movement
+ - attack.execution
 - attack.t1569.002
 logsource:
 product: rpc_firewall
diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
index 7a07e55e5..272e1a21d 100644
--- a/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
+++ b/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml
@@ -11,6 +11,8 @@ author: Sagie Dulce, Dekel Paz
 date: 2022-01-01
 tags:
 - attack.lateral-movement
+ - attack.execution
+ - attack.persistence
 - attack.t1053
 - attack.t1053.002
 logsource:
diff --git a/rules/category/antivirus/av_ransomware.yml b/rules/category/antivirus/av_ransomware.yml
index 2c3a7667f..d7077d390 100644
--- a/rules/category/antivirus/av_ransomware.yml
+++ b/rules/category/antivirus/av_ransomware.yml
@@ -17,6 +17,7 @@ date: 2022-05-12
 modified: 2024-11-02
 tags:
 - attack.t1486
+ - attack.impact
 logsource:
 category: antivirus
 detection:
diff --git a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
index 76d7601fb..6a409f66a 100644
--- a/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
+++ b/rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml
@@ -9,6 +9,7 @@ author: jamesc-grafana
 date: 2024-07-11
 tags:
 - attack.privilege-escalation
+ - attack.initial-access
 - attack.t1566
 - attack.t1566.002
 logsource:
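Review bot: The av_ransomware hunk leaves `modified: 2024-11-02` as an unchanged context line while changing the rule's tags, and no hunk in this diff touches a `modified:` field at all. I cannot confirm from the diff whether the repository expects `modified` to be bumped for tag-only edits; if it does, every rule here that already carries a `modified:` line (av_ransomware, azure_rare_operations, proc_creation_lnx_setgid_setuid, proxy_pua_advanced_ip_scanner_update_check and the Windows rules further down) needs a fresh date, and downstream consumers that diff rule metadata by `modified` will otherwise not pick the new tactics up. If the convention is that metadata-only changes do not bump it, a sentence to that effect in the commit description would settle it.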
diff --git a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
index 39d076456..0a527ddbc 100644
--- a/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
+++ b/rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
@@ -12,6 +12,7 @@ tags:
 - attack.t1078.004
 - attack.privilege-escalation
 - attack.t1531
+ - attack.impact
 logsource:
 product: aws
 service: cloudtrail
diff --git a/rules/cloud/azure/activity_logs/azure_rare_operations.yml b/rules/cloud/azure/activity_logs/azure_rare_operations.yml
index 6572248da..de84e45a3 100644
--- a/rules/cloud/azure/activity_logs/azure_rare_operations.yml
+++ b/rules/cloud/azure/activity_logs/azure_rare_operations.yml
@@ -9,6 +9,7 @@ date: 2020-05-07
 modified: 2023-10-11
 tags:
 - attack.t1003
+ - attack.credential-access
 logsource:
 product: azure
 service: activitylogs
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
index d1fa3fdbd..f5b9789fc 100644
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml
@@ -10,6 +10,8 @@ references:
 author: Muhammad Faisal (@faisalusuf)
 date: 2024-02-25
 tags:
+ - attack.lateral-movement
+ - attack.credential-access
 - attack.t1021.004
 - attack.t1110
 logsource:
diff --git a/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml b/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
index b7efbb07f..436481651 100644
--- a/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
+++ b/rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml
@@ -9,6 +9,7 @@ author: Romain Gaillard (@romain-gaillard)
 date: 2024-07-29
 tags:
 - attack.persistence
+ - attack.exfiltration
 - attack.t1020
 - attack.t1537
 logsource:
diff --git a/rules/cloud/github/github_repo_or_org_transferred.yml b/rules/cloud/github/github_repo_or_org_transferred.yml
index 8fe904c39..725edd5e6 100644
--- a/rules/cloud/github/github_repo_or_org_transferred.yml
+++ b/rules/cloud/github/github_repo_or_org_transferred.yml
@@ -11,6 +11,7 @@ author: Romain Gaillard (@romain-gaillard)
 date: 2024-07-29
 tags:
 - attack.persistence
+ - attack.exfiltration
 - attack.t1020
 - attack.t1537
 logsource:
diff --git a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
index 2ca1086e5..723a15990 100644
--- a/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
@@ -9,6 +9,7 @@ date: 2020-06-16
 modified: 2022-10-05
 tags:
 - attack.persistence
+ - attack.privilege-escalation
 - attack.t1548.001
 logsource:
 product: linux
diff --git a/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml b/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
index ef41f25b4..164690dce 100644
--- a/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
+++ b/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
@@ -10,6 +10,7 @@ date: 2022-08-14
 modified: 2024-02-15
 tags:
 - attack.discovery
+ - attack.reconnaissance
 - attack.t1590
 logsource:
 category: proxy
diff --git a/rules/web/proxy_generic/proxy_webdav_external_execution.yml b/rules/web/proxy_generic/proxy_webdav_external_execution.yml
index d473ad869..947e6c116 100644
--- a/rules/web/proxy_generic/proxy_webdav_external_execution.yml
+++ b/rules/web/proxy_generic/proxy_webdav_external_execution.yml
@@ -15,6 +15,7 @@ author: Ahmed Farouk
 date: 2024-05-10
 tags:
 - attack.initial-access
+ - attack.resource-development
 - attack.t1584
 - attack.t1566
 logsource:
diff --git a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
index a240e62ec..ffc02c86c 100644
--- a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
+++ b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
@@ -14,6 +14,7 @@ date: 2023-11-08
 tags:
 - attack.execution
 - attack.t1190
+ - attack.initial-access
 logsource:
 category: webserver
 detection:
diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
index 3bf361f21..c2ebdc3ea 100644
--- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
+++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
@@ -12,6 +12,7 @@ date: 2022-12-23
 modified: 2024-12-07
 tags:
 - attack.persistence
+ - attack.execution
 - attack.t1543.003
 - attack.t1569.002
 logsource:
diff --git a/rules/windows/dns_query/dns_query_win_quickassist.yml b/rules/windows/dns_query/dns_query_win_quickassist.yml
index bed7507aa..5ab11aded 100644
--- a/rules/windows/dns_query/dns_query_win_quickassist.yml
+++ b/rules/windows/dns_query/dns_query_win_quickassist.yml
@@ -13,6 +13,7 @@ date: 2024-12-19
 tags:
 - attack.command-and-control
 - attack.initial-access
+ - attack.lateral-movement
 - attack.t1071.001
 - attack.t1210
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
index 5e43a3a0a..023f49584 100644
--- a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
+++ b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
@@ -8,6 +8,7 @@ author: NVISO
 date: 2020-06-09
 modified: 2021-11-27
 tags:
+ - attack.initial-access
 - attack.t1195
 - attack.t1195.001
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
index 4158be2f1..d5a7c2e1a 100644
--- a/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
@@ -9,6 +9,7 @@ references:
 author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
 date: 2024-06-26
 tags:
+ - attack.credential-access
 - attack.t1555
 - attack.t1552.004
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
index a7c4f5a41..898c2ab5a 100644
--- a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
+++ b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
@@ -10,6 +10,7 @@ date: 2022-06-02
 modified: 2023-03-08
 tags:
 - attack.lateral-movement
+ - attack.execution
 - attack.t1047
 logsource:
 category: file_event
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index 6e44c48b4..ad7fc9eeb 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -10,6 +10,7 @@ date: 2020-06-29
 modified: 2025-01-20
 tags:
 - attack.execution
+ - attack.defense-evasion
 - attack.t1059.001
 - attack.t1036.003
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
index f1d50eef4..9aadd223a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
@@ -8,6 +8,7 @@ author: Max Altgelt (Nextron Systems)
 date: 2021-09-21
 modified: 2022-12-25
 tags:
+ - attack.credential-access
 - attack.t1003
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
index 238391191..5439c7229 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
@@ -10,6 +10,7 @@ author: Michael Haag
 date: 2024-09-03
 tags:
 - attack.persistence
+ - attack.execution
 - attack.t1059.001
 logsource:
 product: windows
diff --git a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
index a036b8fc3..6ff15466d 100644
--- a/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
@@ -9,6 +9,7 @@ date: 2021-08-09
 modified: 2023-11-28
 tags:
 - attack.execution
+ - attack.privilege-escalation
 - attack.t1204.002
 - attack.t1055.003
 logsource:
diff --git a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
index d3ca01d42..303d1d51d 100644
--- a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
@@ -8,6 +8,7 @@ author: Florent Labouyrie
 date: 2021-04-30
 modified: 2022-10-09
 tags:
+ - attack.privilege-escalation
 - attack.t1548
 logsource:
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml b/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml
index d1aab0f5d..dca3d88ed 100644
--- a/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml
@@ -16,6 +16,7 @@ author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine B
 date: 2024-08-20
 tags:
 - attack.execution
+ - attack.exfiltration
 - attack.t1048
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
index f58409ee1..918ff2604 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
@@ -9,6 +9,7 @@ date: 2022-03-04
 modified: 2024-11-23
 tags:
 - attack.credential-access
+ - attack.resource-development
 - attack.t1588.002
 - attack.t1003
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
index ba09a9951..651136c50 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
@@ -9,6 +9,7 @@ date: 2021-07-24
 modified: 2023-02-07
 tags:
 - attack.execution
+ - attack.credential-access
 - attack.t1557.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
index 0656acc4c..d35465f69 100644
--- a/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
@@ -10,6 +10,7 @@ date: 2020-03-04
 modified: 2021-11-27
 tags:
 - attack.execution
+ - attack.lateral-movement
 - attack.t1021.003
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml
index a737bbef3..e011beb62 100644
--- a/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml
+++ b/rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml
@@ -8,6 +8,7 @@ author: Max Altgelt (Nextron Systems)
 date: 2022-04-06
 tags:
 - attack.defense-evasion
+ - attack.execution
 - attack.t1127
 - attack.t1059.007
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
index ceb1d0587..eafd27c7c 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml
@@ -10,6 +10,7 @@ modified: 2023-01-26
 tags:
 - attack.t1027
 - attack.defense-evasion
+ - attack.execution
 - attack.t1140
 - attack.t1059.001
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
index d1ea956c7..daee9de42 100644
--- a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml
@@ -8,6 +8,7 @@ author: pH-T (Nextron Systems)
 date: 2023-04-17
 tags:
 - attack.discovery
+ - attack.reconnaissance
 - attack.t1590.001
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
index de4718322..2f9679146 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml
@@ -9,6 +9,7 @@ date: 2022-08-10
 tags:
 - attack.defense-evasion
 - attack.execution
+ - attack.lateral-movement
 - attack.t1021.002
 - attack.t1218.011
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
index 135bbaf94..5246b770e 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
@@ -11,6 +11,7 @@ author: Swachchhanda Shrawan Poudel
 date: 2024-02-12
 tags:
 - attack.t1003
+ - attack.credential-access
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
index 015f43dbf..280dbeacb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml
@@ -10,6 +10,7 @@ date: 2021-12-27
 modified: 2022-08-02
 tags:
 - attack.command-and-control
+ - attack.resource-development
 - attack.t1105
 - attack.t1608
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
index f769748cb..a382c8785 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
@@ -12,6 +12,7 @@ tags:
 - attack.t1059
 - attack.defense-evasion
 - attack.persistence
+ - attack.execution
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml
index e5a827872..10fa7688b 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml
@@ -9,6 +9,7 @@ date: 2020-10-30
 modified: 2023-02-28
 tags:
 - attack.execution
+ - attack.lateral-movement
 - attack.t1569
 - attack.t1021
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
index 7c65d3eb6..de3b8a76e 100644
--- a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
@@ -13,6 +13,7 @@ date: 2024-02-12
 modified: 2024-03-13
 tags:
 - attack.t1003
+ - attack.credential-access
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
index 0fdc959f8..6b0a612ed 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
@@ -10,6 +10,7 @@ date: 2019-01-16
 modified: 2024-11-26
 tags:
 - attack.persistence
+ - attack.initial-access
 - attack.t1505.003
 - attack.t1190
 logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml b/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml
index 37921b611..dd1399c87 100644
--- a/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml
@@ -9,6 +9,7 @@ date: 2019-09-12
 modified: 2022-10-09
 tags:
 - attack.execution
+ - attack.lateral-movement
 - attack.t1059.001
 - attack.t1021.006
 logsource:
diff --git a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
index 5f2120006..ad48f18db 100644
--- a/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
+++ b/rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-23
 modified: 2023-08-17
 tags:
+ - attack.credential-access
 - attack.persistence
 - attack.t1003
 logsource: